A Hands-On Cybersecurity Challenge | Collaborative Security Audit
Boot2Root is a comprehensive, hands-on cybersecurity challenge that simulates a real-world penetration testing scenario. The objective is to discover, exploit, and document vulnerabilities within a target system to achieve full system control (root access).
This project was developed as a collaborative security audit by a team of three members, demonstrating the power of teamwork, information sharing, and diverse analytical approaches in tackling complex security challenges.
Important
Core Constraint: All exploitation must be performed against live server services only. Modifying the ISO or exploiting the bootloader (GRUB) is strictly prohibited. This ensures the audit reflects real-world attack scenarios where physical access to the system is not available.
The ultimate goal is obtaining a real shell with root privileges (UID 0). This challenge requires two distinct exploitation methods to validate the mandatory requirements:
| Path | Exploitation Method | Description |
|---|---|---|
| Writeup 1 | Multi-Stage Privilege Escalation + Ret2libc | Web exploitation → Credential harvesting → RCE → Binary challenges → Buffer overflow |
| Writeup 2 | Kernel Exploitation (Dirty COW) | Exploiting CVE-2016-5195 race condition vulnerability |
| Specification | Details |
|---|---|
| Architecture | 64-bit Virtual Machine |
| Kernel Version | 3.2.0 (vulnerable to Dirty COW) |
| Initial Challenge | Discovery of the "hidden" target IP address |
| Services Discovered | /forum, /phpmyadmin, /webmail |
boot2root/
├── 📄 README.md # Project documentation
├── 📝 walkthrough-1 # Primary exploitation path (Ret2libc)
├── 📝 walkthrough-2 # Alternative path (Dirty COW)
├── 📁 scripts/ # Exploitation tools & automation
│ ├── combine_files.py # Assembles scattered code fragments
│ ├── turtle_draw.py # Decodes turtle graphics challenge
│ ├── tutrle_combination_words.py # Generates anagram permutations
│ └── turtle_comb_md5_solve.sh # MD5 hash generation for brute-force
└── 📁 bonus/ # Additional unique root exploitation vectors
A systematic approach through multiple privilege escalation stages:
flowchart TD
A[🔍 Reconnaissance] --> B[📋 Log Analysis]
B --> C[🔑 Credential Harvesting]
C --> D[💉 SQL Injection → RCE]
D --> E[📁 Local Enumeration]
E --> F[🧩 Binary Challenges]
F --> G[🐢 Turtle Decoding]
G --> H[💥 Buffer Overflow - Ret2libc]
H --> I[👑 ROOT ACCESS]
| Phase | Technique | Outcome |
|---|---|---|
| Reconnaissance | nmap + dirb enumeration |
Discovered web applications |
| Initial Foothold | Leaked credentials in public logs | Access to forum as lmezard |
| Lateral Movement | Password reuse across services | Admin webmail access |
| RCE | PHP reverse shell via SQL INTO OUTFILE |
Web server shell |
| Priv Esc 1 | Password file in /home/LOOKATME |
Access to lmezard |
| ft_fun Challenge | Reassembled fragmented C source code | Access to laurie |
| Bomb Challenge | Reverse engineering 6-phase binary | Access to thor |
| Turtle Challenge | Graphics decoding + MD5 hash cracking | Access to zaz |
| Root Exploitation | ret2libc buffer overflow on setuid binary | UID 0 achieved |
A direct approach exploiting a critical Linux kernel vulnerability:
Warning
Dirty COW is a race condition in the kernel's Copy-on-Write mechanism that allows local privilege escalation by writing to read-only memory mappings.
Attack Methodology:
- Identify vulnerable kernel version (
3.2.0) - Transfer and compile PoC exploit
- Exploit modifies
/etc/passwdto create root-level user - Switch to the newly created user with root privileges
| Script | Purpose |
|---|---|
combine_files.py |
Reassembles fragmented code snippets from the ft_fun challenge |
turtle_draw.py |
Parses French turtle graphics instructions and renders the hidden message |
tutrle_combination_words.py |
Generates all permutations of the anagram puzzle |
turtle_comb_md5_solve.sh |
Creates MD5 hash wordlist for SSH brute-force |
This project represents a collaborative effort by a three-person team. The shared approach and diverse perspectives contributed significantly to solving complex challenges that required:
- Critical Thinking: Analytical approaches to reverse engineering and cryptographic puzzles
- Information Sharing: Collective knowledge pooling to identify exploitation vectors
- Diverse Skill Sets: Combining expertise in web security, binary exploitation, and kernel vulnerabilities
Note
All exploitation techniques were documented in detail to facilitate knowledge transfer and reproducibility.
Caution
No Cheating Policy: This audit was conducted with complete professional integrity. Exploiting the boot loader (GRUB) or modifying the ISO was strictly prohibited and not attempted. All root access was achieved through legitimate vulnerability exploitation against live services.
- ✅ Brute-forcing prohibited - Required logical and analytical approaches
- ✅ All write-ups documented in English with step-by-step detail
- ✅ Attack vectors demonstrate real-world penetration testing methodology
| Tool | Purpose |
|---|---|
| nmap | Network reconnaissance and port scanning |
| dirb | Web directory enumeration |
| netcat | Reverse shell listener |
| GDB | Binary analysis and debugging |
| Hydra | SSH credential brute-forcing |
| Ghidra | Binary reverse engineering |
| PortSweeger | Network reconnaissance |
🔐 Developed as part of the 42 School Security Curriculum 🔐
All activities were performed in isolated environments for educational purposes only.