This would be the 6th machine I’m doing for my OSCP Preparation and I gotta say it was pretty easy XD.
The first step is to find out what is our target machine’s IP address. We can do that by doing a host scan on our network.
sudo nmap -sn 192.168.110.0/24 -oN nmap_discovery
192.168.110.133 is our attacker machine’s IP address, we can identify that
192.168.110.144 is our target. Once our target has been identified, we can now perform port scanning on our target with the following:
sudo nmap -sC -sV -Pn -p- 192.168.110.144-oN nmap_port_scan
-sC: Load default nmap scripts
-sV: Version scan
-Pn: Assume all hosts are up
-p-: Scans for all 65535 ports
-oN: Outputs file in normal format
The results of the port scan reveal that these services are being hosted on the target:
- a Web Server
- a second Web Server
With a web server available, directory brute forcing would be our next step. I used
gobuster to get the directories on the web server
gobuster dir -u http://192.168.110.144 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.html,.js,.css,.txt -t 100 -o directory_brute
dir : Uses
gobuster for directory brute forcing
-u : The target’s URL
-w : The wordlist used to enumerate the web server’s directories
-x : Extensions added to the end of every word within the wordlist
-t : Threads used
-o : The output file
For whatever reason, I could not enumerate the first web server so I moved on to the second web server.
From that, we got some interesting directories!
These directories caught my eye:
shell revealed nothing of use and I was too lazy to enumerate WordPress so I moved on to the
debug directory. Right there I found a debug shell (hence the directory name lol)
Having a shell here means we have remote code execution.
Now that we have remote code execution (RCE), let’s find a reverse shell on PayloadsAllTheThings and let’s listen on port
nc -lvnp 4444
OpenBSD netcatreverse shell seems to work!
Let’s upgrade our shell to make it more interactive with
python -c 'import pty;pty.spawn("/bin/bash")'
With our current user, let’s see whether we have
sudo capabilities with:
It seems that we can launch
/bin/bash as the user
brexit. Using the following command allows us to interact with the target through the user
sudo -u brexit /bin/bash
From there, we can access the home directory of
brexit and get the user flag.
From here we can use
linpeas.sh to automate the enumeration of the target to find privilege escalation vectors. First, I’ll setup a python server on my host on port 80:
python -m http.server 80
Then retrieve it from the victim with
wget in a writable directory
chmod +x linpeas.sh
linpeas.sh found that
/etc/passwd is writable!
/etc/passwd is writable, we can add a new root user into that file with our own password and log into it! So let’s generate our new password with
Then, edit the root entry to this
With that, append the entry to the target’s
Finally, switch to the user you have set and get the root flag!
In summary, this challenge is REALLY simple and it reminds me to do proper enumeration of the system as the target might not have only one instance of the service available. If you didn’t perform a proper enumeration then you might get a MISDIRECTION! XD