Objective

Employ enumeration and web enumeration techniques to identify vulnerabilities. Exploit SQL injection and LFI, then apply password cracking and brute-force attacks. Finally, use privilege escalation strategies and the abuse of sudo permissions to extend your access. This lab is designed to exercise your skills in vulnerability exploitation.

Enumeration

Nmap

An initial Nmap scan revealed that the HTTP port was open, while the SSH port appeared to be filtered.

00 - nmap output

WEB Enumeration

While enumerating the website, I discovered that the search.php endpoint was vulnerable to SQL injection. Leveraging this flaw, I was able to exploit the vulnerability and dump the entire database using SQLMap.

01 - search php

02 - sqlmap

03 - user passwords

04 - admin table

After logging in as the admin user, I encountered a ‘File does not exist’ error message on the web page. This hinted at the presence of a file inclusion mechanism. I tested this by sending a GET request with a file parameter, which turned out to be vulnerable to Local File Inclusion (LFI). Exploiting this, I was able to read sensitive files from the server, including /etc/passwd.

06 - logged in as admin

07 - LFI read passwd

Exploitation

Port Knocking

While researching further, I came across the concept of port knocking — a technique used to dynamically open network ports by sending a specific sequence of connection attempts. Suspecting it might be in use, I leveraged the LFI vulnerability to read the knockd.conf file. As expected, it contained the knock sequence required to open the filtered SSH port.

08 - port knocking knockd conf

09 - opening SSH port

10 - SSH Open

After successfully opening the SSH port using the port knocking sequence, I attempted to brute-force SSH access using the username and password pairs previously extracted via SQL injection. Out of the available credentials, three were valid, allowing me to log in and gain shell access to the system.

11 - brute force

Once inside the system, I discovered several files containing plaintext passwords or password hints. Using this information, I continued brute-forcing and eventually identified an additional set of valid credentials. After switching to this newly discovered user with su, I was able to access and capture the user flag.

12 - inside

13 - local flag

Privilege Escalation

With the new user, I discovered a sudo NOPASSWD permission on a custom binary named test, which reads a file and writes its content to an output. This gave me an opportunity to escalate privileges.

I crafted a malicious sudoers file granting NOPASSWD: ALL privileges, then used the vulnerable test command to overwrite the system’s /etc/sudoers file with my crafted version. With this in place, I could run any command as root without a password.

Finally, I executed sudo bash -p to spawn a root shell and fully compromise the system.

14 - sudo l

15 - new sudoers

16 - got the root
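A defender's audit for the sudo weakness described above, added here as an example (not code from the lab or the post): it parses a sudoers file and flags NOPASSWD rules that grant ALL or that point at a binary outside the standard system directories, such as a custom test binary. The sample sudoers, the usernames and the /opt/bin/test path are constructed placeholders.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Directories holding distro-packaged binaries; anything else is treated as custom.
STANDARD_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")

# Shape of a user specification: user host=(runas) TAG: cmd1, cmd2
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)

@dataclass
class Finding:
    user: str
    command: str
    reason: str

def audit_sudoers(text: str) -> list[Finding]:
    """Return one Finding per command entry that allows passwordless privilege."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        if "NOPASSWD" not in tags:
            continue  # a password prompt still stands between the user and root
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if cmd == "ALL":
                findings.append(Finding(m.group("user"), cmd, "NOPASSWD: ALL"))
            elif not cmd.split()[0].startswith(STANDARD_DIRS):
                findings.append(Finding(m.group("user"), cmd, "NOPASSWD on custom binary"))
    return findings

# Constructed sample sudoers; usernames and the /opt/bin/test path are placeholders.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(root) NOPASSWD: /opt/bin/test
bob     ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
carol   ALL=(ALL) NOPASSWD: ALL
"""
```

The path heuristic only catches custom binaries; a NOPASSWD rule on a packaged editor or pager still needs a manual allowlist review.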
