Offensive-S3c: OnSystemShellDredd - OffSec PG

Updated: May 14

<Introduction>


In this blog post, I document my walkthrough of the OffSec PG OnSystemShellDredd vulnerable host, covering the steps I took from reconnaissance through post-exploitation. This includes port scanning, service enumeration, web fuzzing, OS command injection, and privilege escalation.


If you find this content informative and you are interested in cybersecurity, please like and subscribe to the Cyb3r-0verwatch channel. Also, for more free content, please regularly check back on Cyb3r-S3c.

 



<OVERVIEW>


OnSystemShellDredd is a vulnerable host created to allow users to practice ethical hacking techniques. This virtual machine is accessible from the OffSec Proving Grounds virtual training lab.


If I were to evaluate OnSystemShellDredd as a real production host, it would be suffering from a variety of security misconfigurations rather than from exploitable vulnerable code. Many of the weaknesses in this host map directly onto the OWASP Top 10, such as Security Misconfiguration, Broken Access Control, and Identification and Authentication Failures.



<Enumerating What is Running>


I went ahead and started my target host OnSystemShellDredd. As shown in the image above, the target host had been assigned an IP address. The first thing I needed to do was perform information gathering, including port scans and service enumeration.


nmap -sS -A -T4 -p- -vv 192.168.171.130 -oA /home/kali/Downloads/nmapscan

For active information gathering I used nmap against the target host, running the command shown above. Since I was trying to figure out which ports were open, I scanned all 65,535 ports using the -p- switch, in case a service was listening on a non-standard port.



<Analyzing the Nmap Results>


When I looked at the nmap scan results I could see that nmap had detected two open ports: port 21 (FTP) and port 61000 (SSH).


As I analyzed the results of the nmap scan, going off previous experience I deduced that OnSystemShellDredd was a Linux host. This was also based on the vsftpd and SSH services running. Unfortunately, nmap was unable to detect the OS type. Since there was not much to work with yet, I focused on port 21 first.



<VSFTPD Recon>


The first thing I noticed, even before testing port 21, was that nmap had detected the service running as vsftpd v3.0.3. Nmap also noted that anonymous login was allowed.


ftp 192.168.171.130

I ran the command shown above.


When I ran the command I got the vsftpd v3.0.3 banner, which confirmed what nmap had detected.

I was prompted to enter a username, and I entered anonymous. I was prompted to enter a password, and I pressed enter. I got a 203 response indicating that the login was successful. Again, this confirmed nmap's finding that anonymous login was allowed.


At the prompt I typed “help” to get an idea of what commands were available.


I could see that there was an “ls” command, so I ran “ls -la” to see what was in the directory. After running the command, I noticed a hidden directory called .hannah. Any time you see a folder or file with a period in front of its name, that is usually an indication that it is hidden. In general, hidden files usually contain settings or data accessed by a program, and hidden folders usually contain files belonging to programs. Hidden folders and files are typically not intended to be modified by users, which is the reason they are normally hidden.


Since this was the only folder of interest, I changed directory to the .hannah folder. I got a 250 response telling me I had successfully changed directories.

When I did an “ls -la” I could see an “id_rsa” file. Based on this, it looked as if this hidden folder was used to hold hannah's SSH private key. id_rsa is the default name of the private key generated by the ssh-keygen command.



<Data Exfiltration>


Since id_rsa is used to authenticate, I downloaded the file to see if I could use it to log in to the target host. Based on the information gathered so far, I guessed that the username was hannah. I ran the get command to download the id_rsa file to Kali, as shown in the image above. The transfer completed successfully, which allowed me to review the file.


I exited out of the ftp server and ran the ls command. The output showed that the id_rsa file was downloaded successfully.


To verify that I had actually downloaded the file's contents, I ran the cat command shown in the image above. As can be seen, it showed the private key.


ssh -i id_rsa hannah@192.168.171.130 -p 61000

I ran the command shown above. The -i stands for “identity file”, and this is how I pointed ssh at the id_rsa file. Then I added the username at the target IP and, finally, -p 61000 for the port number to complete the command.


When I hit enter, I got a promising output. I was prompted “Are you sure you want to continue connecting (yes/no/fingerprint)”. I entered “yes”, and after it finished processing it dropped me at the target host's CLI prompt.



<Capture the Flag>


Now that I was logged in as hannah, I ran ls -la to enumerate the directory I had dropped into. From the output I could see the local.txt file.


When I ran cat on the local.txt file I got the first flag.


I submitted the local.txt hash in the Offsec PG console.



<Host Enumeration>


I changed the directory to the /tmp folder in order to upload linpeas.sh to the target host.


python -m http.server 8080

On Kali, I started a Python HTTP server with the command shown above.


After starting my HTTP server, I transferred linpeas over. I already had linpeas in my Downloads folder. I ran the command shown in the image above.


Once I hit enter, it did not take long for linpeas to download successfully.


Now that linpeas was uploaded to the target host, I ran ls -la and could see that linpeas was not executable.


chmod 777 linpeas.sh

I needed to run the chmod command to make linpeas executable. I ran the command shown above.


Now that linpeas was executable, I ran the command shown in the image above. Very quickly linpeas detected some programs with the SUID bit set that could possibly be used for privilege escalation.


Now that I had that information, I reviewed GTFOBins to see which SUID commands were available. In general, GTFOBins contains a list of Unix binaries that can be abused to bypass local security restrictions on misconfigured hosts. As noted on the page, these are not exploits.


I searched for cpulimit and found its SUID entry. As shown in the image above, GTFOBins provides shell, SUID, and sudo options along with a brief description of their use.



<Privilege Escalation>


I ran the command shown in the image above. The -l set the CPU limit to 100. The -f ran the program in the foreground. The -- told cpulimit that the remaining arguments were the program to run, in this case /bin/bash. The -p told /bin/bash to run without resetting the effective user ID.


Sure enough, the command worked and I got root. I ran the whoami command to verify that I was root.
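As an added defender-side check, not part of the original walkthrough, the bash helpers below audit a host for the three misconfigurations chained above: anonymous vsftpd logins, a private key reachable through the FTP tree (the hidden .hannah/id_rsa), and a SUID binary on a watchlist such as cpulimit. The config path, FTP root and binary directory are parameters, and the default paths in audit_host are assumptions.

```bash
#!/usr/bin/env bash
# Defender-side audit helpers for the misconfigurations chained in this
# walkthrough. Added for this post; the config path, FTP root and binary
# directory are parameters so the checks can run against a sample tree.

# Exit 0 if the vsftpd config enables anonymous logins (the setting nmap
# reported on port 21); comment lines and surrounding whitespace are ignored.
vsftpd_anon_enabled() {
  local conf="$1"
  grep -Ei '^[[:space:]]*anonymous_enable[[:space:]]*=[[:space:]]*yes[[:space:]]*$' \
    "$conf" >/dev/null
}

# Print private-key files reachable under an FTP root, hidden directories
# included, matching both a key-like file name and the PEM "PRIVATE KEY" header.
find_private_keys() {
  local root="$1"
  find "$root" -type f \( -name 'id_*' -o -name '*.pem' -o -name '*.key' \) \
    -exec grep -l 'PRIVATE KEY' {} + 2>/dev/null | sort
}

# Print SUID files under a directory whose basename is on a watchlist
# (e.g. binaries with a GTFOBins SUID entry, such as cpulimit).
suid_watchlist_hits() {
  local dir="$1"; shift
  local f b w
  find "$dir" -type f -perm -4000 2>/dev/null | sort | while read -r f; do
    b=$(basename "$f")
    for w in "$@"; do
      if [ "$b" = "$w" ]; then echo "$f"; fi
    done
  done
}

# Run all three checks; default paths are assumptions for a Debian-style host.
audit_host() {
  local conf="${1:-/etc/vsftpd.conf}" ftproot="${2:-/srv/ftp}" bindir="${3:-/usr/bin}"
  if vsftpd_anon_enabled "$conf"; then echo "FINDING: anonymous FTP enabled in $conf"; fi
  find_private_keys "$ftproot" | sed 's/^/FINDING: private key in FTP tree: /'
  suid_watchlist_hits "$bindir" cpulimit | sed 's/^/FINDING: SUID watchlist binary: /'
}
```

Run `audit_host /etc/vsftpd.conf /srv/ftp /usr/bin` as root on the host under review; each check can also be called on its own against a copied config or tree.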



<Capture the Flag - Part Deux>


Now that I was root, I navigated to the /root home folder and did an ls -la to enumerate the directory.


After doing an ls -la I could see the proof.txt containing the root flag. I ran cat on the file to retrieve the hash.


I submitted the root flag and completed this host.



<Conclusion>


In conclusion, using a variety of techniques I was able to go from reconnaissance to gaining root privileges on the target host. Performing these steps allowed me to gather the information I needed to gain a foothold on the target host through the SSH private key discovered on the FTP server. After gaining access, further enumeration allowed me to find a workable escalation path to root by abusing the SUID bit, and with it the final flag.


Thank you for reading this post on the OffSec Proving Grounds OnSystemShellDredd vulnerable machine. If you find this content informative and you are interested in cybersecurity, please regularly check back on the Cyb3r-S3c website. For more free content, please like and subscribe to the Cyb3r-0verwatch channel. Until next time keep learning, the only way to improve is to keep learning.



/Signing Off,

Pragmat1c_0n3
