Happy New Year!
I had some time after the holidays to work on a box in the Offensive Security Proving Grounds, which costs about $20 per month and gives you your own lab to practice in. They provide a VPN to access the machines; it took me a minute to figure out that in order to use your own Kali machine, you have to connect to the VPN first.
Once you're connected, you can start a machine and get to hacking. The style is similar to HackTheBox, except most boxes already have write-ups attached if you get stuck. I do like it, and it is affordable. Keep in mind that all the machines except two are on VulnHub, so if you can't afford the lab, you can still practice on the machines in your own homelab. I've actually downloaded all the machines; they take about 70 GB of space, but I have a 4 TB drive on my desk, so I'm good.
The box I decided to work on was one of the boxes not available on VulnHub, Shakabrah. The machine is rated Easy by Offsec and Intermediate by the community. I found the box to be rather easy, and I spent a bit of time messing around :)
To start, I always write down my Kali IP once connected to the VPN, followed by the target machine IP. If you can't find the target machine IP in another scenario, you can use Netdiscover, a handy little tool.
From there I usually start with an nmap scan to see what's open on the target machine. I usually go with the same command, depending on the box.
sudo nmap -Pn -sS -A 192.168.133.86
Ports 22/tcp and 80/tcp were open.
From there I checked the site in a browser and found the box had an input field that would take an address to ping.
The web page contains a Connection Tester that takes an IP address as its input parameter and pings it.
So I started testing what I could do.
After playing around for a short while and enumerating the box a bit through the command output, I checked whether I could access the local user's home directory, and I could, so I just grabbed the user flag from there.
192.168.49.133 && cd ../../../home/dylan && cat local.txt
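The injection above works because the tester glues the field straight into a shell command line. This added example (not code from the Shakabrah box or from OffSec) shows that pattern beside a hardened version that validates the field as an IP address and passes it to ping as a single argument without a shell; the payload string is taken from the write-up and embedded as constructed sample input.

```python
import ipaddress
import subprocess

# Constructed sample input: the payload from the write-up, as typed into the field.
INJECTED_INPUT = "192.168.49.133 && cd ../../../home/dylan && cat local.txt"


def naive_command_line(host: str) -> str:
    """Return the string a naive tester would hand to os.system() or shell=True.

    Nothing is executed here; the return value shows that everything after the
    first '&&' becomes a second command for the shell to run."""
    return "ping -c 1 " + host


def build_safe_command(host: str) -> list[str]:
    """Validate the field as a literal IPv4/IPv6 address and return an argv list.

    Passing a list to subprocess with shell=False means the target is one
    argument to ping and is never parsed by a shell, and the ipaddress check
    rejects anything that is not a bare address (no hostnames, no operators)."""
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError as exc:
        raise ValueError(f"rejected connection-tester input: {host!r}") from exc
    return ["ping", "-c", "1", str(addr)]


def run_safe_ping(host: str) -> int:
    """Run the validated ping and return its exit status (0 means a reply)."""
    argv = build_safe_command(host)
    return subprocess.run(argv, capture_output=True, timeout=10).returncode


if __name__ == "__main__":
    print("naive shell line :", naive_command_line(INJECTED_INPUT))
    try:
        build_safe_command(INJECTED_INPUT)
    except ValueError as err:
        print("hardened tester  :", err)
    print("hardened argv    :", build_safe_command("192.168.49.133"))
```

On the server side, the rejected ValueError is also the event worth logging: a connection tester that sees shell operators in its IP field is being probed.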
Next I checked whether python3 was installed on the box. It was, so let's get a shell. I actually tried a few other reverse shells before realizing the python3 reverse shell was the way to go.
Getting a shell with python3
I used one from PentestMonkey.
Now that I had a shell on the box, I upgraded my shell with
python3 -c 'import os; os.system("/bin/bash")'
Then I checked for SUID binaries:
find / -perm -4000 -type f 2>/dev/null
and I found vim.basic, so I checked GTFOBins for vim.
vim was one of the results.
Next I played around a bit with a few options, then settled on:
vim.basic -c ':py3 import os;os.setuid(0);os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
Popped myself a root shell after hitting enter a bunch of times, then grabbed the root flag.
cat proof.txt
985e5307flag
Nice box, first box I've rooted in over 6 months, maybe a year lol, IDK. I just wanted to have some fun while my son was sleeping; I started the box around 1:30am and finished around 3:30am. I'm going to try and get back into the swing of things.
I have to try and stay on my journey to the OSCP. Not that I need it, but one day I'd like to get it, just for my own clout. For the time being, I can't afford it, so I'll have to just keep popping boxes in my free time.
Thank you for reading. If you have any questions, please feel free to reach out to me on Twitter @ryd3v or on my Discord.