This is a walk-through of how to exploit a computer system. Please note that some of the techniques described are illegal if you are not authorized to use them on the target machine.
The target is the "InfoSec Prep: OSCP" box on VulnHub, which is a site that offers machines for you to practice hacking.
0) Background
The box was created by FalconSpy, and used in a contest for a prize giveaway of a 30-day voucher for Offensive Security labs and training materials, and an exam attempt at the OSCP certification. After the launch, Tib3rius donated 20 copies of his Privesc courses for runner-ups. The contest was hosted on the InfoSec Prep Discord Server.
I ran Kali Linux as my hacking operating system, but the tools and commands below can be utilized on other versions of Linux if you install them. Both Kali and the InfoSec Prep box were run as virtual machines using VirtualBox.
If you have any questions, or if you see anything below that should be added, changed, or clarified, please contact me on Twitter: https://twitter.com/john_k57
The hack begins by scanning the target system to see which ports are open...
1) Initial scan
sudo nmap -T4 -p- 192.168.0.202
Note: Instead of 192.168.0.202 in these walkthrough steps, use whatever IP address is displayed on the InfoSec Prep box's login screen when you spin it up in VirtualBox.
sudo enables you to run commands as the root user.
nmap is a network mapper: https://nmap.org/book/man.html
- -T4 sets the timing template on a scale of 1-5: 1 is the slowest, 5 is the fastest but can miss things, so 4 is a good choice.
- -p- scans all ports, instead of the default first 1000.
Nmap results show 3 open ports:
2) Detailed scan of open ports
sudo nmap -A -T4 -p22,80,33060 192.168.0.202
- -A does a more thorough scan including version detection and script scanning.
- -p22,80,33060 scans only those 3 ports.
The scan results list a suspicious file:
3) Examine suspicious file
wget http://192.168.0.202/secret.txt
- wget retrieves the file
cat secret.txt
- cat displays the contents
Or you could visit the URL from the wget command in a browser.
Partial contents of secret.txt:
It is encoded, and the "==" at the end points to Base64 encoding.
- Base64 info: https://en.wikipedia.org/wiki/Base64
- Discussion of "=" used as "padding" in Base64: https://stackoverflow.com/questions/6916805/why-does-a-base64-encoded-string-have-an-sign-at-the-end
4) Decode file
base64 -d secret.txt > secret.decoded
base64 command manual pages: https://man7.org/linux/man-pages/man1/base64.1.html
- -d decodes
- > directs the output to a new file, "secret.decoded"
cat secret.decoded
Or you could use an online Base64 decoder like: https://www.base64decode.org/
Decoded file contents:
...it's an OpenSSH Private Key.
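The recognise-then-decode step above, written out as an added Python example (not part of the original walkthrough): it checks the structural signs of Base64 (alphabet, length a multiple of 4, at most two trailing "="), explains where the "==" padding comes from, decodes strictly, and reports the PEM label of whatever came out. The sample input is a constructed stand-in for secret.txt built from a fake key body; the box's real key is not reproduced.

```python
import base64
import re

# Constructed sample: a fake key file body in the same shape as the decoded
# secret.txt (PEM-style OpenSSH header/footer). It is not the box's real key.
SAMPLE_PLAINTEXT = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
    b"b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ==\n"
    b"-----END OPENSSH PRIVATE KEY-----\n"
)
# What a secret.txt built from that body looks like (Base64 of the bytes above).
SAMPLE_SECRET_TXT = base64.b64encode(SAMPLE_PLAINTEXT).decode()

_B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")
_PEM_HEADER_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def looks_like_base64(text: str) -> bool:
    """Structural check only: Base64 alphabet, at most two '=' at the end,
    and a length that is a multiple of 4 once whitespace is removed."""
    compact = "".join(text.split())
    return bool(compact) and len(compact) % 4 == 0 and _B64_RE.match(compact) is not None


def expected_padding(plain_len: int) -> int:
    """How many '=' characters Base64 appends for plain_len input bytes.
    Every 3 input bytes become 4 output chars; 1 leftover byte -> '==', 2 -> '='."""
    return (3 - plain_len % 3) % 3


def decode_blob(text: str) -> bytes:
    """Decode a Base64 blob strictly, rejecting anything outside the alphabet."""
    compact = "".join(text.split())
    if not looks_like_base64(compact):
        raise ValueError("input is not a Base64 blob")
    return base64.b64decode(compact, validate=True)


def classify_decoded(data: bytes) -> str:
    """Return the PEM label if the decoded bytes are a PEM-style key, else 'unknown'."""
    match = _PEM_HEADER_RE.search(data)
    return match.group(1).decode() if match else "unknown"


if __name__ == "__main__":
    decoded = decode_blob(SAMPLE_SECRET_TXT)
    print("trailing padding:", SAMPLE_SECRET_TXT.count("="),
          "expected for", len(SAMPLE_PLAINTEXT), "bytes:",
          expected_padding(len(SAMPLE_PLAINTEXT)))
    print("decoded content type:", classify_decoded(decoded))
```

Run it against a real file with `decode_blob(open("secret.txt").read())`; the padding count is only a hint, since a plaintext whose length is a multiple of 3 produces no "=" at all.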
5) Use Private Key to log in through SSH
See "Log In Using Your Private Key" at: https://serverpilot.io/docs/how-to-use-ssh-public-key-authentication/
We need the username to do that. You can generate the public key from the private key, and the comment at the end of the public key line reveals the username: https://blog.tinned-software.net/generate-public-ssh-key-from-private-ssh-key/
sudo ssh-keygen -y -f secret.decoded > secret.pub
and then
cat secret.pub
The public key file ends with:
...so the user is "oscp".
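The public key line that ssh-keygen -y prints has the form "<type> <base64 blob> [comment]", and the username comes from that trailing comment. As an added example (not from the original walkthrough), here is a small parser that decodes the blob's SSH wire format, checks that the type label matches the type embedded in the blob, and pulls the user part out of a user@host comment. The sample line is constructed: an ed25519 key whose 32 key bytes are all zero, with the comment "oscp@oscp-box" chosen for illustration.

```python
import base64
import struct
from typing import Dict, List, Optional


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_strings(blob: bytes) -> List[bytes]:
    """Split a public key blob into its length-prefixed fields."""
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[offset:offset + length])
        offset += length
    return fields


def parse_public_key_line(line: str) -> Dict[str, object]:
    """Parse '<type> <base64 blob> [comment]' as written by ssh-keygen -y.

    The text label is checked against the type string embedded in the blob,
    so a line whose label was edited by hand is rejected."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    fields = _read_ssh_strings(base64.b64decode(blob_b64, validate=True))
    if not fields or fields[0].decode("ascii", "replace") != key_type:
        raise ValueError("type label does not match the blob")
    return {"type": key_type, "fields": len(fields), "comment": comment}


def username_hint(comment: str) -> Optional[str]:
    """ssh-keygen defaults the comment to user@host, so the part before '@'
    is usually the account the key was generated for. The comment is free
    text that anyone can edit, so treat it as a hint, not proof."""
    if not comment:
        return None
    return comment.split("@", 1)[0] or None


# Constructed sample: ed25519 blob = string("ssh-ed25519") + string(32 key bytes).
# The all-zero key bytes are a placeholder, not a real key.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " oscp@oscp-box"


if __name__ == "__main__":
    info = parse_public_key_line(SAMPLE_LINE)
    print(info, "->", username_hint(str(info["comment"])))
```

For an ssh-rsa key the blob carries three fields (type, exponent, modulus) instead of two; the parser handles both because it reads fields until the blob is exhausted.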
Or, if you visit the website the box is running (i.e. at http://192.168.0.202/ in this example), we see it is a WordPress blog and the post there says:
Use the username with the OpenSSH Private Key:
sudo ssh -i secret.decoded oscp@192.168.0.202
...that worked! We are logged in:
6) Attempt to get flag
The location of the flag is indicated on VulnHub:
cat /root/flag.txt
But it appears we do not have permission:
7) Privilege escalation
Try the basics first:
sudo su -
...but we do not know the password, since we logged in using a private key instead.
Next see "What 'Advanced Linux File Permissions' are used? Sticky bits, SUID & GUID" at: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Check for special permission bits, in particular SUID (chmod 4000), which makes a file run as its owner rather than as the user who executes it:
find / -perm -u=s -type f 2>/dev/null
Look for those that are known to be useful for possible privilege escalation, like bash, cat, cp, echo, find, less, more, nano, nmap, vim and others: https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/
/usr/bin/bash is on the list!
We can view the permissions:
ls /usr/bin/bash -l
- ls lists it
- -l uses the long listing format, which includes permissions
It can execute as root, since it has the “s” in permissions and the owner is root: https://pentestlab.blog/category/privilege-escalation/
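The two facts checked by hand above (the "s" in the mode string and root as owner) are exactly what an audit should look for on a host. As an added example, not part of the original walkthrough, the Python below reimplements `find / -perm -u=s -type f 2>/dev/null`, flags any hit whose name is on the list of shells, pagers and editors that should never be setuid, and prints the fix (clearing the bit with chmod u-s). The only assumption is that the list of risky names is the one given earlier on this page.

```python
import os
import stat
from typing import List, NamedTuple

# Programs that should never be setuid-root on a production host: each one
# lets whoever runs it read, write or execute as the file owner. The names
# are the useful-for-escalation binaries listed above on this page.
RISKY_NAMES = frozenset({
    "bash", "sh", "dash", "zsh", "cat", "cp", "echo", "find",
    "less", "more", "nano", "nmap", "vim", "vi",
})


class SuidHit(NamedTuple):
    path: str
    mode: str      # ls -l style, e.g. '-rwsr-xr-x'
    uid: int       # owner; 0 means root


def is_suid_root(mode: int, uid: int) -> bool:
    """True for a regular file that has the setuid bit and is owned by root.
    'mode' is the raw st_mode value, e.g. 0o104755, which ls shows as -rwsr-xr-x."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def walk_suid(root: str, root_owned_only: bool = True) -> List[SuidHit]:
    """Equivalent of 'find ROOT -perm -u=s -type f', skipping unreadable
    directories the way '2>/dev/null' hides them."""
    hits: List[SuidHit] = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if root_owned_only and st.st_uid != 0:
                continue
            hits.append(SuidHit(path, stat.filemode(st.st_mode), st.st_uid))
    return hits


def risky_hits(hits: List[SuidHit]) -> List[SuidHit]:
    """Keep only the binaries that should not be setuid at all."""
    return [h for h in hits if os.path.basename(h.path) in RISKY_NAMES]


def remediation(hit: SuidHit) -> str:
    """Clearing the bit is the fix; the program keeps working for ordinary users."""
    return f"chmod u-s {hit.path}"


if __name__ == "__main__":
    for hit in walk_suid("/"):
        note = f"   <-- {remediation(hit)}" if risky_hits([hit]) else ""
        print(f"{hit.mode} uid={hit.uid} {hit.path}{note}")
```

Run as an unprivileged user it sees the same files `find` would; expected setuid-root programs such as passwd or sudo are listed but not flagged, while a setuid bash would print with the chmod u-s line beside it.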
Running bash with the -p option starts it in privileged mode:
- https://unix.stackexchange.com/questions/116792/privileged-mode-in-bash
- https://unix.stackexchange.com/questions/439056/how-to-understand-bash-privileged-mode
bash -p
then to confirm:
whoami
...we have a shell as root!
8) Capture the flag
cat /root/flag.txt
---------------------------------------------
Here's the entire process beginning-to-end, boot2root:
This is the link to the write-up by the box's creator, which includes alternate ways to root: http://falconspy.org/oscp/2020/08/04/InfoSec-Prep-OSCP-Vulnhub-Walkthrough.html