> For the complete documentation index, see [llms.txt](https://kayra.gitbook.io/hackerkayra/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://kayra.gitbook.io/hackerkayra/write-ups/proving-grounds-boxes/linux/boolean.md).

# Boolean

**Source**: Proving Grounds\
**OS**: Linux\
**Community Rating**: Very Hard

## **Enumeration & Reconnaissance**

* I started with autorecon and found these open ports:
  * **SSH (22)**
  * **HTTP (80)**
  * HTTP (33017)

## **Service Analysis**

* I began with HTTP (80). The page presented both a login and registration function. After trying SQL injection, default credentials, and random passwords with no luck on the login, I moved to registration.&#x20;

<figure><img src="/files/Q7imBfywCYk7OqFNtZU6" alt="" width="563"><figcaption><p>Boolean Login</p></figcaption></figure>

* I created a new user and attempted to log in, but received an account confirmation message:

<figure><img src="/files/KMWDHxdMsCFm7AcCZInO" alt="" width="563"><figcaption><p>Account Confirmation</p></figcaption></figure>

* There was an edit button on the confirmation page that might be a useful path. I checked HTTP (33017), but it simply displayed: "This port is reserved for potential future development should we decide to change our tech stack."

<figure><img src="/files/M0FqTOaVviAtHwWCqZ74" alt="" width="563"><figcaption><p>HTTP (33017)</p></figcaption></figure>

## **Gaining Initial Access**

* I went back to the edit function on the account confirmation page. Using Burp Suite, I examined the request body which contained:

{% code overflow="wrap" fullWidth="true" %}

```http
_method=patch&authenticity_token=ARS04mXoJP74ElbHc-g9B2VkViqX1m48TbuQL0B6NSqeVNd22UNTYbBFm3TN_cGfCH3rFwSSAr-j9S5Y7eFtnw&user%5Bemail%5D=testuser%40gmail.com&commit=Change%20email
```

{% endcode %}

* The response returned `confirmed=false`. I then modified the request by appending: `&user%5Bconfirmed=true`making the full body:

{% code overflow="wrap" fullWidth="true" %}

```
_method=patch&authenticity_token=ARS04mXoJP74ElbHc-g9B2VkViqX1m48TbuQL0B6NSqeVNd22UNTYbBFm3TN_cGfCH3rFwSSAr-j9S5Y7eFtnw&user%5Bemail%5D=testuser%40gmail.com&commit=Change%20email&user%5Bconfirmed=true
```

{% endcode %}

<figure><img src="/files/5X7vRQffqSZWSHWC1Yf7" alt="" width="563"><figcaption><p>Account Confirmation Bypass</p></figcaption></figure>

* That worked, I gained access to the web system. Inside, I discovered a file manager, which suggested potential for LFI/RFI exploitation.
* I uploaded a file and observed the URL included: "`http://192.168.192.231/?cwd=&file=image.jpg&download=true`" Assuming `cwd` stands for current working directory, I attempted LFI by visiting: `http://192.168.192.231/?cwd=../../../../../../../../`
* This led me to the root directory. Then, I checked the passwd file but found nothing useful, so I then looked for an .ssh directory. Since **SSH (22)** was open,&#x20;

<figure><img src="/files/zErenMVlISwiks0m32MH" alt="" width="563"><figcaption><p>Passwd File</p></figcaption></figure>

* I discovered an .ssh directory under user **remi**’s home. Inside, I found multiple keys, including one for root. I downloaded them and attempted to access the system, but was prompted for the root password. Trying the other keys yielded the same result.

<figure><img src="/files/yY6nfdbmHYQnK4MBM83Z" alt="" width="563"><figcaption><p>SSH Keys</p></figcaption></figure>

* I then uploaded a new key as **authorized\_keys** into the .ssh directory and logged in as remi, that worked!

<figure><img src="/files/Xt6JwcE3EEZwUCMRbPmT" alt="" width="563"><figcaption><p>SSH Access</p></figcaption></figure>

## Privilege Escalation

* Once in, I tried to use the root key from inside by running: `ssh -i root root@127.0.0.1`This attempt failed with:`Received disconnect from 127.0.0.1 port 22:2: Too many authentication failures. Disconnected from 127.0.0.1 port 22`
* I then retried with: `ssh -o IdentityAgent=none -i root root@127.0.0.1`
* This time, it worked, I was in as root.

<figure><img src="/files/frEhqZItHd5vyMxFfb1l" alt="" width="563"><figcaption><p>Root Access</p></figcaption></figure>

{% hint style="info" %}
The error occurred because the SSH client was offering too many keys (from both the specified key and the SSH agent), exceeding the server's allowed attempts. Using the `-o IdentityAgent=none` option forced the client to use only the specified key.
{% endhint %}

## **Lessons Learned**

* Account confirmation mechanisms can sometimes be bypassed by manipulating request parameters.
* A hidden file manager may expose LFI vulnerabilities; using them to navigate to sensitive directories (like .ssh) is crucial.
* When pre-existing SSH keys don’t grant access, uploading a new authorized key can be an effective workaround.
* Understanding SSH client behavior, such as the impact of multiple keys, can save time; using `-o IdentityAgent=none` ensures only the intended key is used.
