Vulnhub - TENDERFOOT: 1
Introduction
A very Easy Box for beginners, I recommend this box if you are new here. Your task is to grab all the 3 flags (user1.txt, user2.txt, proof.txt).
This is TENDERFOOT: 1 from vulnhub. After banging my head on a few others, I thought I’d run through an easy box so I could feel like I actually have some idea what I’m doing :)
Ports
This box has:
- SSH on port 22, and
- HTTP on port 80.
HTTP
The frontpage of the website is the Apache default page, with a modification consisting of some hints about searching for hidden directories. The page source of /robots.txt points to a directory called /hint. The index page there contains a base32 encoded comment in the page source exhorting us to try harder.
This is all about enumeration - I’ll cut to the chase:
/entry.js contains our SSH username - monica
/fotocd/ contains some Brainfuck code that decodes to a message about SSH and a base64 encoded password - $99990$
On the box
We’re in as monica. Again, enumeration is required but ultimately we use an SUID binary that switches us to user chandler. No, literally that’s what it does.
Once we’re chandler we can find another note with some base64 encoded text that translates to passwd:Y0uCr4ckM3. This is the SSH/sudo password for chandler. Interestingly we can’t run sudo -l from our session that we got with the SUID binary, but we can exit then su chandler and then it works. Anyway chandler can run ftp as root:
So I’m at least at beginner level :)