Hacking, Cybersecurity, Privilege Escalation

OffSec — InfosecPrep Walkthrough

A walkthrough with my tactics, techniques, and procedures.

xocybersec
Infosec WatchTower

--

Reconnaissance/Scanning:

Let’s start things off with a network scan to see which ports are open and the services running on each.

$ nmap -A -O -sC -sV -p- <machine_IP>
Nmap scan results

Vulnerability assessment:

There’s a robots.txt file that reveals another text file on the server, secret.txt.

Contents of secret.txt

A base64 encoded text file.

I copied and pasted the text into a file on my local machine and decoded it with base64:

$ base64 -d code.txt > decoded.txt

Turns out to be an SSH private key!

Decoded base64 text from secret.txt
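The robots.txt to secret.txt to base64-decoded private key chain above is exactly the kind of exposure a defender can catch before a tester does. The following script is an added example, not part of the original post: it lists every robots.txt Disallow entry that resolves to a real file (robots.txt is public, so it advertises rather than hides), and flags any file under the web root that contains private-key material either in the clear or after a single base64 decode. The directory passed in and the output labels are assumptions.

```shell
#!/bin/sh
# Web-root secrets audit (added example; paths and labels are assumptions).
# audit_webroot DIR prints findings and returns 1 if anything was found,
# so it can gate a deploy or CI job.

# Print robots.txt Disallow entries that resolve to real paths in the web root.
robots_targets() {
    root="$1"
    [ -f "$root/robots.txt" ] || return 0
    grep -i '^Disallow:' "$root/robots.txt" | sed 's/^[^:]*:[[:space:]]*//' |
    while IFS= read -r p; do
        p="${p%%#*}"                                  # drop trailing comments
        p="$(printf '%s' "$p" | tr -d '[:space:]')"
        [ -n "$p" ] || continue
        [ -e "$root/${p#/}" ] && printf 'ROBOTS: %s exists\n' "$p"
    done
}

# Flag files holding private-key material, plain or base64-encoded once
# (the secret.txt pattern). Files of 1 MiB and larger are skipped.
exposed_keys() {
    root="$1"
    find "$root" -type f -size -1024k 2>/dev/null | while IFS= read -r f; do
        if grep -aq 'PRIVATE KEY-----' "$f"; then
            printf 'KEY: %s (plaintext)\n' "$f"
        elif base64 -d "$f" 2>/dev/null | grep -aq 'PRIVATE KEY-----'; then
            printf 'KEY: %s (base64)\n' "$f"
        fi
    done
}

# Run both checks; success (0) only when nothing was found.
audit_webroot() {
    out="$(robots_targets "$1"; exposed_keys "$1")"
    printf '%s\n' "$out"
    [ -z "$out" ]
}
```

Run it as `audit_webroot /var/www/html` (path is an assumption) from a cron job or a pre-deploy hook; a non-zero exit means a key or an advertised "hidden" path is sitting in public web space. The base64 pass only unwraps one layer, which is what the walkthrough encountered.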

Upon visiting the webpage the machine is hosting, there’s a blog entry that tells me the only user on the box!

Username of user on the machine

That means it’s time to get an SSH session!

$ ssh oscp@<machine_IP> -i rsa.txt
Proof of shell for user oscp

Here are the files in the user’s home directory.

File listing from oscp home directory

Here are the contents of the ip file:

Contents of ip

The text file local.txt gives the user flag.

Proof of user flag

Exploit:

I checked the cron jobs; no luck.

My next step was to look for files with the SUID bit set that I could run with higher privileges.

$ find / -perm -u=s -type f 2>/dev/null
Results of find command above
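The same find command is the basis of a defender-side check. The script below is an added example, not the author's command: it runs the walkthrough's SUID search, flags any SUID file whose name is an interactive shell or interpreter (a setuid bash is what rooted this box), and diffs the list against a baseline captured on a known-good host so newly added SUID files stand out. The list of risky names and the baseline file format (one absolute path per line) are assumptions.

```shell
#!/bin/sh
# SUID audit (added example). audit_suid ROOT [BASELINE] prints
#   SHELL <path>  for SUID files whose name is a shell/interpreter
#   NEW   <path>  for SUID files absent from BASELINE
# and returns 1 if anything was flagged.

# Names that should never carry the SUID bit on a hardened host (assumption).
RISKY_SUID_NAMES="bash sh dash zsh ksh python python3 perl ruby php node vim vi nano find"

# Same criteria as the walkthrough, sorted so the output is diff-friendly.
list_suid() {
    find "${1:-/}" -perm -u=s -type f 2>/dev/null | sort
}

# Does the basename of $1 appear in RISKY_SUID_NAMES?
is_risky_name() {
    name="$(basename "$1")"
    for n in $RISKY_SUID_NAMES; do
        [ "$name" = "$n" ] && return 0
    done
    return 1
}

audit_suid() {
    root="$1"; baseline="${2:-}"
    flagged=0
    tmp="$(mktemp)"
    list_suid "$root" > "$tmp"
    # Redirecting into the loop (not piping) keeps $flagged in this shell.
    while IFS= read -r f; do
        if is_risky_name "$f"; then
            printf 'SHELL %s\n' "$f"; flagged=1
        fi
        if [ -n "$baseline" ] && ! grep -qxF "$f" "$baseline"; then
            printf 'NEW %s\n' "$f"; flagged=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $flagged
}
```

Capture the baseline once on a freshly built host with `list_suid / > suid.baseline`, then schedule `audit_suid / suid.baseline` and alert on a non-zero exit. A `SHELL` hit for bash is precisely the condition the walkthrough abused with `-p`.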

Looks like user oscp can run the bash binary with higher privileges, perfect!

I went to gtfobins[.]net to look up a quick command to exploit that binary.

$ /usr/bin/bash -p

Now that I escalated my privileges to root, I’ll grab the root flag.

Reporting:

Be sure not to leave files that contain private information accessible from the internet.

Use a strong encoding method or multiple encoding methods to hide contents.

Have all SSH private keys passphrase protected.
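The passphrase recommendation above can be checked rather than assumed. This is an added example, not from the post: legacy PEM keys carry a "Proc-Type: 4,ENCRYPTED" header when protected, and modern OpenSSH-format keys encode the cipher name right after the 15-byte "openssh-key-v1\0" magic and a 4-byte length field, with the cipher "none" meaning no passphrase. The script classifies a single key file and then walks a directory reporting every unprotected key; the directory and output labels are assumptions.

```shell
#!/bin/sh
# SSH private key passphrase check (added example).
# key_is_protected FILE -> 0 if passphrase protected, 1 if not, 2 if unrecognised.
key_is_protected() {
    f="$1"
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$f"; then
        # Strip the armour lines, decode, and read the 4 bytes where the cipher
        # name begins: 15 bytes of magic + 4 bytes of length = offset 20 (1-based).
        cipher="$(grep -v -e '-----' "$f" | base64 -d 2>/dev/null | tail -c +20 | head -c 4)"
        [ -n "$cipher" ] || return 2
        [ "$cipher" != "none" ]
    elif grep -q 'BEGIN .*PRIVATE KEY' "$f"; then
        # PEM: encryption is declared in a header line.
        grep -q 'Proc-Type: 4,ENCRYPTED' "$f"
    else
        return 2
    fi
}

# report_unprotected DIR: one line per key file found under DIR.
report_unprotected() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null || continue
        rc=0
        key_is_protected "$f" || rc=$?
        case "$rc" in
            1) printf 'UNPROTECTED %s\n' "$f" ;;
            0) printf 'protected   %s\n' "$f" ;;
        esac
    done
}
```

Point `report_unprotected` at a home directory tree or a backup set; any `UNPROTECTED` line is a key that, if it leaks the way secret.txt did, gives an immediate login. Adding a passphrase to an existing key is `ssh-keygen -p -f <keyfile>`.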

Note from Publication: This story was uploaded with the permission of user “xocybersec” on 1/19/24. Please direct any feedback, comments, or citations to the original writer! Thank you — Infosec WatchTower

© [2024] Infosec WatchTower. All rights reserved. Unauthorized use or reproduction of content is prohibited. For inquiries, contact Infosec WatchTower.
