I took a little break from HTB to try out a boot2root machine that a friend of mine recently released on Vulnhub. Stripe is an easy to medium Linux machine with a little OSINT in the beginning, escalating to user by first escaping a restricted shell. The second user is allowed to run a sudo command which gives us root access…
- Enumerate the webpage to grab the credentials
- Escape the jail shell
- Escalate to the second user through reused password
- Abuse a bash script that we can run as root
From the initial nmap scan I could notice only 2 ports open: 22 (ssh) and 80 (http). In this case the web page should be the initial recon for this machine.
I visited the webpage and it seemed a little ugly, and the redirections didn't work:
While trying to click some buttons I got redirected to http://stripes/. In this case we have to add it to our hosts file and fully navigate the site. After adding it to /etc/hosts under the local IP the website started to look complete:
So far I could notice 2 blog posts from different users. While enumerating them I noticed the post from wp-admin was a little useless, so I focused more on the post from the other user (Joe Maldonado):
There are some clues about his preferences, his favourite words and his birthday too, which makes it look like an OSINT game. Since it is a WordPress site, my first guess was to grab the marked words and create some wordlists or guess the password for joe, but first I would have to grab both usernames to check for a valid login.
I could simply do that by navigating to each user's profile and checking the URL path:
I verified both usernames through the admin login page and both turned out to be valid:
So far, I tried to manually guess the password from the clues I had and tried it against both users, but with no results.
After a lot of failed attempts to log in to the WordPress site, I went to try against SSH by simply using one of Joe's favourite words + his birthday as the password…
Both combinations didn't seem to work:
However, I decided to only use joe as the username and… we have results:
joe:tigris1963 worked fine with the ssh client !
After a little enumeration I could notice there was another user named carole, but before that I noticed we are in a jail. Joe's shell is very restricted and I could run only a few commands, which could help me escape:
But I see 2 very good clues here :
I can probably export the shell to /bin/sh and abuse busctl to launch an interactive shell :
So as seen above I was able to export the shell and drop into one through busctl, as it uses the less pager to display info and we can abuse that to spawn a shell. After getting a full shell as joe my first guess was checking the WordPress site config and the database to gather some information about the other user.
From some research on Google I found out that WordPress files are usually stored under the /srv folder and I was able to dig in.
By looking around the config I can see the database password and the user, which seems to be wp-user. I tried to dump the MySQL database but it returned nothing interesting, so I went back to the first blog post from wp-user, who seems to be Carole:
So maybe I can log in to the machine using the same database password?
Yeah I could , and from here I can grab the user flag :
Root Escalation (Unintended)
Simple enumeration returned interesting information:
Under Carole's folder there seems to be a bash script sending a message to
sudo -l shows that I can also run it with sudo:
We can edit the script, so my guess was to simply replace the bash script with a reverse shell and run it with sudo, which should return a root shell to my listener:
I opened a netcat listener in another shell and simply ran the script using sudo because I can do that :
I was able to simply get a root shell and grab the prize (flag) .
While retrying several ways, I also found one more unintended root before finally figuring out the intended root.
While reading the script I could simply play with the message path by adding a symlink,
and… while it executes it reads the root flag as the message to send, since I made a symlink from the message file to the flag…
After some time analyzing the code I saw that I can also abuse the eval call and run system commands through it, which was also the intended root privesc for this machine…
I can edit the msg4joe file and add commands to it:
;'id' >> /tmp/id
We simply inject the command id to be executed and append its results to /tmp/id.
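The script itself is not shown above, so as an added example (not the Stripes script, and no code from this write-up) here is how a hardened message handler would defeat both tricks used for root: it refuses symlinked message paths and passes the message body only as data, never to eval, so the payload above stays literal text. The function name and the temporary directory are assumptions; the msg4joe file name and the payload are the ones from the write-up.

```bash
#!/bin/bash
# Hardened message reader (added example, not the machine's own script).
# The write-up's two root paths rely on a script that (a) follows a symlinked
# message path, so a link to the root flag is read as the message, and
# (b) eval's the message body, so ";'id' >> /tmp/id" runs as a command.

# safe_read_message FILE
# Prints the message verbatim; returns 1 and prints nothing on stdout when
# FILE is a symlink or not a regular file.
safe_read_message() {
    local f="$1"
    # Check the link status before opening: a symlink can point at any
    # root-readable file, and the script runs as root via sudo.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        printf 'refusing %s: not a regular file\n' "$f" >&2
        return 1
    fi
    # -r keeps backslashes literal; the trailing test keeps a last line
    # that lacks a newline. The body only ever reaches printf as an
    # argument, never eval, sh -c or an unquoted expansion.
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s\n' "$line"
    done < "$f"
}

# Demo on constructed input: the injection payload from the write-up and a
# symlink standing in for a link to the root flag.
demo() {
    local dir
    dir=$(mktemp -d)                              # assumed scratch location
    printf '%s\n' ";'id' >> /tmp/id" > "$dir/msg4joe"
    safe_read_message "$dir/msg4joe"              # prints ;'id' >> /tmp/id
    ln -s "$dir/msg4joe" "$dir/link"
    safe_read_message "$dir/link" || echo "symlink rejected"
    rm -rf "$dir"
}

demo
```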
This was my first time trying a Vulnhub machine and this box taught me some new tricks for escaping shells. Thanks to Kyn, I will now take a closer look at Vulnhub machines, which seem very interesting too… and as always THANK YOU for reading :)