InfoSec Prep: OSCP Vulnhub

The box was intended to be made as a giveaway for OSCP voucher where we submit the flag of the box in the discord server to the TryHarder bot

So lets get started

Running netdiscover on my subnet, I get the IP of the box

Running NMAP against the target, we see it has 3 Open Ports for SSH , Web and MySQL respectively

Moving onto the Web Part directly

Running the IP in the browser, we see

We have a Wordpress website upon which I ran wpscan to scan for wordpress vulnerabilities, but no luck there

Running GoBuster scan against the web, we got several entries

We see we have robots.txt and another one being secret.txt

Checking the robots.txt file, we see that it has disallowed secret.txt file, so checking the file in the web

We see that it has a base64 encoded string, so we copy it and save it to a file and then decode it

After decoding it, we see its a private openssh key file, but we don't know the user already

If you noticed on the blog, it is mentioned there that there is only one user on the box named “oscp”, so now we connect to that user through SSH after giving the 600 permissions to the SSH key

We got connected and now time for privilege escalation

Running linpeas.sh, we see we have a SUID bit enabled on bash but on a different location, so we will abuse it to get our privileges high

As we can see that we used the command to get root and we got the flag

References

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store