Intro

The following is a semi-spoilerish walkthrough of the Lord of the Root VM from Vulnhub by KookSec.

Disclaimer

I'm intentionally not posting a full walkthrough with all the juicy details for a few reasons:

  1. Full (and better) walkthroughs already exist online.

  2. By not posting the full details, it allows you the chance to get just a little push in the right direction without ruining the entire challenge.

  3. I like to show my full thought process, as I do a whole lot of stuff wrong before I start making good progress. We can both likely learn something from that :-)

Write-up

Important note: I'm running VMware Fusion on a Mac, and what I found with this particular VM is that once I got my initial shell, the drive was completely out of space. I thought maybe this was "part of the fun" but I don't think so. So what I did is, before powering the VM on for the first time, I expanded the disk from 7 to 10 gigabytes. That helped me not run out of space anymore :-)

Ok, so upon poking around this VM's ports, TCP 22 and 80 look to be open. When you try to connect via SSH, there is a hint that some specific ports might need to be connected to in a certain order to move to the next step.

I found that nmap worked well for this purpose (-r scans the ports in the order given instead of randomizing them, and --max-retries=0 sends a single probe to each, so the knocks arrive once and in sequence). For example, if you need to knock on ports 10-12, this might work:

nmap -T4 -r --max-retries=0 -p10-12 f.q.d.n
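As an added, defender-side example (not from the original write-up): a small Python detector run over constructed iptables-style LOG lines. It shows what a knock sequence looks like on the wire and why the ports must arrive in order within a short window, which is exactly what the -r / --max-retries=0 combination above produces; the log lines, hosts and the 10-11-12 sequence are all made up for the demonstration.

```python
import re
from collections import defaultdict

# Constructed iptables LOG lines (not captured from the VM): 10.0.0.5 knocks
# ports 10,11,12 in order; 10.0.0.7 hits the same ports out of order, the way a
# default (randomized-order) nmap scan would.
SAMPLE_LOG = """\
Jan  1 10:00:01 gw kernel: [1000.1] KNOCK IN=eth0 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=10 SYN
Jan  1 10:00:01 gw kernel: [1000.2] KNOCK IN=eth0 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=11 SYN
Jan  1 10:00:02 gw kernel: [1000.3] KNOCK IN=eth0 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=12 SYN
Jan  1 10:00:05 gw kernel: [1004.0] KNOCK IN=eth0 SRC=10.0.0.7 DST=10.0.0.9 PROTO=TCP DPT=12 SYN
Jan  1 10:00:05 gw kernel: [1004.1] KNOCK IN=eth0 SRC=10.0.0.7 DST=10.0.0.9 PROTO=TCP DPT=10 SYN
Jan  1 10:00:06 gw kernel: [1004.2] KNOCK IN=eth0 SRC=10.0.0.7 DST=10.0.0.9 PROTO=TCP DPT=11 SYN
"""

# Kernel uptime stamp, source address and destination port are all we need.
LINE_RE = re.compile(r"\[\s*(?P<ts>[\d.]+)\].*?SRC=(?P<src>\S+).*?DPT=(?P<dpt>\d+)")


def parse_knock_log(text):
    """Return (timestamp, src, dport) tuples for every LOG line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((float(m["ts"]), m["src"], int(m["dpt"])))
    return events


def completed_knocks(events, sequence, window=5.0):
    """Sources that hit `sequence` strictly in order within `window` seconds.

    A wrong port resets that source's progress (the same rule knockd applies),
    so an out-of-order scan of the same ports never completes the sequence.
    """
    progress = defaultdict(lambda: (0, None))  # src -> (next index, first-knock time)
    hits = []
    for ts, src, dpt in sorted(events):
        idx, start = progress[src]
        if start is not None and ts - start > window:  # too slow: start over
            idx, start = 0, None
        if dpt == sequence[idx]:
            start = ts if idx == 0 else start
            idx += 1
            if idx == len(sequence):
                hits.append(src)
                idx, start = 0, None
        else:  # wrong port; only counts if it restarts the sequence
            idx, start = (1, ts) if dpt == sequence[0] else (0, None)
        progress[src] = (idx, start)
    return hits
```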

Once the "open sesame" routine is done, a new port is open for exploration, and after dirbing its contents, a hash is discovered that, once cracked, leads to a specific folder that must also be explored (something dirb probably won't find :-). The folder's root .php file is a login page, and I tried using hydra and other tools to brute force it, but had no luck.

When I switched to sqlmap, though, I finally made some progress. This syntax is what I used:

sqlmap -u 'http://some.url.with.a/form.php' --forms --dbs

I used the sqlmap flags that dump usernames and passwords, and from that I got another hash that I pushed through crackstation.net. The dumping process also hinted at some usernames to try. I ran all user/pass combos I could find through an SSH brute-forcer and eventually found valid creds to hook a low-priv shell.

Once the low-priv shell is fully explored (run privesc scripts, poke around for services, etc.), there are a few routes to privesc. One is found in the file structure itself and gives you the opportunity to practice your shellcoding skills. Or, you can go the more direct (in my opinion) route using something from Exploit-DB that directly mirrors one of the situations presented in the OSCP.

Overall a really fun box with a variety of challenges - a good mix of brute-force possibilities, web vulns, privesc and file system hunting.