PG — Born2Root: 1 — Walkthrough (Offensive Security Proving Grounds Play Boxes)

Introduction

This article walks you through the Born2Root: 1 box, created by Hadi Mene and hosted on Offensive Security's Proving Grounds Labs. Anyone with access to Vulnhub or Offensive Security's Proving Grounds Play or Practice can try to pwn this box; it is an intermediate and fun one. Hope you enjoy reading the walkthrough!

Reconnaissance

Since we are already given the IP address of the box, we start by scanning it with Nmap.

Scanning

We scan the IP for all open ports by typing the following command in our terminal. -p- tells Nmap to check all 65535 ports rather than only its default top 1000.

nmap -p- 192.168.x.x

After waiting a while, we get the results shown below:

Nmap Port Scanning

To gather more information on the ports Nmap found, we rerun the scan against just those ports with extra arguments: -sV probes for the service and version running on each open port, and -sC runs Nmap's default script set against those services to look for common misconfigurations and known issues.

nmap -p 22,80,111,44532 192.168.x.x -sV -sC

Shortly afterwards we have more details on the open ports. We decide to start enumeration on port 80, since the other ports do not offer as broad an attack surface as the HTTP server does on this box.

Nmap Specified Port Scanning

Enumeration

First of all, we enter the IP address in our browser.

Http Enumeration

We find an information page for a security company called Secretsec on the HTTP server; we review the page source and find nothing in particular.

We therefore run gobuster to brute-force directories and see if anything useful turns up. The -u argument specifies the URL and -w the wordlist to use for directory brute-forcing; to speed up the process we set the thread count to 30 with -t.

gobuster dir -u http://192.168.x.x/ -w /usr/share/wordlists/dirb/common.txt -t 30

Gobuster Directory Bruteforcing Results

We have several directories to enumerate further, as well as /robots.txt, which lists disallowed directories.

Http Enumeration

We see that there is a WordPress blog among the hidden directories, and we check it first since WordPress is one of the low-hanging fruits for us as attackers.

Http Enumeration for WordPress-blog

It turns out to be just a troll. We check the /files directory and get nothing there either. We go back to our gobuster results and decide to take a look at the /icons directory.

Icons Directory Enumeration

We encounter a .txt file that catches our attention, and we click VDSoyuAXİO.txt to open it.

SSH Private Key

In that .txt file, we find an SSH id_rsa private key, which is most probably the way to get a low-privilege shell on the box.

If we check the page we saw earlier, we have several names in the About Us section and an email address in the Contact Us section.

Http Information Gathering

Exploitation

Now we have an SSH private key and three names: Martin, Hadi, and Jimmy. We will try each of these names as the username when logging in to the SSH server with the private key we found. First we restrict the permissions of the key file (ssh refuses to use a key that is readable by other users), then we try to log in with the following commands.

chmod 600 id_rsa

ssh -i id_rsa martin@192.168.x.x

SSH Login

We successfully log in to the SSH server as the user martin on the first try. During login it will ask for a password; just hit Enter.

Now we collect the hash for the low-privilege shell (the local flag).

Getting Low Shell Hash

Privilege Escalation

We enumerate the machine for weak services and files.

Crontab Enumeration

We discover a cron job that executes a Python script, /tmp/sekurity.py, every five minutes as the user Jimmy. If we can control that script, the cron job will run our code as Jimmy, which may give us a path to a root shell. However, there is no script called sekurity.py in /tmp yet, so we create one that spawns a reverse shell as the user Jimmy.

Python Script for Reverse Shell

Before saving our script in /tmp, we set up a netcat listener in our own terminal.

Setting up a Netcat Listener

We are ready to save our script and wait for a reverse shell.

Concatenating the Python Script

After waiting a while, we get a reverse shell as the user Jimmy. Be aware that this can take up to five minutes, since the cron job only runs the script every five minutes.

Getting a Reverse Shell as Jimmy
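A defender-side counterpart to the cron weakness above, added here as an example (not code from the walkthrough or from the box): a small Python audit that parses a system crontab and flags jobs whose script lives in a world-writable directory or, when check_fs is enabled, is missing from disk or writable by users other than its owner. The crontab text is a constructed sample modelled on the jimmy entry.

```python
import os
import re
import stat
from typing import Dict, List

# Directories every local user can write to: a job that runs a script from one
# of these lets whoever writes the file run code as the crontab user.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample in /etc/crontab format (with a user field); the jimmy
# entry mirrors the box, where a script in /tmp runs every five minutes.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   jimmy   python /tmp/sekurity.py
0 3     * * *   root    /usr/local/bin/backup.sh
"""

# Five schedule fields, the user, then the command (simplified: @reboot-style
# entries are skipped). PATH_TOKEN pulls absolute paths out of the command.
CRON_LINE = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(\S+)\s+(.+)$")
PATH_TOKEN = re.compile(r"(/[\w./-]+)")


def audit_crontab(text: str, check_fs: bool = False) -> List[Dict[str, str]]:
    """Return one finding per job whose script a low-privileged user could
    replace: it lives in a world-writable directory or, with check_fs=True,
    is missing from disk or writable by users other than its owner."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank lines, comments and VAR=value assignments
        m = CRON_LINE.match(line)
        if not m:
            continue
        _schedule, user, command = m.groups()
        for path in PATH_TOKEN.findall(command):
            reason = None
            if path.startswith(WORLD_WRITABLE_DIRS):
                reason = "script lives in a world-writable directory"
            elif check_fs and not os.path.exists(path):
                reason = "referenced file does not exist"
            elif check_fs and os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                reason = "file is group- or world-writable"
            if reason:
                findings.append({"user": user, "path": path, "reason": reason})
    return findings
```

Run it with check_fs=True against the real /etc/crontab (and the files in /etc/cron.d) on a host to catch both cases the box exhibits: a script path under /tmp and a script that does not exist yet.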

As the user Jimmy, we enumerate the box to escalate our privileges but find nothing in particular.

We are left with one last user on the box, Hadi, as whom we have not yet obtained a shell. So we create a custom wordlist based on this name and brute-force the SSH server with it.

For custom wordlist creation, we use the bopscrk tool, which is a Python script.

Creating Custom Wordlist

Now we have a username and a password list, so we brute-force the SSH server with patator, a great tool for brute-force attacks against a variety of services.

Patator Usage

We check which arguments we need for the tool to work correctly, and use the following command to start the attack.

patator ssh_login host=192.168.x.x user=hadi password=FILE0 0=tmp.txt -x ignore:mesg='Authentication failed.'

Bruteforcing SSH Server

And we find the password for the user Hadi.
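From the defender's side, a patator run like the one above leaves a characteristic trace in the SSH daemon's auth log: a burst of "Failed password" events for one account from one source, possibly followed by an "Accepted password" for the same pair. The following Python detection is added here as an example (not part of the original post); it runs over a constructed auth.log excerpt and reports source/account pairs whose failure count reaches a threshold, marking those where a success followed the burst.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# OpenSSH log formats for failed and successful authentications.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port")

# Constructed sample auth.log excerpt (not captured from the box): one key-based
# login, a wordlist burst against hadi that ends in success, one stray failure.
SAMPLE_AUTH_LOG = """\
Jun  1 10:00:01 born2root sshd[1201]: Accepted publickey for martin from 192.168.1.50 port 40210 ssh2
Jun  1 10:05:10 born2root sshd[1310]: Failed password for hadi from 192.168.1.50 port 40300 ssh2
Jun  1 10:05:11 born2root sshd[1311]: Failed password for hadi from 192.168.1.50 port 40301 ssh2
Jun  1 10:05:11 born2root sshd[1312]: Failed password for hadi from 192.168.1.50 port 40302 ssh2
Jun  1 10:05:12 born2root sshd[1313]: Failed password for hadi from 192.168.1.50 port 40303 ssh2
Jun  1 10:05:12 born2root sshd[1314]: Failed password for hadi from 192.168.1.50 port 40304 ssh2
Jun  1 10:05:13 born2root sshd[1315]: Failed password for hadi from 192.168.1.50 port 40305 ssh2
Jun  1 10:05:14 born2root sshd[1316]: Accepted password for hadi from 192.168.1.50 port 40306 ssh2
Jun  1 10:07:00 born2root sshd[1320]: Failed password for invalid user admin from 10.0.0.9 port 5100 ssh2
"""


def detect_ssh_bruteforce(text: str, threshold: int = 5) -> List[Tuple[str, str, int, bool]]:
    """Return (source, user, failure_count, success_after) for every source/user
    pair with at least `threshold` failed passwords. success_after is True when
    an Accepted line for the same pair appears after the failures, which is the
    case that needs an immediate password reset, not just a block rule."""
    failures: Dict[Tuple[str, str], int] = defaultdict(int)
    succeeded: Set[Tuple[str, str]] = set()
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[(m.group(2), m.group(1))] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failures.get((m.group(2), m.group(1)), 0) > 0:
            succeeded.add((m.group(2), m.group(1)))
    return [(src, user, n, (src, user) in succeeded)
            for (src, user), n in sorted(failures.items()) if n >= threshold]
```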

Now we log in to the SSH server as the user hadi.

Login on SSH server

Since we have the user's password, we switch to the superuser with the same password to get root privileges on the system, and collect our root hash.

Log in as Root and Getting Root Hash

Now we have full authority on the box. Enjoy!
