This virtual machine I found on Vulnhub – InfoSec Prep: OSCP is an OSCP type virtual machine. It is a boot2root machine that also finds all the flags as well. The machine was originally designed in partnership with Offensive Security. Anyone who could achieve root on the VM would have a 30-day voucher to the OSCP Lab, Lab materials, and an exam attempt. As I found the machine post with the deadline for the giveaway, I had to try it.
As we boot up the machine, we are greeted with a black screen displaying an IP address on it.
As the IP is already present, we directly perform a Nmap scan to find the open ports and services.
We get SSH and an HTTP service running on their default ports. We also find an MYSQL service running on port 33060. We proceed further to examine the HTTP service and get information from Nmap about the “robots.txt” file containing 1 disallowed entry to a “secret.txt” page.
We open the default page and look around for clues. After looking around, we proceed directly to the /robots.txt page and find the disallowed entry “secret.txt” page.
The “secret.txt” page displays a string of random text on the webpage. However, looking at the bottom of the page we find “==” (equal to) sign. A tell-tale sign, which means the text is a Base64 encoded string.
After a quick decode of the message, we find it as an OpenSSH private key. We save the key in a text file for now. We also test other things like performing a Dirb (directory listing) and a Nikto (vulnerability scanner) scan of the server.
We conduct a Nikto scan but end up not getting many results. We get some WordPress related results. However, we know from browsing the site that this is a WordPress based site.
We visit the WordPress site and check the information from the Nikto scan. Directory listing was also done on the machine. However, we kept it as a potential path we could follow later on if required. However, we did not require it as you will find it later.
The version of WordPress used, maybe we could find a vulnerability in the WordPress version and exploit it to have a further foothold in the system.
While the Dirb scan is running in the background, we continue researching and going back looking at the information and the pieces of evidence we have gathered till now. We take a step back and recheck things from the beginning, it can help us find missing details or things we have overlooked and later piece all the information we have back together.
We missed a key detail by not reading the post on the website. It mentions the user account of the box “oscp”. A detail we missed by not reading the website. In a real-world Penetration Testing, this would be crucial and careless. Tracking back not only wastes time, but also the effort of redoing certain tasks again. Hence, Reconnaissance and Enumeration are the key stages of Penetration Testing. The more effort put into the above two phases, the more it makes it easy to go further and can open different paths to the machine. Moving ahead, we already have an SSH key and a username. We will now try and check whether we can SSH into the box using the given key matches with the user account.
We save the key with Nano, a text editor in Linux. Pasting the copied key into the editor and saving it. After exiting the text editor, we proceed to change the permission of the key for using it to SSH.
After we alter the permission, we successfully log in to the user “oscp”. Now we start enumerating the machine to try and find anything we can to escalate our privilege with. After a long time enumerating like reading configurations files, system files, system processes running. I later moved to break out the shell I was in.
Trying a few commands especially the “/bin/bash -p” leads to breaking out of the oscp user shell to the root user. The above shows the bash arguments “-p” which turn on the privileged mode.
Later, once we achieved root on the machine. I looked at the flag in the /root folder.
Finally, the root flag. It was a simple boot2root machine. However, I did find interesting things on the machine. Like, Mysql username and password in the WordPress configuration files.
Though we have completed our objective, it was a simple and easy machine for OSCP introduction.