PG — InfoSecPrep— Walkthrough (Offensive Security Proving Grounds Play Boxes)

Introduction

This article aims to walk you through InfoSecPrep box, produced by FalconSpy and hosted on Offensive Security’s Proving Grounds Labs. Anyone who has access to Vulnhub and Offensive Security’s Proving Grounds Play or Practice can try to pwn this Linux box, this is a kind of boot2root, easy and fun box. Hope you enjoy reading the walkthrough!

Reconnaissance

As we are already provided with IP address of the box, we will scan it via Nmap.

Scanning

We are going to scan the IP for 1000 default ports by typing the following command on our terminal.

nmap 192.168.x.x

After waiting for a while, we have got our results as shown below:

Nmap Port Scanning

To gather further information on ports found by nmap, we will add some more arguments specifying open ports. -sV will scan to show service versions of applications on open ports, and -sC will run default scripts on services in order to check whether there is a vulnerability.

nmap -p 22,80 192.168.x.x -sV -sC

In a short while, we have got our results and more details regarding open ports. And we decide to start enumeration on port 80 since port 22 is not a logical starting point because it does not provide us with a broad attack surface as an http server does. Moreover, we already see a page named secret.txt, which shows where we should start first.

Nmap Specified Port Scanning

Enumeration

We open our browser and type IP address of the box.

Enumerating HTTP Server

We see that it is a WordPress CMS, before enumerating further, we check /secret.txt file as we saw it in the first place on nmap scan.

Enumerating /secret.txt Page

We come accross an encoded string. The string ends with two equal signs which indicates that it is encoded in base64.

Base64 Encoded String

We will curl the link to get string on our terminal.

curl http://192.168.x.x/secret.txt

Curling the Link to Get Baase64 String

Now, we will curl the link again, but we will pipe it through base64 command and use -d argument in order to decode the string.

curl http://192.168.x.x/secret.txt | base64 -d

Curling the Link and Piping it to Decode

Now, we see that it is an SSH private key, which is probably our way to get a low shell on the machine.

We will enumerate the page further in order to get possible users on the box. We see that there is a note written on the homepage that says the only user on the box is oscp.

Enumerating Further

Exploitation

We will copy SSH private key we decoded into a file, and we will try to log in on the box as oscp user after chmoding the private key.

Chmoding SSH Key

Now we are ready to build a connection to the box with the following command.

ssh -i private.key oscp@192.168.x.x

SSH Connection to the Box

We successfuly connect to the box, now we will get our low shell hash.

Getting Low Shell Hash

Privilege Escalation

After checking common vulnerabilities or misconfigurations, we find that /bin/bash is a very important SUID binary, which gives us the opportunity to escalate our privilege on the box.

find / -perm -u=s -type f 2>/dev/null

Privilege Escalation Enumeration

For SUID binaries, we generally check GTFOBins since it provides a plethora of privilege escalation commands for SUID binaries found on the target systems.

And we see that we are able to escalate our privilege on the machine just providing -p argument following /bin/bash.

GTFOBins Privilege Escalation

So, we execute the command as follows:

/bin/bash -p

Executing the Command

And our EUID and EGID now have root privileges.

EUID and EGID IDs

So, we get our root hash.

Getting Root Hash

Now we have full authority on the box. Enjoy!

References

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store