Tre OffSec Walkthrough


Tre OffSec Walkthrough: Today, I am going to share a writeup for the boot2root challenge of the VulnHub machine “Tre:1”, also available on OffSec Play. The difficulty level of this machine is intermediate. The goal for this machine is to read the root shell.

Table of Contents

Recon

  • Nmap
  • dirb

Exploitation

  • Adminer exploit
  • ssh login
  • Exploitable writable file

Privilege Escalation

  • Abusing a writable file with root permissions to add SUID to Bash

Beginning the initial enumeration.

nmap scan

Running the default nmap scripts.

nmap full scan

Running gobuster to enumerate.

gobuster dir search

We see an instance of MantisBT running, so we run gobuster against it to enumerate further.

hidden dir

There are many interesting pages here. One in particular, at http://192.168.237.84/mantisbt/config/a.txt, contains DB credentials for a MySQL database.

config file

Earlier we saw an Adminer instance running at /adminer. The credentials we found work with it.

admin web page

The mantis_user_table looks interesting, so we enumerate the contents of the table.

mysql database

We can use the credentials of the user tre to SSH into the box.

ssh user login

Privilege Escalation:

Running LinPEAS on the machine, we see that the check-system file is writable.

linpeas script

We modify it to add the SUID bit to the /bin/bash file.

add SUID to Check-system

This should work once the system restarts. We have sudo privileges to shut down the system.

sudo shutdown -r now

This restarts the system and adds the SUID bit on the /bin/bash file. We can use this to do privilege escalation.

root flag
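
A defensive check for the misconfiguration used above, as an added example that is not part of the original writeup: it lists programs started by systemd units that a non-root account could modify, and tests a shell for the set-uid bit. That check-system is launched from a systemd unit is an assumption (the writeup does not say how it is started), and the function names and unit directory are illustrative.

```sh
#!/bin/sh
# Added defensive example. Assumption: the boot-time script is started by a
# systemd unit; the unit directory and function names are illustrative.

# Print the program named by each ExecStart= line in DIR/*.service.
exec_targets() {
    # Drop the key and systemd's optional prefixes (-, @, +, !, :), then keep
    # the first word, which is the path of the program that gets executed.
    cat "$1"/*.service 2>/dev/null |
        sed -n 's/^[[:space:]]*ExecStart=[-@+!:]*//p' |
        awk 'NF { print $1 }' | sort -u
}

# Succeed if FILE is group- or world-writable, or not owned by TRUSTED_UID.
is_tamperable() {
    [ -n "$(find -L "$1" -prune \( -perm -0020 -o -perm -0002 \
        -o ! -user "${2:-0}" \) -print 2>/dev/null)" ]
}

# Succeed if FILE carries the set-uid bit (never expected on a shell).
has_suid() {
    [ -n "$(find -L "$1" -prune -perm -4000 -print 2>/dev/null)" ]
}

# Print each tamperable ExecStart target under DIR; return 1 if any was found.
# Uses the globals "findings" and "target" to stay within POSIX sh.
audit_units() {
    findings=$(exec_targets "${1:-/etc/systemd/system}" |
        while IFS= read -r target; do
            [ -e "$target" ] || continue
            if is_tamperable "$target" "${2:-0}"; then
                printf 'TAMPERABLE %s\n' "$target"
            fi
        done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Script usage: sh audit.sh --run [unit-dir]
if [ "${1:-}" = "--run" ]; then
    audit_units "${2:-/etc/systemd/system}" || true
    if has_suid /bin/bash; then echo "SUID bit set on /bin/bash"; fi
fi
```

A writable parent directory allows the same file replacement, so on a real system the check should also cover each directory on the target's path.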

Finally, this lab is solved 😉