Following the previous article, where all of the exploits failed, there are still two doors left:

  • Nmap is a bit old
  • Go for some GRUB

Nmap is a bit old

For this route the installed nmap is old: version 3.81. Releases of nmap from 2.02 through 5.21 include an --interactive mode, and at its nmap> prompt any line prefixed with ! is handed to a shell. Because this binary runs with root privileges, that shell is a root shell. More information on this can be found here. Basically this is how it goes down:

  • Log in with the chicken account acquired in key 2
  • Start nmap in interactive mode: nmap --interactive
  • Drop to a shell as root with !sh at the nmap> prompt
  • Go to the root folder, get the key and decode it
abusing nmap interactive shell

Option 2 is not the most elegant, but it works. It models a different threat: an attacker with physical or console access to the machine rather than a remote shell.

Go for some GRUB

For this route we simply change the kernel options at boot time. The box runs GRUB Legacy, which is why the keys below are e and b rather than the GRUB 2 equivalents.

  • Select the recovery mode boot entry in the GRUB menu and press e to edit the entry.
  • Select the kernel line and press e again to edit that line.
entering edit mode

  • Change the ro option on the kernel line to rw. Traditionally the kernel mounts the root filesystem read-only and a later startup process checks it before remounting it read-write; no such process will run here, so ask for rw up front or passwd will be unable to write /etc/shadow.
  • Append init=/bin/bash to the end of the line. When the machine boots, the kernel runs a single program called init, usually /sbin/init (or /bin/init), whose job is to perform the rest of the system startup and build a usable environment. init=/bin/bash tells the kernel to run a Bash shell as that first process instead, which means a root shell with no login prompt.
appending the init function to load bash

  • Press b to boot the edited entry.
  • Use the passwd command to set a new root password.
Resetting the root password

  • Reboot the system. Run sync first; with Bash running as PID 1 there is no init to take the reboot request, so reboot -f or a hard reset may be needed.
  • Log in as root with the new password.
  • Get the key.
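The whole GRUB route comes down to one edit of one line, plus the absence of the one setting that would have stopped it. The script below is an added example and not code from the original write-up: it applies the ro-to-rw change and the init=/bin/bash append as a text transform so the before and after kernel lines can be compared, and it checks a GRUB Legacy menu.lst for the control that defeats the trick, a password directive (which disables e and c at the menu until p and the password are entered) together with lock on the recovery entry. The kernel line, the two menu.lst stanzas, the kernel version and the device names are all constructed for the example; the md5 hash is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original write-up): the edit made by hand in the
# GRUB Legacy editor, expressed as a text transform so before/after can be
# compared, next to the menu.lst settings that block it ("password" globally,
# "lock" on the recovery entry). All input below is constructed; the kernel
# version and device names are assumptions and the md5 hash is a placeholder.

# patch_kernel_line LINE -> prints LINE with the standalone "ro" option turned
# into "rw" and "init=/bin/bash" appended (unless an init= is already present)
patch_kernel_line() {
    line=$(printf '%s\n' "$1" | sed -e 's/[[:space:]]ro[[:space:]]/ rw /' -e 's/[[:space:]]ro$/ rw/')
    case "$line" in
        *init=*) ;;                           # do not stack two init= options
        *)       line="$line init=/bin/bash" ;;
    esac
    printf '%s\n' "$line"
}

# menu_has_password MENU_TEXT -> succeeds if a global "password" directive exists
menu_has_password() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*password[[:space:]]'
}

# recovery_entry_locked MENU_TEXT -> succeeds if every "recovery mode" entry has
# a "lock" line before its kernel line (GRUB Legacy then demands the password
# before that entry may be booted)
recovery_entry_locked() {
    printf '%s\n' "$1" | awk '
        /^title/ { in_rec = ($0 ~ /recovery mode/); locked = 0 }
        in_rec && /^[[:space:]]*lock/   { locked = 1 }
        in_rec && /^[[:space:]]*kernel/ { if (!locked) missing = 1 }
        END { exit missing ? 1 : 0 }'
}

# Constructed menu.lst stanza with no protection at all (the situation on the box).
open_menu='default 0
timeout 3

title   Linux (recovery mode)
root    (hd0,0)
kernel  /boot/vmlinuz-2.6.24-26-server root=/dev/sda1 ro single
initrd  /boot/initrd.img-2.6.24-26-server'

# Same stanza hardened: global password (placeholder hash; generate a real one
# with grub-md5-crypt) and the recovery entry locked.
locked_menu='default 0
timeout 3
password --md5 $1$saltsalt$placeholderhashvalue

title   Linux (recovery mode)
lock
root    (hd0,0)
kernel  /boot/vmlinuz-2.6.24-26-server root=/dev/sda1 ro single
initrd  /boot/initrd.img-2.6.24-26-server'

orig='kernel  /boot/vmlinuz-2.6.24-26-server root=/dev/sda1 ro single'
echo "before: $orig"
echo "after:  $(patch_kernel_line "$orig")"

for name in open_menu locked_menu; do
    eval "menu=\$$name"
    if menu_has_password "$menu" && recovery_entry_locked "$menu"; then
        echo "$name: password set and recovery entry locked"
    else
        echo "$name: boot-time edit is possible"
    fi
done
```

Note that the sed patterns only match ro as a whole word, so root=/dev/sda1 is left alone, and that a GRUB password only raises the bar for someone at the console: with the same physical access they can still boot other media, so full-disk encryption is what actually protects /etc/shadow.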
Get the Key as root

And that concludes key 3.


July 2024