PG — Born2Root: 1 — Walkthrough (Offensive Security Proving Grounds Play Boxes)
This article walks you through the Born2Root: 1 box, created by Hadi Mene and hosted on Offensive Security’s Proving Grounds Labs. Anyone with access to Vulnhub or Offensive Security’s Proving Grounds Play or Practice can try to pwn this box; it is an intermediate and fun one. Hope you enjoy reading the walkthrough!
Since we are already given the IP address of the box, we start by scanning it with Nmap.
We scan the IP for all open ports by typing the following command in our terminal. -p- tells Nmap to scan every port rather than only its default list.
nmap -p- 192.168.x.x
After waiting a while, we get the results shown below:
To gather more information on the ports Nmap found, we run it again with a few more arguments and only the open ports. -sV probes the services to identify application versions, and -sC runs Nmap’s default scripts against those services to check for known weaknesses.
nmap -p 22,80,111,44532 192.168.x.x -sV -sC
Shortly after, we have more details on the open ports. We decide to start enumerating port 80, since the other ports do not offer as broad an attack surface as the HTTP server does on this box.
First, we open the IP address in our browser.
We find an information page for the Secretsec security company on the HTTP server; we review its source code and find nothing of interest.
So we run gobuster to brute-force directories and see whether anything useful turns up. The -u argument specifies the URL and -w the wordlist to use for directory brute-forcing; to speed up the process, we set 30 threads with -t.
gobuster dir -u http://192.168.x.x/ -w /usr/share/wordlists/dirb/common.txt -t 30
We get several directories to enumerate further, plus a /robots.txt that lists disallowed directories.
Among the hidden directories we see a WordPress blog, which we check first since it is low-hanging fruit for us as attackers.
It turns out to be just a troll. We check the /files directory and get nothing there either. Going back to our gobuster results, we decide to take a look at the /icons directory.
We encounter a .txt file that catches our attention, VDSoyuAXİO.txt, and click it to open.
In that .txt file we find an SSH id_rsa private key, which is most probably our way to a low-privilege shell on the box.
Looking back at the page we saw earlier, we have several names in the About Us section and an email address under Contact Us.
Now we have an SSH private key and three names: Martin, Hadi and Jimmy. We will try each of them as the username when logging in to the SSH server with the key. First we fix the key’s permissions, then log in with the following commands.
chmod 600 id_rsa
ssh -i id_rsa martin@192.168.x.x
We log in successfully on the first try as the user Martin. During login the server prompts for a password; just hit Enter.
Now we can grab our low-privilege shell hash.
We enumerate the machine for weak services and files.
We discover a cron job that runs a Python script every five minutes as the user Jimmy. Editing that script would give us a login as Jimmy, which may be the path to a root shell. However, there is no script called sekurity.py in the /tmp folder, so we create one that gives us a reverse shell as Jimmy.
Before saving the script in /tmp, we set up a netcat listener in our terminal.
Then we save the script and wait for the reverse shell.
After a while, we get a reverse shell as Jimmy. Be patient: the cron job only runs the script every five minutes.
As Jimmy, we enumerate the box to escalate our privileges, but find nothing of note.
That leaves one last user, Hadi, for whom we have no shell yet and cannot enumerate further. So we will create a custom wordlist based on this name and brute-force the SSH server with it.
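The cron job above is dangerous for one reason: it points at a file that does not exist yet, inside a directory anyone can write to. The following added example (not from the original post) is a small crontab auditor that flags exactly that pattern, plus scripts that are world-writable; the sample crontab text and the throwaway directory tree it is checked against are constructed here.

```python
import os, stat, tempfile

# Constructed sample in /etc/crontab layout (m h dom mon dow user command);
# the jimmy entry mirrors the Born2Root job that runs a script out of /tmp.
SAMPLE_CRONTAB = """\
17 *  * * *  root   cd / && run-parts --report /etc/cron.hourly
*/5 * * * *  jimmy  python /tmp/sekurity.py
"""

def parse_system_crontab(text):
    """Return (user, command) pairs; comments, blanks and VAR=value lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.strip().split(None, 6)
        if len(fields) == 7 and not fields[0].startswith("#"):
            entries.append((fields[5], fields[6]))
    return entries

def audit_command(command, base=""):
    """Flag absolute paths in a cron command that an unprivileged user could create or
    modify; `base` prefixes each path so the check can run against a test tree."""
    findings = []
    for tok in command.split():
        if not tok.startswith("/") or tok == "/":
            continue
        real, parent = base + tok, base + os.path.dirname(tok)
        if not os.path.isdir(parent):
            continue
        if not os.path.exists(real):  # Born2Root case: the job targets a file nobody created yet
            if os.stat(parent).st_mode & stat.S_IWOTH:  # sticky bit does not block creation
                findings.append(f"{tok}: missing, and {os.path.dirname(tok)} is world-writable")
        elif os.stat(real).st_mode & stat.S_IWOTH:
            findings.append(f"{tok}: world-writable script")
    return findings

def audit_crontab(text, base=""):
    """Map each cron user to findings for its entries; clean users are omitted."""
    report = {}
    for user, command in parse_system_crontab(text):
        for finding in audit_command(command, base):
            report.setdefault(user, []).append(finding)
    return report

def demo():
    # Throwaway tree whose tmp/ has the same 1777 bits as the real /tmp and no sekurity.py
    base = tempfile.mkdtemp()
    os.makedirs(base + "/tmp")
    os.chmod(base + "/tmp", 0o1777)
    os.makedirs(base + "/etc/cron.hourly", 0o755)
    return audit_crontab(SAMPLE_CRONTAB, base)
```

Run it with an empty `base` against a real /etc/crontab to check a live host; the fix on the host is to keep cron targets in a root-owned directory.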
For the custom wordlist we use bopscrk, a Python tool.
Now we have a username and a password list, so we brute-force the SSH server with patator, a great tool for brute-force attacks against a variety of services.
We check which arguments the tool needs, and use the following command to start the attack.
patator ssh_login host=192.168.x.x user=hadi password=FILE0 0=tmp.txt -x ignore:mesg='Authentication failed.'
And we find the password for user Hadi.
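From the box’s side, the patator run above leaves a burst of sshd failures for one account from one source in /var/log/auth.log, followed by a success. The following added example (not from the original post) is a simple detector for that pattern over constructed auth.log lines; the hostname, source addresses and timestamps in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in auth.log syslog format: a key login, a password-guessing burst that succeeds, and one stray failure.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 born2root sshd[1201]: Accepted publickey for martin from 192.168.49.100 port 50110 ssh2
Mar  3 10:05:02 born2root sshd[1310]: Failed password for hadi from 192.168.49.100 port 50222 ssh2
Mar  3 10:05:02 born2root sshd[1311]: Failed password for hadi from 192.168.49.100 port 50223 ssh2
Mar  3 10:05:03 born2root sshd[1312]: Failed password for hadi from 192.168.49.100 port 50224 ssh2
Mar  3 10:05:03 born2root sshd[1313]: Failed password for hadi from 192.168.49.100 port 50225 ssh2
Mar  3 10:05:04 born2root sshd[1314]: Failed password for hadi from 192.168.49.100 port 50226 ssh2
Mar  3 10:05:09 born2root sshd[1320]: Accepted password for hadi from 192.168.49.100 port 50231 ssh2
Mar  3 11:30:44 born2root sshd[1402]: Failed password for invalid user admin from 10.0.0.7 port 41000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_line(line):
    """Return a dict for one sshd auth line, or None for lines we do not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
    return ev

def detect_bruteforce(log_text, threshold=5, window=60):
    """Alert when one source produces `threshold` failed logins within `window`
    seconds, and escalate when a password login from that source then succeeds."""
    failures = defaultdict(list)  # ip -> failure timestamps still inside the window
    flagged, alerts = set(), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("BRUTEFORCE", ip, ev["user"], len(recent)))
        elif ev["method"] == "password" and ip in flagged:
            alerts.append(("COMPROMISE", ip, ev["user"], len(failures[ip])))
    return alerts
```

Key-only authentication, or fail2ban-style lockout on the BRUTEFORCE condition, would have stopped this step on the real box.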
Now we log in to the SSH server as hadi.
Since we have the user’s password, we switch to the superuser with that same password to get root privileges on the system, and grab our root hash.
Now we have full authority on the box. Enjoy!