OSCP Walkthrough: VulnHub

Today we will be looking at a machine that has been hosted on quite a few different sites, OSCP. This is an easier / beginner friendly machine.

Hopping right in we start off with an NMAP scan. We can see that port 22 SSH, port 80 HTTP and lastly 33060 which on this box is MySQL.

Looking more deeply into port 80 we see the following:

Lets take a closer look at robots.txt

Looks like they don’t want us to know about a secret.txt.

Above we can see something that is in base64, it seems like it will most likely be a private SSH key.

Lets copy it, decode it and see what it is all about:

Now we can copy what we have de-encoded into a text file, use your favorite text editor and copy and paste the output.

We do not know a user name yet, we can take a guess and just say it is OSCP and see if we can get anywhere with that, also notice I did a chmod 600 on the id_rsa file, this is because we cannot have too many permissions on the file or we will be asked for a password / passphrase:

I always like to do a quick SUID lookup whenever I first get into a user, and also a sudo -l, you never know what you will find. SUID bits shows us that we can run /usr/bin/bash. Let’s head over to GTFO bins and see what we can do with that and if we can escalate privs or not. To run a SUID lookup we can use the following command:

find / -perm -u=s -type f 2>/dev/null

Heading over to GTFO bins we see that we can escalate privs if bash has a SUID bit set https://gtfobins.github.io/gtfobins/bash/#suid:

We are now in the root group, we can head over to the root folder and read flag.txt

Hopefully you enjoyed this walkthrough and thanks for reading.