PG — Pwned1— Walkthrough (Offensive Security Proving Grounds Play Boxes)

Introduction

This article aims to walk you through Pwned1 box, produced by Ajs Walker and hosted on Offensive Security’s Proving Grounds Labs. Anyone who has access to Vulnhub and Offensive Security’s Proving Grounds Play or Practice can try to pwn this Linux box, this is an easy and fun box. Hope you enjoy reading the walkthrough!

Reconnaissance

Since we are already provided with IP address of the box, we will scan it via Nmap.

Scanning

We are going to scan the IP for all open ports by typing the following command on our terminal. -p- indicates that we want to check all open ports.

nmap -p- 192.168.x.x

After waiting for a while, we have got our results as shown below:

Nmap Port Scanning

To gather further information on ports found by nmap, we will add some more arguments specifying open ports. -sV will scan to show service versions of applications on open ports, and -sC will run default scripts on services in order to check whether there is a vulnerability.

nmap -p 21,22,80 192.168.x.x -sV -sC

In a short while, we have got our results and more details regarding open ports. And we decide to start enumeration on port 80 as port 21 and 22 are not logical starting points because they do not provide us with a broad attack surface as an http server does.

Nmap Specified Port Scanning

Enumeration

First of all, we type IP address in our browser.

Port 80 Enumeration

We find it is just a webserver that reveals a note from an Attacker. So, let us check the source code and inspect the page further.

Checking Source Code of the Webserver

There is nothing different from the page itself.

We will inspect the webpage.

Inspecting the Body Code Comment of Webpage

We encounter a note embedded in the commented line of the body source code, but it does not reveal much. So, we will use gobuster to bruteforce directories to see if we have something useful. We will use -u argument to specify URL and -w argument to provide the wordlist we want to use for directory bruteforcing. And to make bruteforcing process fast, we will specify threads as 50 this time by -t argument.

gobuster dir -u http://192.168.x.x/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50

Gobuster Directory Bruteforcing Results

We check the web directory and find that port 80 has two interesting directories. We look at /nothing directory first.

Directory Enumeration

There is nothing.html and we check it as well.

Directory Enumeration

As we find nothing, now we will check the other directory that is /hidden_txt.

Directory Enumeration

There is a file named secret.dic and we click on it to open.

Directory Enumeration

We come across a number of directory names, but just one of them is available that is /pwned.vuln.

Directory Enumeration

We have a login form, but trying common credentials like admin:admin, root:root, etc. gives no results.

There is nothing in the source code as well, but when we look at the body of the source code through inspecting the page, we see that FTP credentials are noted in.

FTP Credentials Noted in Body Source Code

Exploitation

Now we will use these credentials to log into FTP server found during nmap port scaning.

ftp 192.168.x.x

FTP Login

We successfuly log into FTP server. We will enumerate FTP directories and sub-folders.

FTP Enumeration

There is a directory on FTP server called share and it includes a note and SSH private key id_rsa.

We download files to read the note and use SSH private key.

FTP File Download

We see that note.txt reveals a username Ariana, and we will try to connect to the box using this username and SSH private key after changing permissions of the file.

Note.txt Reading

Changing permissions of id_rsa and connecting SSH server.

ssh -i id_rsa ariana@192.168.x.x

SSH Server Connection

Now we have a low shell on the target box and get our first hash.

Getting Hash for Low Shell

Now, we will try to escalate our privilege to have full authority on the box.

Privilege Escalation

Privilege Escalation of this box was intermediate, there are some initial enumeration steps for privilege escalation after getting low shell, and the first one tried on this box, which was checking sudo permissions for the current user by typing sudo -l on the terminal, was the first step for privilege escalation.

Enumeration for Privilege Escalation

We see that we can execute a script called messenger.sh as user Selena. Let’s see the code if we can manipulate the script.

Code of Messenger.sh

The line towards the end of the code $msg 2> /dev/null indicates that we can manipulate the user input asked during script execution, so we will insert /bin/bash in order to get a shell as the user we execute the script. Lets’s start the script by following command:

sudo -u selena /home/messenger.sh

It asks for input to send messages to one of the listed users. So, we want to send /bin/bash command as a message to selena, and we are now on Selena’s teminal.

Messenger.sh Execution and Getting Shell as Another User on the Box

To have a stable shell, we will use python3 (since python2 is not installed on the system) to get a TTY shell, then read selena-personal.diary file.

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

Getting TTY shell and Reading Selena-personal.diary

We will check our id to see if we are in a group that has privileges on the box.

Checking id

The user Selena is in the docker group, so we will check docker images available on the box, and try to execute commands to escalate our privilege to root level.

docker images

Docker Images

We see that there are three images listed, and start to execute the following command in order to get root shell.

docker run -v /:/mnt — rm -it alpine chroot /mnt sh

Docker Command Execution through Docker Images

We try debian image first, but it is unavailable on the system and could not be found locally. So, we try alpine image, and it escalates our privilege to root and lets us to get a root shell on the system.

Now we have full authority on the box. Enjoy!

References

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store