Boolean Proving Grounds Write-Up
SUMMARY
This write-up covers the Boolean machine from Offsec’s Proving Grounds, a Linux machine where a logic flaw in account registration led to file system access.
A web application on port 80 allowed user registration but required email confirmation before granting upload access. Intercepting the registration request with Burp Suite revealed a hidden confirmed field. Adding this field with the value true bypassed email verification, immediately granting upload permissions. Inspecting the file download path after uploading exposed a Local File Inclusion vulnerability: by manipulating the cwd and file parameters, arbitrary files such as /etc/passwd could be read.
Enumerating the user remi’s home directory via LFI revealed a .ssh directory. The attacker’s public key was uploaded as authorized_keys, granting SSH access as remi. Inside the .ssh/keys directory, a root SSH private key was found. Using ssh -o IdentitiesOnly=yes, the key was used to authenticate as root.
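The two web flaws in the summary are a mass-assignment bug (the server trusts a client-supplied `confirmed` field) and an unconstrained path join (the `cwd` and `file` parameters reach the filesystem unchecked). The following is an added example, not code from the Boolean machine or from OffSec; it shows each pattern in a flawed form beside a hardened one. The parameter names `confirmed`, `cwd` and `file` come from the write-up; the function names, `UPLOAD_ROOT` and the token check are assumptions.

```python
import hmac
from pathlib import Path
from typing import Optional

# Constructed example: assumed storage root that downloads must stay inside.
UPLOAD_ROOT = Path("/var/www/uploads")


# --- 1. Registration: account state must never come from the client --------

def register_flawed(form: dict) -> dict:
    """Flawed: copies every submitted field into the new account record,
    so a request carrying confirmed=true self-verifies its e-mail address."""
    account = {"email": form.get("email"), "confirmed": False}
    account.update(form)  # mass assignment: client overwrites 'confirmed'
    return account


def register_hardened(form: dict) -> dict:
    """Hardened: only allow-listed fields are read from the request.
    'confirmed' is server-owned state set only by mark_confirmed()."""
    allowed = {"email", "password"}
    account = {k: form[k] for k in allowed if k in form}
    account["confirmed"] = False
    return account


def mark_confirmed(account: dict, token: str, expected_token: str) -> bool:
    """The only legitimate path to confirmed=True: the token from the
    confirmation e-mail, compared in constant time (assumed flow)."""
    if hmac.compare_digest(token, expected_token):
        account["confirmed"] = True
        return True
    return False


# --- 2. Download: user-supplied directory and filename ---------------------

def resolve_download_flawed(cwd: str, file: str) -> Path:
    """Flawed: joins the two parameters directly. A '..' segment or an
    absolute cwd escapes the upload root (Path discards the prefix when
    the right-hand operand is absolute)."""
    return Path(cwd) / file


def resolve_download_hardened(cwd: str, file: str) -> Optional[Path]:
    """Hardened: resolve the joined path and require it to remain under
    UPLOAD_ROOT. Returns None so the caller can answer 400/404."""
    root = UPLOAD_ROOT.resolve()
    candidate = (UPLOAD_ROOT / cwd / file).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None  # traversal or absolute path outside the root
    return candidate


if __name__ == "__main__":
    hostile = {"email": "user@example.test", "confirmed": True}
    print("flawed  :", register_flawed(hostile)["confirmed"])
    print("hardened:", register_hardened(hostile)["confirmed"])
    print("flawed  :", resolve_download_flawed("/etc", "passwd"))
    print("hardened:", resolve_download_hardened("/etc", "passwd"))
```

The registration fix is the one that matters most: any field that encodes privilege or verification state is written by the server from its own workflow, never read from the form. The download fix keeps the upload root as the anchor and rejects anything whose canonical path leaves it, which covers both `..` segments and absolute `cwd` values.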
PATH TO FOLLOW
- Reconnaissance & Web Application Discovery
- Registration with confirmed Parameter Bypass
- LFI via File Download Parameter Manipulation
- SSH Authorized Keys Upload for Access as remi
- Root SSH Key Discovery in User Home Directory
- Shell as Root via SSH Private Key
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.