Tre OffSec Walkthrough: Today, I am going to share a writeup for the boot2root challenge of the vulnhub machine “Tre:1” also Available on OffSec Play. difficulty level of this machine is the intermediate level. And for this machine goal is to read the root shell.
Table of Content
Recon
- Nmap
- dirb
Exploitation
- Adminer exploit
- ssh login
- Exploitable writable file
Privilege Escalation
Abusing Writable File with root perm add SUID to Bash
Beginning the initial enumeration.

Running the default nmap scripts.

Running gobuster to enumerate.

We see an instance of mantisbt running, we run gobuster on it to further enumerate.

There are many interesting pages here. One in particular on http://192.168.237.84/mantisbt/config/a.txt contains db credentials to a mysql database.

We saw earlier about an adminer instance running at /adminer. We can see that the found credentials work with this.

The mantis_user_table looks interesting, we enumerate the contents of the table.

We can use these credentials of tre to ssh into the box.

Privilege Escalation:
Running Linpeas on the machine, we see check-system has a write permission.

Modified it to add SUID bit into the /bin/bash file.

This should work once the system restarts. We have sudo privileges to shutdown the system.
sudo shutdown -r now
This restarts the system and adds the SUID bit on the /bin/bash file. We can use this to do privilege escalation.

Finally this lab solve 😉
Also Read | Solstice OffSec Walkthrough