Skip to content

Amine-Elbekari/boot2root

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Boot2Root Status Team

🔓 Boot2Root (B2R)

A Hands-On Cybersecurity Challenge | Collaborative Security Audit


📋 Project Overview

Boot2Root is a comprehensive, hands-on cybersecurity challenge that simulates a real-world penetration testing scenario. The objective is to discover, exploit, and document vulnerabilities within a target system to achieve full system control (root access).

This project was developed as a collaborative security audit by a team of three members, demonstrating the power of teamwork, information sharing, and diverse analytical approaches in tackling complex security challenges.

Important

Core Constraint: All exploitation must be performed against live server services only. Modifying the ISO or exploiting the bootloader (GRUB) is strictly prohibited. This ensures the audit reflects real-world attack scenarios where physical access to the system is not available.


🎯 The "Root" Mission

The ultimate goal is obtaining a real shell with root privileges (UID 0). This challenge requires two distinct exploitation methods to validate the mandatory requirements:

Path Exploitation Method Description
Writeup 1 Multi-Stage Privilege Escalation + Ret2libc Web exploitation → Credential harvesting → RCE → Binary challenges → Buffer overflow
Writeup 2 Kernel Exploitation (Dirty COW) Exploiting CVE-2016-5195 race condition vulnerability

🛡️ Technical Environment

Specification Details
Architecture 64-bit Virtual Machine
Kernel Version 3.2.0 (vulnerable to Dirty COW)
Initial Challenge Discovery of the "hidden" target IP address
Services Discovered /forum, /phpmyadmin, /webmail

🗂️ Repository Structure

boot2root/
├── 📄 README.md                  # Project documentation
├── 📝 walkthrough-1              # Primary exploitation path (Ret2libc)
├── 📝 walkthrough-2              # Alternative path (Dirty COW)
├── 📁 scripts/                   # Exploitation tools & automation
│   ├── combine_files.py          # Assembles scattered code fragments
│   ├── turtle_draw.py            # Decodes turtle graphics challenge
│   ├── tutrle_combination_words.py # Generates anagram permutations
│   └── turtle_comb_md5_solve.sh  # MD5 hash generation for brute-force
└── 📁 bonus/                     # Additional unique root exploitation vectors

📖 Methodology & Write-ups

Exploitation Path 1: Multi-Stage Privilege Escalation → Ret2libc

A systematic approach through multiple privilege escalation stages:

flowchart TD
    A[🔍 Reconnaissance] --> B[📋 Log Analysis]
    B --> C[🔑 Credential Harvesting]
    C --> D[💉 SQL Injection → RCE]
    D --> E[📁 Local Enumeration]
    E --> F[🧩 Binary Challenges]
    F --> G[🐢 Turtle Decoding]
    G --> H[💥 Buffer Overflow - Ret2libc]
    H --> I[👑 ROOT ACCESS]
Loading
Phase Technique Outcome
Reconnaissance nmap + dirb enumeration Discovered web applications
Initial Foothold Leaked credentials in public logs Access to forum as lmezard
Lateral Movement Password reuse across services Admin webmail access
RCE PHP reverse shell via SQL INTO OUTFILE Web server shell
Priv Esc 1 Password file in /home/LOOKATME Access to lmezard
ft_fun Challenge Reassembled fragmented C source code Access to laurie
Bomb Challenge Reverse engineering 6-phase binary Access to thor
Turtle Challenge Graphics decoding + MD5 hash cracking Access to zaz
Root Exploitation ret2libc buffer overflow on setuid binary UID 0 achieved

Exploitation Path 2: Dirty COW Kernel Exploit (CVE-2016-5195)

A direct approach exploiting a critical Linux kernel vulnerability:

Warning

Dirty COW is a race condition in the kernel's Copy-on-Write mechanism that allows local privilege escalation by writing to read-only memory mappings.

Attack Methodology:

  1. Identify vulnerable kernel version (3.2.0)
  2. Transfer and compile PoC exploit
  3. Exploit modifies /etc/passwd to create root-level user
  4. Switch to the newly created user with root privileges

🔧 Scripts & Tools

Script Purpose
combine_files.py Reassembles fragmented code snippets from the ft_fun challenge
turtle_draw.py Parses French turtle graphics instructions and renders the hidden message
tutrle_combination_words.py Generates all permutations of the anagram puzzle
turtle_comb_md5_solve.sh Creates MD5 hash wordlist for SSH brute-force

🤝 Team Collaboration

This project represents a collaborative effort by a three-person team. The shared approach and diverse perspectives contributed significantly to solving complex challenges that required:

  • Critical Thinking: Analytical approaches to reverse engineering and cryptographic puzzles
  • Information Sharing: Collective knowledge pooling to identify exploitation vectors
  • Diverse Skill Sets: Combining expertise in web security, binary exploitation, and kernel vulnerabilities

Note

All exploitation techniques were documented in detail to facilitate knowledge transfer and reproducibility.


⚖️ Ethics & Professional Integrity

Caution

No Cheating Policy: This audit was conducted with complete professional integrity. Exploiting the boot loader (GRUB) or modifying the ISO was strictly prohibited and not attempted. All root access was achieved through legitimate vulnerability exploitation against live services.

  • ✅ Brute-forcing prohibited - Required logical and analytical approaches
  • ✅ All write-ups documented in English with step-by-step detail
  • ✅ Attack vectors demonstrate real-world penetration testing methodology

📚 References & Tools Used

Tool Purpose
nmap Network reconnaissance and port scanning
dirb Web directory enumeration
netcat Reverse shell listener
GDB Binary analysis and debugging
Hydra SSH credential brute-forcing
Ghidra Binary reverse engineering
PortSweeger Network reconnaissance

🔐 Developed as part of the 42 School Security Curriculum 🔐

All activities were performed in isolated environments for educational purposes only.

About

No description, website, or topics provided.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors