OSCP Preparation [JOY]

j1gs@w
6 min readJul 24, 2023

--

It’s been a while since I have done a write-up and I am happy to say I’m back with one! This is the 5th machine I’ve done for my OSCP preparation so let’s get started! Also, I have a few more write-ups in the bank so I’ll get to it ASAP uwu.

The first step is to find out what is our target machine’s IP address. We can do that by doing a host scan on our network.

sudo nmap -sn -oN nmap_discovery 192.168.110.0/24

Knowing 192.168.110.133 is our attacker machine’s IP address, we can identify that 192.168.110.139 is our target. Once our target has been identified, we can now perform port scanning on our target with the following:

sudo nmap -sC -sV -Pn -p- 192.168.110.139 -oN nmap_port_scan
  • -sC : Load default nmap scripts
  • -sV : Version scan
  • -Pn : Assume all hosts are up
  • -p- : Scans for all 65535 ports
  • -oN : Outputs file in normal format

The results of the port scan reveal that these services are being hosted on the target:

  • FTP
  • SSH
  • SMB
  • a Web Server
  • STMP

With FTP, let’s try to see whether it allows anonymous logins

And it does! Listing the file directory we can see a download folder and an upload folder.

The download folder does not contain anything useful. However, the upload directory has a file which contains the directory listing of a user.

Okay, breaking the fourth wall a bit, I actually have done this box before and this is the second time I’m doing it so I kinda know where to proceed.

At this point, I was stuck so I gave up on the FTP server route for initial foothold and took a look at the web server.

With a web server available, directory brute forcing would be our next step. I used gobuster to get the directories on the web server

gobuster dir -u http://192.168.110.139 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.html,.js,.css,.txt -t 100 -o directory_brute

dir : Uses gobuster for directory brute forcing

-u : The target’s URL

-w : The wordlist used to enumerate the web server’s directories

-x : Extensions added to the end of every word within the wordlist

-t : Threads used

-o : The output file

But I found nothing.

However, having the version of OSSEC, let’s check for any available exploits on ExploitDB with the searchsploit command.

Note:

-x : Examines the exploit file

-m : Copies the exploit file into the current directory

Also, again I found nothing.

So, now the last resort was to do brute-forcing. Knowing that there is a user named patrick let’s brute-force the pop3 service. However, again, that was not possible.

Remember how I said I did this box before? Well, a bit of Google searching eventually got me the answer on the second try lol

In our nmap scan, we have the version of the FTP server being hosted. Doing some Google searching on how to exploit FTP servers, I found a very unique capability on ProFTPD 1.3.5.

https://notes.defendergb.org/pentesting/ftp-21

If the vulnerability is present on 1.3.5, it could be present on 1.2.10. So let’s try going that route.

Looking at the directory listing earlier, the version_control file looks interesting. Using nc to connect to the FTP server, we can use the following commands.

SITE CPFR : Allows us to target a file on the target system to be copied

SITE CPTO : Allows us to select a destination for the selected file

Note: The default directory for FTP files are in /home/ftp

Doing that allows us to read the contents of version_control

Reading the file tells us the version of the services being hosted on the target as well as the root directory for the web server is /var/www/tryharderisjoy

Having the actual version of ProFTPd, let’s check for any available exploits on ExploitDB with the searchsploit command.

And there are available exploits available for initial foothold!

From here on out, I was tinkering with the 2 exploits that do not require Metasploit. It took a long time but I managed to get it running, thanks to t0kx’s exploit. (Which was not present in searchsploit)

However, reading the scripts available over and over. I think I have the responsibility to explain what all the scripts do.

Basically, as we are able to copy files across the system with ProFTPd, we can also create a web shell and copy it to the root of the web directory. That is the reason why the root directory of the web server is given.

With that, we are able to create a web shell!

Now that we have remote code execution (RCE), let’s find a reverse shell on PayloadsAllTheThings and let’s listen on port 4444

nc -lvnp 4444

This python reverse shell seems to work!

Let’s upgrade our shell to make it more interactive with python3

python3 -c 'import pty;pty.spawn("/bin/bash")'

Enumerating through the web server’s directory, the credentials for patrick was found.

With that, we can switch to the user patrick

With our current user, let’s see whether we have sudo capabilities with:

sudo -l

We can see that patrick can run the script test

The script basically allows users to change the permissions of files and directories within the current directory. However, using directory traversal, we can change the root folder to have read and write permissions

Doing so gives us the flag!

So with that said, I really liked this box because it introduced me to a new vulnerability within ProFTPd servers. Even though I kinda knew how to get into the box, doing the box the second time taught me that enumeration is key through Uncle Google (Yes imma call Google that).

--

--