Skip to main content

VULNHUB INFOSEC PREP : OSCP


Welcome to the walkthrough of InfoSec Prep: OSCP walkthrough. It is a beginner-level boot2root machine and it can be downloaded from here.

I cracked this machine literally 5 minutes after it booted properly. So you can consider this machine the easiest. 

Hint:

  1. Nmap
  2. Finding secret.txt and decoding it.
  3. Login via ssh.
  4. Privilege escalation to root via SUID binary. 


Boot up the machine and it should show the IP address.


We start off by pinging the box to verify that the box is up and running and we can reach out to it.
Command: ping <IP>


Then we can run Nmap scan to look for open ports and services running on the box.
We will use -sC for running default scripts, -sV for Version/Service info and -T4 for faster execution, and -o for saving the result on a file named nmap
The command is: sudo nmap -sC -sV -T4 <IP> -o filename


Looking at the scan results, port 22 is open and running ssh, and port 80 is open, and it's running Apache.
We can also see a directory named secret.txt as a disallowed entry in the robots.txt file. 

# Port 80 Enumeration


The web server has some content regarding the challenge that was released with the box.


But there's some useful info too. it tells you clearly that there is only one user on the box named "oscp".
So we know a username. Let's visit the secret.txt file that we found in the Nmap scans.


Looking at the content we see lots of text, but if you look it ends with "==" which means this may be base64 encoded. Copy the contents to your system and decode it using the command.
cat secret.txt |base64 -d



So it is a ssh private key. Now we have a username and a private key. Let's try logging in via ssh.
But first, remember to modify the permission for the private key.
Command: chmod 600 key
Log in via ssh: ssh -i key oscp@<IP>


And we log in successfully. Since we logged in as oscp we need to do some kind of privilege escalation to gain root access.

# Finding SUID binaries
Use the command: find / -perm -4000 2>/dev/null


We can see bash is set to SUID and abusing it is very easy.
Run the command bash -p and we are root.


Grab the root flag.

# Root via cronjob.
 If you visit the home directory of oscp user, there is a bash script named "ip" that's running as a cronjob. Since the file is in the user's home directory we can edit it and put our reverse shell into it and when cronjob runs we get a shell as the root user.
Add the reverse shell into the bash script.


Set up a Netcat listener to catch the reverse shell.
Command: nc -nvlp 1234


# Privilege Escalation by abusing lxd group.

First, we need to find the absolute path to lxc and lxd binaries to run the commands.



After the pool has been created we just need to run these commands on the victim.


And we are root users now.


Thanks for reading.

Comments

Post a Comment

Popular posts from this blog

Beginners Code Review Part 1

  Image credits to  Leobit This is a walkthrough of an exercise created by  PentesterLab  as a free course for learning beginner-friendly source code review. The link to the source code is here . Either clone it or download it as a zip locally. As instructed in the exercise we won't run the run, just read through the source code and look for possible weaknesses that we can leverage into vulnerabilities. LIST OF WEAKNESSES You can find below the list of issues present in the application: Hardcoded credentials or secrets Information leak Missing security flags Weak password hashing mechanism Cross-Site Scripting No CSRF protection Directory Listing Crypto issue Signature bypass Authentication bypass Authorization bypass Remote Code Execution Hand-On Findings and Objectives * Hardcoded credentials or secrets      ...
Post a Comment
Read more

HTB LAME WALKTHROUGH

HackTheBox  is an excellent platform for various pen-testers to increase their testing skills and increasing knowledge. Machine Level -Easy Machine Name -Lame Machine OS -Linux Machine IP -10.10.10.3 Tools: Nmap  -Nmap is a fantastic tool for scanning open ports, services, and OS detection. You can use other tools other than Nmap (whichever you are more comfortable with ) like Masscan, SPARTA, etc to scan for open ports. Metasploit  -One of the most common and widely used tools by pen-testers to launch exploits, it is maintained by Rapid 7. Many books are available to understand the features of this tool. We will be performing the attack by two methodologies (using and without using Metasploit). Methodology 1 (using Metasploit) Scanning the machine is the first step(i.e. Enumeration). We use the following Nmap command, nmap -sSVC 10.10.10.3 (we can run the command with sudo privileges if an error occurs regarding privileges.) The command scans f...
Post a Comment
Read more