InfoSec Prep: OSCP Vulnhub
The box was made as a giveaway for an OSCP voucher: the flag from the box is submitted to the TryHarder bot on the Discord server.
So let's get started.
Enumeration
Running netdiscover on my subnet, I get the IP of the box.
Running Nmap against the target, we see it has 3 open ports, for SSH, web and MySQL respectively.
Moving on to the web part directly.
Web
Opening the IP in the browser, we see a WordPress website. I ran wpscan against it to scan for WordPress vulnerabilities, but no luck there.
Running a GoBuster scan against the web server, we get several entries.
Among them are robots.txt and another file, secret.txt.
Checking robots.txt, we see that it disallows secret.txt, so we open that file in the browser.
It contains a base64-encoded string, so we copy it, save it to a file and decode it.
After decoding it, we see it's an OpenSSH private key file, but we don't know the user yet.
If you noticed, the blog mentions that there is only one user on the box, named “oscp”, so we connect as that user through SSH after setting 600 permissions on the SSH key.
We got connected, and now it's time for privilege escalation.
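From the defender's side, the secret.txt exposure above can be caught before a site goes live. The following Python sketch is an added example, not part of the original write-up: it walks a web root and flags files that hold private key material, either as plain PEM or wrapped in base64 as it was on this box. The sample files, the placeholder key body and the id_rsa.bak name are constructed for the demo.

```python
import base64
import pathlib
import re
import tempfile

# PEM headers that mark private key material (OpenSSH, PKCS#1, PKCS#8, EC, DSA).
KEY_MARKER = re.compile(rb"-----BEGIN (?:OPENSSH |RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")
# Base64 runs of 40+ characters, allowing line wraps between 4-character groups.
B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{4}\s*){10,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")

def contains_private_key(data):
    """Return "plain" or "base64" when data holds a private key header, else None."""
    if KEY_MARKER.search(data):
        return "plain"
    for run in B64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(re.sub(rb"\s+", b"", run.group(0)))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if KEY_MARKER.search(decoded):
            return "base64"
    return None

def scan_webroot(root, max_bytes=1_000_000):
    """Return sorted (relative path, encoding) pairs for files under root exposing a key."""
    findings = []
    for path in pathlib.Path(root).rglob("*"):
        try:
            if path.is_file():
                kind = contains_private_key(path.read_bytes()[:max_bytes])
                if kind:
                    findings.append((path.relative_to(root).as_posix(), kind))
        except OSError:  # unreadable file: skip it rather than abort the scan
            continue
    return sorted(findings)

def demo():
    """Scan a constructed web root; the key body is a placeholder, not real key material."""
    fake_key = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + b"QUJDRA==\n" * 3
                + b"-----END OPENSSH PRIVATE KEY-----\n")
    files = {"secret.txt": base64.encodebytes(fake_key),  # base64-wrapped, as described above
             "robots.txt": b"User-agent: *\nDisallow: /secret.txt\n",
             "id_rsa.bak": fake_key}  # hypothetical second file, key left in plain PEM
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            pathlib.Path(root, name).write_bytes(body)
        return scan_webroot(root)

if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{rel}: private key material ({kind})")
```

Pointing scan_webroot at the real document root in a deployment check turns any non-empty result into a failed build; the robots.txt entry is correctly ignored because it only names the file.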
Privilege Escalation
Running linpeas.sh, we see that the SUID bit is set on bash, but in a different location, so we will abuse it to escalate our privileges.
As we can see, we used the command to get root, and we got the flag.