PG — Pwned1 — Walkthrough (Offensive Security Proving Grounds Play Boxes)

caesar
May 31, 2021

Introduction

This article walks you through the Pwned1 box, created by Ajs Walker and hosted on Offensive Security’s Proving Grounds Labs. Anyone with access to Vulnhub or Offensive Security’s Proving Grounds Play or Practice can attempt this Linux box; it is an easy and fun one. I hope you enjoy the walkthrough!

Reconnaissance

Since we are already given the IP address of the box, we start by scanning it with Nmap.

Scanning

We scan the IP for open ports with the following command; -p- tells Nmap to check all ports rather than only its default set.

nmap -p- 192.168.x.x

After a short wait, we have our results:

Nmap Port Scanning

To gather more information about the ports Nmap found, we rerun it against just those ports with extra options: -sV probes each open port for the service and version running on it, and -sC runs Nmap’s default script set against those services to look for common misconfigurations and known vulnerabilities.

nmap -p 21,22,80 192.168.x.x -sV -sC

Shortly we have the results, with more detail on each open port. We decide to start enumerating port 80, since ports 21 and 22 are not logical starting points: without credentials they do not offer as broad an attack surface as an HTTP server does.

Nmap Specified Port Scanning

Enumeration

First, we open the IP address in a browser.

Port 80 Enumeration

It is a simple web page showing a note from an attacker. Let us check the page source and inspect the page further.

Checking Source Code of the Webserver

The source shows nothing beyond what the page itself displays.

Next we inspect the page element by element.

Inspecting the Body Code Comment of Webpage

We find a note embedded in an HTML comment inside the body, but it does not reveal much. So we use gobuster to brute-force directories and see whether anything useful turns up. The -u argument specifies the URL and -w the wordlist used for directory brute-forcing; to speed up the process we set the thread count to 50 with -t.

gobuster dir -u http://192.168.x.x/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50

Gobuster Directory Bruteforcing Results

Gobuster finds two interesting directories on port 80. We look at /nothing first.

Directory Enumeration

It contains nothing.html, which we check as well.

Directory Enumeration

Finding nothing there, we check the other directory, /hidden_txt.

Directory Enumeration

It holds a file named secret.dic, which we open.

Directory Enumeration

It lists a number of directory names, but only one of them exists on the server: /pwned.vuln.

Directory Enumeration

We have a login form, but trying common credentials such as admin:admin and root:root gets us nowhere.

The page source shows nothing either, but when we inspect the body of the page we see FTP credentials noted in a comment.

FTP Credentials Noted in Body Source Code
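Credentials left in an HTML comment are the kind of leak a developer or defender should catch before a page ships, so here is an added example of a small audit that extracts HTML comments from pages and flags the ones that look like they carry secrets. This is not code from the write-up or from the box; the function names, the keyword regex and the sample page (with placeholder credentials) are all constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not part of the original write-up: pull HTML comments out of
# pages and flag the ones that look like they carry credentials, the kind of
# leak found on this box. Function names, SECRET_PATTERN and the sample page
# are assumptions constructed for the demo.

# Extract every <!-- ... --> comment from a file, one comment per output line;
# multi-line comments are joined with single spaces. Uses a regex record
# separator, which GNU awk, mawk and busybox awk all support.
html_comments() {
    awk 'BEGIN { RS = "-->" }
         /<!--/ { sub(/.*<!--/, ""); gsub(/[[:space:]]+/, " "); print }' "$1"
}

# Keywords that, inside a comment, usually mean something was left behind
# that should never reach a browser. Tune this list for your own codebase.
SECRET_PATTERN='passw|pwd|user(name)?|login|cred|ftp|ssh|api[_ -]?key|token|secret'

# Print only the comments matching SECRET_PATTERN (case-insensitive).
find_comment_secrets() {
    html_comments "$1" | grep -iE "$SECRET_PATTERN" || true
}

# Scan several files, prefixing each hit with the file it came from.
scan_pages() {
    local f line
    for f in "$@"; do
        find_comment_secrets "$f" | while IFS= read -r line; do
            printf '%s: %s\n' "$f" "$line"
        done
    done
}

# Constructed sample page: one harmless comment and one leaking comment.
# The credentials here are placeholders, not the box's real ones.
make_sample_page() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
<html>
<body>
<!-- TODO: drop the test banner before go-live -->
<form action="login.php" method="post">
  <input name="user"> <input name="pass" type="password">
</form>
<!-- ftp account for the dev share:
     user=EXAMPLE_FTP_USER pass=EXAMPLE_FTP_PASSWORD -->
</body>
</html>
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: scan any files given on the command line, or the sample.
if [ "$#" -gt 0 ]; then
    scan_pages "$@"
else
    scan_pages "$(make_sample_page)"
fi
```

Run it over a local mirror of the site (`scan_pages site/*.html`) as part of a pre-release check; the harmless TODO comment is not reported, while the comment carrying the FTP account is. The keyword list errs on the side of noise on purpose: a false positive costs a glance, a missed credential costs the box.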

Exploitation

Now we use these credentials to log into the FTP server found during the Nmap port scan.

ftp 192.168.x.x

FTP Login

We successfully log into the FTP server and enumerate its directories and sub-folders.

FTP Enumeration

The FTP server has a directory called share, containing a note and an SSH private key, id_rsa.

We download both files to read the note and use the private key.

FTP File Download

note.txt reveals the username ariana, so we will try to connect to the box with this username and the SSH private key, after restricting the key file’s permissions (SSH refuses to use a private key that other users can read).

Note.txt Reading

We make id_rsa readable only by its owner and connect to the SSH server.

ssh -i id_rsa ariana@192.168.x.x

SSH Server Connection

Now we have a low-privileged shell on the target box and collect our first hash.

Getting Hash for Low Shell

Next, we try to escalate our privileges to gain full control of the box.

Privilege Escalation

Privilege escalation on this box is of intermediate difficulty. There are a few standard enumeration steps to run after getting a low-privileged shell, and the first one we tried, checking the current user’s sudo permissions with sudo -l, turned out to be the first step of the escalation path.

Enumeration for Privilege Escalation

We see that we can run a script called messenger.sh as the user selena. Let’s read the code to see whether we can manipulate it.

Code of Messenger.sh

The line near the end of the script, $msg 2> /dev/null, expands the user-supplied message unquoted in command position, so whatever we type as the message is executed as a command. We will therefore enter /bin/bash as the message to get a shell as the user the script runs as. Let’s start the script with the following command:

sudo -u selena /home/messenger.sh

It asks which of the listed users to message and for the message text. We send /bin/bash as the message to selena, and we now have a shell as selena.

Messenger.sh Execution and Getting Shell as Another User on the Box
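The root cause here is a shell anti-pattern worth seeing in isolation: a variable holding user data is expanded, unquoted, as the command itself. Below is an added example (not the box’s own messenger.sh, whose full source the write-up does not show) with a minimal reproduction of that flaw beside a hardened version of the same “send a message” step. The spool directory layout and the recipient allow-list are assumptions for the demo.

```bash
#!/usr/bin/env bash
# Added example, not the box's own messenger.sh: a minimal reproduction of the
# flaw the write-up points at ($msg expanded unquoted in command position)
# next to a hardened version of the same "send a message" step. The spool
# directory and the recipient list are assumptions for the demo.

SPOOL="${SPOOL:-$(mktemp -d)}"

# Flawed pattern. The message is meant to be data, but an unquoted expansion
# at the start of a command line is executed as a command, so the sender
# controls what runs, with whatever privileges the script has (under
# "sudo -u selena", the other user's). Kept only to contrast with safe_send.
unsafe_send() {
    local msg="$2"
    $msg 2> /dev/null
}

# Hardened version: the recipient is checked against a fixed allow-list, the
# message is rejected if it carries control characters (so it cannot forge
# extra records), and it is written with printf '%s', which never interprets
# its argument. Nothing derived from the input is ever in command position.
safe_send() {
    local to="$1" msg="$2"
    case "$to" in
        ariana|selena) ;;
        *) printf 'unknown recipient: %s\n' "$to" >&2; return 1 ;;
    esac
    case "$msg" in
        *[![:print:]]*) printf 'message contains non-printable characters\n' >&2; return 1 ;;
    esac
    printf '%s\n' "$msg" >> "$SPOOL/$to.msg"
}

# Read back a recipient's spool, the way the real script's counterpart would.
read_messages() {
    cat "$SPOOL/$1.msg" 2> /dev/null
}

# Stand-alone demo: the same text is executed by one path and stored by the other.
unsafe_send selena 'echo this line was EXECUTED, not stored'
safe_send selena 'echo this line was STORED, not executed'
read_messages selena
```

It makes no difference whether the message arrives via `read -r` or as an argument; what matters is that `safe_send` never lets the text reach command position. The sudoers side deserves the same care: a rule that lets one user run a script as another is only as safe as that script, so the path in the rule should be root-owned and not writable by the calling user.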

To get a stable shell, we use python3 (python2 is not installed on the system) to spawn a TTY, then read the selena-personal.diary file.

python3 -c 'import pty;pty.spawn("/bin/bash")'

Getting TTY shell and Reading Selena-personal.diary

We check our id to see whether we belong to any group with special privileges on the box.

Checking id

The user selena is in the docker group, so we list the Docker images available on the box and try to use them to escalate to root.

docker images

Docker Images

Three images are listed, and we run the following command to get a root shell.

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Docker Command Execution through Docker Images

We try the debian image first, but Docker cannot find it locally. So we try the alpine image: the container mounts the host filesystem at /mnt, and chrooting into it gives us a root shell on the system.
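The lesson for defenders is that membership in the docker group is root-equivalent: anyone who can talk to the daemon can mount the host filesystem into a container, exactly as above. Here is an added audit script (not from the write-up or the box) that reports members of the docker group and of other commonly root-equivalent groups from a group(5)-format file, so it can be run against the live /etc/group or a copy taken from a host under review. The group list and the sample file are assumptions for the demo.

```bash
#!/usr/bin/env bash
# Added example, not part of the original write-up: audit who can reach the
# Docker daemon. Membership in the docker group is root-equivalent, which is
# what the "-v /:/mnt ... chroot /mnt" step on this box turns into a root
# shell. The group list and the sample group file are assumptions.

# Print the supplementary members of a group, one per line.
group_members() {
    local group="$1" file="${2:-/etc/group}"
    awk -F: -v g="$group" '
        $1 == g && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) print m[i]
        }' "$file"
}

# Groups that hand out root-equivalent power on a typical Linux host.
# docker is the one this box demonstrates; the others are usually audited together.
ROOT_EQUIV_GROUPS="docker lxd sudo wheel"

# Report members of each root-equivalent group. Returns 1 when the docker
# group has any members at all, the finding this box demonstrates; the other
# groups are listed for context, since sudo membership may well be intended.
audit_root_equivalent_groups() {
    local file="${1:-/etc/group}" g members rc=0
    for g in $ROOT_EQUIV_GROUPS; do
        members=$(group_members "$g" "$file")
        [ -n "$members" ] || continue
        printf '%s: %s\n' "$g" "$(printf '%s' "$members" | tr '\n' ',')"
        [ "$g" = "docker" ] && rc=1
    done
    return "$rc"
}

# Constructed group file standing in for the box's /etc/group (placeholder
# GIDs and members, not copied from the target).
make_sample_group_file() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:
sudo:x:27:ariana
users:x:100:ariana,selena
docker:x:999:selena
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: audit the file given as $1, or the constructed sample.
audit_root_equivalent_groups "${1:-$(make_sample_group_file)}" \
    || echo "FINDING: docker group members have root-equivalent access to the host"
```

Treat the docker group exactly like sudo when reviewing accounts: interactive users should not be in it unless they are meant to be administrators, and where unprivileged users genuinely need containers, rootless Docker or a restricted socket proxy keeps the daemon’s privileges away from them.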

Now we have full authority on the box. Enjoy!
