From Web Into SSH Shell | Covfefe VulnHub CTF WalkThrough


We demonstrated a simple boot2root CTF walkthrough named Covfefe, where we performed an initial Nmap scan followed by directory discovery. We found a publicly accessible SSH private key, so we used it to gain an initial SSH shell. We then exploited a buffer overflow vulnerability in a binary we found to elevate privileges to root.

Description

Covfefe is my Debian 9 based B2R VM, originally created as a CTF for SecTalks_BNE. It has three flags.

It is intended for beginners and requires enumeration then [spoiler]!

Highlights

Open ports: 22, 80 and 31337

Directory enumeration can be performed using DirBuster on port 31337 to find interesting files.

First flag can be found under /robots.txt

SSH key can be downloaded by visiting /taxes/

You could then use ssh2john with the rockyou.txt wordlist to extract the password.

A buffer overflow can be exploited in read_message
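A defender-side check for the key exposure described above, as an added example that is not part of the original write-up: it walks a directory that a web server publishes and reports every file containing a private key, along with whether the key is passphrase-protected. The function names and the sample key are constructed for illustration.

```python
import base64
import os
import re
import tempfile

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)
MAGIC = b"openssh-key-v1\0"  # start of the decoded OpenSSH key format

def key_protection(data: bytes):
    """Return None if no private key is present, else 'none', 'passphrase' or 'unknown'."""
    if not (m := PEM_RE.search(data)):
        return None
    label, body = m.groups()
    if label == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body:
        return "passphrase"  # PKCS#8 or legacy PEM encryption
    if label != b"OPENSSH PRIVATE KEY":
        return "none"  # other PEM private keys without an encryption marker
    try:
        blob = base64.b64decode(b"".join(body.split()))
    except ValueError:
        return "unknown"
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
        return "unknown"
    rest = blob[len(MAGIC):]  # uint32 length, then the cipher name
    cipher = rest[4:4 + int.from_bytes(rest[:4], "big")]
    return "none" if cipher == b"none" else "passphrase"

def scan_webroot(root: str):
    """List (relative path, protection) for each private key under a served directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files):
            try:
                with open(path, "rb") as fh:
                    prot = key_protection(fh.read(65536))
            except OSError:
                continue  # unreadable file: skip it
            if prot:
                findings.append((os.path.relpath(path, root), prot))
    return sorted(findings)

def constructed_key(cipher: bytes, tag: bytes = b"OPENSSH PRIVATE KEY") -> bytes:
    blob = MAGIC + len(cipher).to_bytes(4, "big") + cipher + b"\0" * 16  # no key material
    return b"-----BEGIN %b-----\n%b\n-----END %b-----\n" % (tag, base64.b64encode(blob), tag)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # stand-in for the published directory
        with open(os.path.join(root, "id_rsa"), "wb") as fh:
            fh.write(constructed_key(b"aes256-ctr"))
        print(scan_webroot(root))
```

A "passphrase" result is still a finding: as the highlights note, the password on the downloaded key was recovered with a common wordlist, so the key should not be served at all.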


Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan
