offsec

Pwned1 OffSec Walkthrough

INFOXIDE
4 Min Read
Pwned1 OffSec Walkthrough

Pwned1 OffSec Walkthrough: Today we are going to solve another boot2root challenge called “Pwned1”. It’s available at Vulnhub and OffSec Play for penetration testing. This is an easy level lab. Let’s get started and learn how to successfully break it down.

Contents
Penetration Testing MethodologyWalkthroughEnumerationExploiting (user “Ariana”)Privilege Escalation (user “Selena”)Privilege Escalation (root)

Level: Easy

Since these labs are available on the Vulnhub website so we will download the lab file from here.

Penetration Testing Methodology

Recognition

  • Netdiscover
  • Nmap

Enumeration

  • Gobuster

Exploiting

  • Obtaining SSH private key backup

Privilege Escalation

  • Abuse of sysadmin script.
  • Abuse of Docker Group privileges
  • Capture the flag

Walkthrough

Recognition

As always, we identify the host’s IP with the “Netdiscover” tool:

netdiscover
netdiscover

Now start by listing all the TCP ports with the help of Nmap.

nmap –sV -sC -P- 192.168.10.192
nmap scan

To work more comfortably, I’ll put the IP address in /etc/hosts.

etc hosts file

Enumeration

Now, we have entered the web service and found information about the hacker “Annlynn” in the body and commented lines of the source code.

hidden msg

We have used Gobuster with a medium directory dictionary, indicating the typical extensions.

gobuster

We will access the directory “/hidden_text” and will find a file named as “secret.dic“, this contains a directory listing.  

After checking with Gobuster, we saw that only the directory “/pwned.vuln” is available.

hidden_secret file

Exploiting (user “Ariana”)

We found an administration panel exposed, after trying the typical passwords to try to access and not succeed, we went to check the source code and found that there is a condition in PHP with some credentials. The user already gave us the clue for which service to use (FTP).

pwned vuln

We connect to the FTP service with the obtained credentials, we find an SSH private key for the user “Ariana” and a note.

ftp

Now we have changed the permissions to the file “id_rsa” and connect through SSH with the user “Ariana“. Once inside, we can read the first flag.

id_rsa

Privilege Escalation (user “Selena”)

We execute the command “sudo -l“, evidencing that we are able to execute a script called “messenger.sh” as the user “selena”. If we check the code, we can verify that it executes the information in “$msg 2> /dev/null“. Given this, we could insert a “/bin/bash” so that it raises a shell with the user we have previously indicated in the script.

sudo -l

We start the script…

We indicate the user “selena“, type “/bin/bash”… That’s right! We have obtained a shell with this user, we read the 2nd flag.

selena user

Privilege Escalation (root)

We type “id” and list that we belong to the group “Docker“, then we check the docker images that we have available and execute the command that will allow us to escalate privileges with a shell as root.  

Finally, we will read the flag.

docker run -v /:/mnt --rm -it privesc chroot /mnt sh
root flag

Finally this Lab Solve So See you on next lab 😉

Also Read | BTRSys2.1 OffSec Walkthrough

TAGGED:
Share This Article
Previous Article BTRSys2.1 OffSec Walkthrough BTRSys2.1 OffSec Walkthrough
Next Article DC4 OffSec Walkthrough DC4 OffSec Walkthrough
Infoxide Security Live Hacking Workshop
Infoxide Security Certifications
infoxide Security telegram channel

Trending News🔥