Infosec OSCP Prep Walkthrough
Introduction
Today we're doing a boot2root walkthrough of the Infosec Prep: OSCP machine, created by FalconSpy, and hosted at https://www.vulnhub.com/entry/infosec-prep-oscp,508/.
For this pentest walkthrough, we'll be using two virtual machines: a Kali Linux machine as our attacking system, and the Infosec machine as the target system.
Locating the Target
The target system is very convenient, in that the IP address it is assigned by DHCP is displayed at the login screen.
We can clearly see that our target is at 10.0.2.17.
Scanning and Enumeration
We'll kick off our scans by figuring out which ports are open with nmap.
Three TCP ports are open. We'll plug those into nmap again and get more details from the next scan.
One finding stands out here: there's a Disallow entry in the robots.txt file that points to secrets.txt. When we navigate to the target's website, first we see a bunch of information about the contest that was originally being run when this machine was released, but we also see this:
Which is some really important info for this system, but then we navigate to secrets.txt, which shows us:
I had a hunch that this long string was Base64-encoded, so I copied it and plugged it into a Base64 decoding website, which produced the following:
So the string was actually an SSH private key. We can copy the contents of the private key into a text file that we can use to log in to the target machine over SSH. In our case, we use nano to create the file. Don't forget to run chmod 600 on the SSH key file, otherwise SSH will refuse to use it.
Now, with both a username and an SSH private key, we can use SSH to remotely log in to the target system.
Finding the Flag
After logging in, we confirm that we're the oscp user. Looking at our home directory, we see there's a file called ip, so we cat it out and see that it's a script which copies a file, issue-standard, and renames the copy issue, then runs another script called get-ip-address and appends the output of that script to the issue file.
We'll also cat out the issue, issue-standard, and get-ip-address files to see what's going on there.
If we work from top to bottom, issue-standard is a template file that replaces issue, then get-ip-address populates issue with the target system's current IP address. This is probably the script that gets the IP info to display at the login screen of the target system. Let's try running the script.
So we can run the script, but it doesn't resolve properly because the oscp user doesn't have write permissions in the /etc/ directory. If this script is run every time the system starts in order to have the target's IP address display, it should be referenced in the /etc/systemd/ directory, so we'll grep to see if we're correct.
So the ip script is part of a startup script in the /etc/systemd/ directory, so ip will be run each time the system boots up. If that's the case, we can replace the ip script with one that gives the flag.txt file, which the documentation for this system indicates is located in the /root/ directory.
First, we'll rename the existing ip file by running mv ip ip.old, then we'll go into nano to write a new ip script, like so:
We should run chmod +x ip so that the script can execute properly. The next time we log in after the system reboots, the ip script should have copied the flag.txt file to the oscp user's home directory. So we log out, reboot the target machine, log back in, and...
We got the flag! Now to cat it out, and we'll be done.
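The weakness that gave us the flag is a boot-time systemd service whose program file an unprivileged user can rewrite. As an added example (not from the original post, and not the target's real unit file), here is a small audit that parses systemd unit files for Exec* directives and flags any program path that the trusted owner (root) does not own or that is group/world-writable; the unit names, script names and demo() fixture are all constructed.

```python
import os
import re
import stat
import tempfile

# Exec* directives may carry prefixes (-, @, +, !, :) before the program path.
EXEC_RE = re.compile(r"^Exec(?:Start|StartPre|StartPost|Reload|Stop|StopPost)"
                     r"\s*=\s*[-@+!:]*(\S+)", re.M)

def exec_paths(unit_text):
    """Program paths named by the Exec* directives of one unit file."""
    return EXEC_RE.findall(unit_text)

def is_weak(path, trusted_owner=0):
    """Weak if someone other than trusted_owner (root) can change the program."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False  # a missing program is a different problem, not a takeover
    return st.st_uid != trusted_owner or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_units(unit_dir, trusted_owner=0):
    """Map each .service file in unit_dir to the weak program paths it runs."""
    findings = {}
    for name in sorted(os.listdir(unit_dir)):
        if not name.endswith(".service"):
            continue
        with open(os.path.join(unit_dir, name)) as f:
            weak = [p for p in exec_paths(f.read()) if is_weak(p, trusted_owner)]
        if weak:
            findings[name] = weak
    return findings

def demo(trusted_owner=None):
    """Constructed fixture: one locked-down script and one world-writable one like ip."""
    if trusted_owner is None:
        trusted_owner = os.getuid()  # fixture files belong to whoever runs this
    d = tempfile.mkdtemp()
    safe, weak = os.path.join(d, "safe.sh"), os.path.join(d, "ip")
    for p in (safe, weak):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho demo\n")
    os.chmod(safe, 0o755)  # only the owner can modify it
    os.chmod(weak, 0o777)  # anyone can rewrite what runs at boot
    with open(os.path.join(d, "good.service"), "w") as f:
        f.write(f"[Service]\nExecStart={safe}\n")
    with open(os.path.join(d, "ip.service"), "w") as f:
        f.write(f"[Service]\nExecStartPre=-{safe}\nExecStart={weak} eth0\n")
    return audit_units(d, trusted_owner)
```

On a real host, `audit_units("/etc/systemd/system")` with the default trusted owner of root lists every service whose program a non-root user could replace.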
Summary
After initial scans, we saw that the system webserver's robots.txt file pointed us at a long, Base64-encoded string that turned out to be a private SSH key. That, along with a username we obtained from the webserver's homepage, allowed us to log in to the target system using SSH. Once in, we found a script in the user's home directory that runs each time the system is booted up. We substituted our own script in its place, which allowed us to copy the system's flag file to our home directory, where we could read it.