PG: Infosecprep

Proving Grounds - InfosecPrep

Scanning & Enumeration

As always, we start by scanning for open ports with rustscan. Two ports come back as open:

  • Port 22: running OpenSSH 8.2p1
  • Port 80: running Apache 2.4.41

We also see a secret.txt file in the disallowed list from robots.txt. Reading the website, we discover that the only user on this machine is called oscp. The secret.txt looks like a base64-encoded file:

Decoding it reveals an SSH private key.

Gaining Access ("Exploitation")

Let's save it as id_rsa and set the permissions to 600. We can now try to connect as oscp over SSH:

Now that we have a foothold, we can start with privilege escalation. Start a simple HTTP server on your local machine to host linpeas.sh and transfer it. Local machine: python3 -m http.server 80

Privilege Escalation

chmod +x linpeas.sh and run it.

The interesting attack vectors are marked in red/yellow.

CVE-2021-4034: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034 I will try this one when I find the time, but it looks vulnerable. However, I am not sure this CVE existed when InfosecPrep was released.

Next we find this in the linpeas output:

/bin/bash with the SUID bit set looks really interesting and easy to exploit. /bin/bash -p runs bash in privileged mode, so it does not drop the effective UID it inherits from the SUID bit, meaning we can spawn a bash shell with root privileges.
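As an added defender-side check (not part of the original writeup), this script lists every SUID/SGID file under a directory and flags shells and interpreters like the /bin/bash found here; the DANGEROUS_NAMES list is a constructed starting point, not an exhaustive one.

```shell
#!/bin/sh
# Audit SUID/SGID files under a root directory and flag the ones that are
# shells or interpreters: with the setuid bit they hand out a root shell
# directly (e.g. "bash -p"). Assumes POSIX find plus GNU or BSD stat.

# Names whose SUID bit is a red flag on its own (constructed list; extend it).
DANGEROUS_NAMES="bash sh dash zsh ksh python python3 perl ruby php vim vi nano find"

# audit_suid ROOT: print "mode<TAB>path<TAB>verdict" for every SUID/SGID file.
audit_suid() {
    root="$1"
    # -perm -4000 matches the setuid bit, -perm -2000 the setgid bit;
    # -xdev keeps the scan on one filesystem (skips /proc, NFS mounts, ...).
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        base=$(basename "$f")
        verdict="review"
        for n in $DANGEROUS_NAMES; do
            [ "$base" = "$n" ] && verdict="DANGEROUS"
        done
        # GNU stat first, BSD stat as fallback
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        printf '%s\t%s\t%s\n' "$mode" "$f" "$verdict"
    done
}

# count_dangerous ROOT: how many SUID/SGID files matched the shell/interpreter list.
count_dangerous() {
    audit_suid "$1" | grep -c 'DANGEROUS$' || true
}
```

Run it as `audit_suid /` on a host and compare the output against a known-good baseline; a new DANGEROUS line is worth an alert.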

Recommended Mitigations

  • Never expose passwords or private keys, even if they are encoded
  • Be wary of using SUID/SGID bits