Jun 2, 2021
PG — InfoSecPrep— Walkthrough (Offensive Security Proving Grounds Play Boxes)
Introduction
This article aims to walk you through InfoSecPrep box, produced by FalconSpy and hosted on Offensive Security’s Proving Grounds Labs. Anyone who has access to Vulnhub and Offensive Security’s Proving Grounds Play or Practice can try to pwn this Linux box, this is a kind of boot2root, easy and fun box. Hope you enjoy reading the walkthrough!
Reconnaissance
As we are already provided with IP address of the box, we will scan it via Nmap.
Scanning
We are going to scan the IP for 1000 default ports by typing the following command on our terminal.
nmap 192.168.x.x
After waiting for a while, we have got our results as shown below:
To gather further information on ports found by nmap, we will add some more arguments specifying open ports. -sV will scan to show service versions of applications on open ports, and -sC will run default scripts on services in order to check whether there is a vulnerability.
nmap -p 22,80 192.168.x.x -sV -sC
In a short while, we have got our results and more details regarding open ports. And we decide to start enumeration on port 80 since port 22 is not a logical starting point because it does not provide us with a broad attack surface as an http server does. Moreover, we already see a page named secret.txt, which shows where we should start first.
Enumeration
We open our browser and type IP address of the box.
We see that it is a WordPress CMS, before enumerating further, we check /secret.txt file as we saw it in the first place on nmap scan.
We come accross an encoded string. The string ends with two equal signs which indicates that it is encoded in base64.
We will curl the link to get string on our terminal.
curl http://192.168.x.x/secret.txt
Now, we will curl the link again, but we will pipe it through base64 command and use -d argument in order to decode the string.
curl http://192.168.x.x/secret.txt | base64 -d
Now, we see that it is an SSH private key, which is probably our way to get a low shell on the machine.
We will enumerate the page further in order to get possible users on the box. We see that there is a note written on the homepage that says the only user on the box is oscp.
Exploitation
We will copy SSH private key we decoded into a file, and we will try to log in on the box as oscp user after chmoding the private key.
Now we are ready to build a connection to the box with the following command.
ssh -i private.key oscp@192.168.x.x
We successfuly connect to the box, now we will get our low shell hash.
Privilege Escalation
After checking common vulnerabilities or misconfigurations, we find that /bin/bash is a very important SUID binary, which gives us the opportunity to escalate our privilege on the box.
find / -perm -u=s -type f 2>/dev/null
For SUID binaries, we generally check GTFOBins since it provides a plethora of privilege escalation commands for SUID binaries found on the target systems.
And we see that we are able to escalate our privilege on the machine just providing -p argument following /bin/bash.
So, we execute the command as follows:
/bin/bash -p
And our EUID and EGID now have root privileges.
So, we get our root hash.
Now we have full authority on the box. Enjoy!
