InfoSec Prep OSCP Challenge

On July 11, 2020, the InfoSec Preparation Group on Discord started a giveaway, but to enter it one needed to solve a box, get the flag and then submit it to the bot to become eligible. This is my attempt at writing a report for the box.
Discord Link for InfoSec Prep: https://discord.gg/BUjnWps

. . .

Setting up the Environment

Downloading the VM

Link: https://www.vulnhub.com/entry/infosec-prep-oscp,508/

  • MD5: B25476F6CE9CB78D573C3B05F4D7F111
  • SHA1: CA3FD5FEE9E9DBADE90332666EF54E359D9CBE8C

Importing the VM

On unzipping ‘oscp.zip’ we get oscp.ova. ‘.ova’ files can be imported directly into VirtualBox by double-clicking the file.

Importing the VM

I usually check the settings before booting the VM, and we see that invalid settings were detected; we should change the graphics controller to remediate this.

Fixing Import Errors

Changing the graphics controller to ‘VMSVGA’ worked for me.

Network settings: as usual, Host-Only Adapter.

Everything looks good, let us boot the VM :D

Boot Screen

Notice that we get the OS version information (Ubuntu 20.04) and the IP (192.168.56.4). Hence our usual step of finding the IP address isn’t needed, and we can jump to scanning and enumeration.

. . .

Scanning & Enumeration

A simple all-ports nmap scan, nmap -sV -A -p- $target, gives us:

> nmap -sV -A -p- 192.168.56.4 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-20 23:22 IST
Nmap scan report for 192.168.56.4
Host is up (0.00020s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry 
|_/secret.txt
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: OSCP Voucher – Just another WordPress site
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|_    HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.06 seconds

Possible Targets

Version & Port Information

SSH
Version → 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
Port → 22
Comments → N.A.

HTTP
Apache httpd version → 2.4.41
WordPress version → 5.4.2
Port → 80
Comments → We see one disallowed entry in robots.txt; we should start from there :)

MySQL
Version → Unknown
Port → 33060
Comments → MySQL services usually run on 3306.
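To build the inventory above from the scan without retyping it, here is an added Python parser (my own code, not part of the original writeup) over the port table and NSE script lines from the nmap output. It attaches script output to the port it belongs to and returns the notes a first pass should act on: service names nmap only guessed (the trailing ‘?’ on mysqlx), services away from their usual port, and paths that robots.txt asks crawlers to skip, which hides nothing from a direct request. The EXPECTED_PORTS mapping is my assumption; 33060 is MySQL’s X Protocol default port, so mysqlx there is not itself unusual.

```python
import re

# Sample input (copied from the scan above): port table plus NSE script lines
NMAP_OUTPUT = """\
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry
|_/secret.txt
33060/tcp open  mysqlx?
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Assumed expected ports per service; 33060 is MySQL's X Protocol default, so mysqlx there is normal
EXPECTED_PORTS = {"ssh": {22}, "http": {80, 8080}, "mysql": {3306}, "mysqlx": {33060}}

def parse_nmap(text):
    """One record per port line; '|' script lines are attached to the port they follow."""
    services, key = [], None
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            name = m.group(4)
            services.append({"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                             "service": name.rstrip("?"), "guessed": name.endswith("?"),
                             "version": m.group(5).strip(), "scripts": {}})
            key = None
        elif line.startswith("|") and services:
            body = line.lstrip("|_ ").strip()
            head, sep, rest = body.partition(": ")
            if sep and " " not in head:          # "script-id: value" opens a new script entry
                key = head
                services[-1]["scripts"][key] = [rest.strip()] if rest.strip() else []
            elif key:                            # continuation line, e.g. the robots.txt paths
                services[-1]["scripts"][key].append(body)
    return services

def review(services):
    """Notes for a first pass: unverified service guesses, off-port services, robots.txt paths."""
    notes = []
    for s in services:
        if s["guessed"]:
            notes.append(f"{s['port']}: nmap only guessed '{s['service']}', confirm it by hand")
        expected = EXPECTED_PORTS.get(s["service"])
        if expected and s["port"] not in expected:
            notes.append(f"{s['port']}: {s['service']} normally listens on {sorted(expected)}")
        for path in s["scripts"].get("http-robots.txt", []):
            if path.startswith("/"):             # Disallow hides nothing from a direct request
                notes.append(f"{s['port']}: robots.txt points at {path}, check what it exposes")
    return notes
```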

. . .

Enumeration

HTTP Enumeration

Landing Page

Let us first look at the secret location, ‘/secret.txt’; we saw it pop up in the scan and can verify it by visiting ‘/robots.txt’.

Contents of 'secret.txt'

The trailing double equals (‘==’) suggests base64 encoding, so we quickly copy the text and decode it with echo <text> | base64 -d.

Decoded text → OpenSSH Private Key

The decoded text is an OpenSSH private key; we save it to the file openssh.key.
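The same ‘==’ hint, turned into a check a defender can run over anything reachable under a web root or listed in robots.txt. This is an added example, not code from the original post: it decides whether a fetched file is a private key, either in the clear or wrapped in base64 as secret.txt was. The function names, the marker list and the stand-in key are my own; the sample is a constructed dummy, not a usable key.

```python
import base64
import binascii
import re

# PEM markers that identify key material once it is readable (OpenSSH, RSA, EC, PKCS#8)
KEY_MARKERS = ("-----BEGIN OPENSSH PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----",
               "-----BEGIN EC PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed stand-in for secret.txt: a dummy key body (not a real key), base64-wrapped
FAKE_KEY = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            "dummybodynotarealkey\n"
            "-----END OPENSSH PRIVATE KEY-----\n")
SECRET_TXT = base64.b64encode(FAKE_KEY.encode()).decode()

def try_base64(text):
    """Return the decoded text if `text` is one base64 blob (whitespace ignored), else None."""
    compact = re.sub(r"\s+", "", text)
    if not compact or not B64_RE.match(compact):
        return None
    compact += "=" * (-len(compact) % 4)        # tolerate padding stripped by copy/paste
    try:
        return base64.b64decode(compact, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def find_private_key(text):
    """Classify fetched content as a plain key, a base64-wrapped key, or nothing of interest.
    Returns (kind, key_text) with kind in {'plain', 'base64', None}."""
    for marker in KEY_MARKERS:
        if marker in text:
            return "plain", text
    decoded = try_base64(text)
    if decoded:
        for marker in KEY_MARKERS:
            if marker in decoded:
                return "base64", decoded
    return None, None
```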

We know we can use this key to SSH into the target with ssh -i openssh.key <user>@192.168.56.4, so I tried logging in with different usernames.

Logging into SSH using the private key

Maybe this was pure luck, but this is the proof:
I first tried root, then user, then the box name, oscp, as the username, and bam! We see the permissions error on the key file, so I quickly set the correct permissions on the private key, i.e. 600, and try again. And we’re in, guys!

Shell with 'oscp' user privileges

To run sudo we need the user’s password, which we do not have, so it seems we are stuck here. Now that we are in, we should explore more.

For example, we still do not know which MySQL version is hosted on the server.

. . .

Privesc

Now that we know we need to enumerate further, we can use ‘LinEnum.sh’, a script that enumerates the Linux machine on which we have a local shell and on which we are trying to escalate privileges.

Also, remember that in the previous section the username oscp was guesswork. It seems I had overlooked something I should have noticed at first glance.

user oscp exists

Okay, so once again we log in to the machine and try to enumerate.
LinEnum.sh Link : https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh

We view it in raw mode, i.e. using the URL https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh or by clicking ‘Raw’.

Copy this and create a new script on the machine; ‘try.sh’ or any other name is fine. Change the permissions and run it. The output contains a lot, but the most interesting part is:

Interesting group memberships

There is a lot more info there, but in the interest of time and space, this particular entry was very juicy!

'/usr/bin/bash' with suid permissions

This bash binary is owned by root and has the setuid bit set, which means that we can run it with an effective uid of root. I did not know about this, but what I did know was that a set setuid bit can be a security issue. So I started googling, and this is what I found!

privesc vector
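The defender’s side of this finding, as an added example that is neither part of the writeup nor of LinEnum: a small Python audit that walks the filesystem for setuid binaries, treats a setuid shell or script interpreter as critical (with the bit set, every local user runs it with the owner’s effective uid, exactly the state reported above), and lists any other setuid file not in a known-good baseline for review. DANGEROUS_SUID, classify and audit_suid are my own names; the baseline is whatever you record from a clean install.

```python
import os
import stat

# Shells and interpreters that must never carry the setuid bit (assumed list, extend as needed)
DANGEROUS_SUID = {"bash", "sh", "dash", "zsh", "ksh", "python", "perl", "ruby"}
SKIP_DIRS = ("/proc", "/sys", "/dev")

def classify(path, mode, uid):
    """Pure check on one file's metadata; returns a finding string or None when nothing is wrong."""
    if not (stat.S_ISREG(mode) and mode & stat.S_ISUID):
        return None
    name = os.path.basename(path)
    base = name.split(".")[0].rstrip("0123456789")     # python3.8 -> python, ksh93 -> ksh
    owner = "root" if uid == 0 else f"uid {uid}"
    if base in DANGEROUS_SUID:
        return f"CRITICAL {path}: setuid {owner} {name} gives every local user a {owner} shell"
    return f"REVIEW {path}: setuid {owner}, compare against the distro baseline"

def audit_suid(root="/", baseline=frozenset()):
    """Walk `root` and return findings for setuid files that are not in the known-good baseline."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for f in filenames:
            p = os.path.join(dirpath, f)
            if p in baseline:
                continue
            try:
                st = os.lstat(p)                       # lstat: do not follow symlinks
            except OSError:
                continue
            note = classify(p, st.st_mode, st.st_uid)
            if note:
                findings.append(note)
    return findings

if __name__ == "__main__":
    for line in audit_suid():
        print(line)
```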

And we got root!

d73b04b0e696b0945283defa3eee4538

We now submit it to the TryHarder Bot!

Flag Submission
. . .