Home OffSec PG - Born2Root
Post
Cancel

OffSec PG - Born2Root

Enumeration

Machine IP → 192.168.225.49

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.225.49

OS Detection → os_info

PortServiceOther details (if any)
22SSHOpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
80HTTPApache httpd 2.4.10 ((Debian))
111RPCBINDrpcbind 2-4 (RPC #100000)
44532--

Web Scan

GoBuster scan → gobuster dir -u http://192.168.225.49 -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Robots txt file has two directories →

  • wordpress-blog/
  • files/

Directories/files listed →

  • index.html
  • robots.txt
  • icons/
  • files/
  • manual/

Exploitation

The /icons/ directory has a .txt file which seems out of place amongst all the other image files. Upon inspection, it contained an RSA private key. Used this to login to the ssh server running on the machine. For ther user, the most obvious one is martin given the clear mentions throughout the website. Upon loggin in, the shell asks for a secret password. Entering something random just drops into the shell and gives the user flag.

The program that asked for the secret password was located at the end of the .bashrc in martin’s home directory. This was /var/tmp/login.py. Upon close inspection, the script has an error to always allow access into the shell. The script is as follows →

1
2
3
4
5
6
7
8
9
10
11
12
13
14
#!/usr/bin/python

import os

print("")
print("READY TO ACCESS THE SECRET LAB ? ")
print("")
password = raw_input("secret password : ")

if (password) == "secretsec" or "secretlab" : # --> Always true
	print("WELCOME ! ")
else:
	print("GET OUT ! ")
	os.system("pkill -u 'martin'")

Privilege Escalation

Looking at the /etc/passwd file, the users of interest are root, martin, hadi and jimmy.

User 1

Looking at the crontab, there is a job by jimmy that runs every 5 minutes as python /tmp/sekurity.py. This file does not exist, therefore, can be created and subsequently executed. This can be used to receive a shell as jimmy over netcat. The home directory consists of a networker binary, which doesn’t seem to do anything concrete.

User 2

Cracking the password for hadi was taking too long, therefore a hack was used to grep out all passwords related to “hadi” from the rockyou.txt list. This sublist was also set on the cracking task in parallel, which found the password surprisingly quick, resulting in credentials hadi:hadi123.

Root

As the hadi user, running su root directly gives the root shell and thus the root flag.


This post is licensed under CC BY 4.0 by the author.