
This is my Five86:1 Vulnhub tutorial. My take on the box: it is the first of a series, which is great, because across several boxes you get to see the author's individual approach to building machines to hack.

The box is a great Linux privilege-escalation drill and a realistic scenario, the kind one could easily meet on the OSCP exam.

Here’s What You Need

  • Five86:1 – VirtualBox
  • Kali Linux VM – VirtualBox

Recon

Start with an nmap scan of the target. I found its address by sweeping the whole subnet and looking for hosts with interesting open ports.
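The sweep-then-filter step above, written out as shell functions. This is an added example, not part of the original write-up: the subnet 10.0.2.0/24 is an assumption (VirtualBox's default NAT range), the hosts in the sample scan output are constructed, and the wrappers only call nmap options that exist (-sn, -p-, -sV, -oG).

```shell
# Added example, not from the original write-up: the subnet sweep and port
# filter described above, written as shell functions. The subnet 10.0.2.0/24
# is an assumption (VirtualBox's default NAT network); substitute your lab's.
set -eu

# Ping sweep the lab subnet; grepable output (-oG -) is easy to post-process.
sweep_subnet() {          # sweep_subnet 10.0.2.0/24
    nmap -sn -oG - "$1"
}

# Full TCP port scan with service detection on one host.
scan_host() {             # scan_host 10.0.2.15
    nmap -p- -sV -oG - "$1"
}

# Read grepable nmap output on stdin and print "host port service" for every
# open port. In -oG format each host is one line of tab-separated fields; the
# Ports: field lists port/state/proto/owner/service/rpc/version entries
# separated by ", ".
open_ports() {
    awk -F'\t' '/^Host: / {
        split($1, h, " "); host = h[2]
        for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
            sub(/^Ports: /, "", $i)
            n = split($i, p, /, /)
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")
                if (f[2] == "open") print host, f[1], f[5]
            }
        }
    }'
}

# Keep only hosts exposing a given port, e.g. 80 for web enumeration.
hosts_with_port() {       # ... | hosts_with_port 80
    awk -v port="$1" '$2 == port { print $1 }'
}

# Constructed sample of -oG output (not a real scan of the box) so the
# filters can be exercised offline.
sample_gnmap() {
    printf 'Host: 10.0.2.1 ()\tStatus: Up\n'
    printf 'Host: 10.0.2.15 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1/, 80/open/tcp//http//Apache httpd/\tIgnored State: closed (65533)\n'
    printf 'Host: 10.0.2.20 ()\tPorts: 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (65534)\n'
}

# Against a live lab: sweep_subnet 10.0.2.0/24 | open_ports | hosts_with_port 80
```

Against the lab the pipeline is `sweep_subnet 10.0.2.0/24 | open_ports | hosts_with_port 80`, then `scan_host` on whatever comes back; the constructed `sample_gnmap` stands in for the live scan so the filters can be checked before you trust them.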

[Screenshot: scan results; take a look at /ona]

The next step is some web enumeration, as the target has TCP port 80 open.

This box makes web enumeration easy: there is a single given endpoint, /ona, so let's take a look.

[Screenshot: OpenNetAdmin at /ona; is it vulnerable?]

Exploit OpenNetAdmin v18.1.1

This version of OpenNetAdmin, 18.1.1, is vulnerable to remote code execution, and there is a Metasploit module for it (47772.rb from Exploit-DB), but it does not ship with the framework, so you must download it.

To make an external module available you copy it into a path Metasploit searches for modules (the framework tree under /usr/share/metasploit-framework/modules as below, or ~/.msf4/modules, which survives package upgrades) and then tell msfconsole to rebuild its module cache with reload_all. The msfdb commands only concern the PostgreSQL database behind search; they do not load modules, and msfdb reinit actually drops and recreates the existing database.

# In a Kali shell: start the database once so msfconsole's search cache works
service postgresql start
msfdb init

# Drop the downloaded module into the exploits tree. The path below
# modules/exploits/ becomes the module name, so this one is exploit/ona.
cp Downloads/47772.rb /usr/share/metasploit-framework/modules/exploits/ona.rb

# In msfconsole: rebuild the module cache, then the new module shows up
msf > reload_all
msf > search ona
msf > use exploit/ona

Run the exploit from Metasploit and get a Meterpreter shell back.

Once I have a shell, the first task is to upgrade it: import Python's pty (pseudo-terminal) module and use it to spawn bash attached to a proper TTY, which gives better control (line editing, job control, and programs such as su can prompt for a password).

python -c 'import pty;pty.spawn("/bin/bash")'

Linux Privilege Escalation

My current user is www-data, the account a web server process typically runs as.

The good news is that automated Linux enumeration scripts exist; one of them is LinEnum.sh, which I upload to the target and run from a writable directory (/tmp or /dev/shm are the usual choices). Making it executable (chmod +x) is all that is needed; 777, as in the screenshot, is habit rather than necessity.

[Screenshot: chmod 777 LinEnum.sh and run it]

The script's output shows a password hash in a .htpasswd file, the credential store Apache uses for HTTP basic authentication.

[Screenshot: the .htpasswd entry, with a hidden message about the password]

The message gives away the six characters the password is built from, and there is a tool for turning that into a wordlist: crunch generates every candidate string over those characters.

[Screenshot: crunch time, generating the wordlist]

John cracks the password quickly; I was actually surprised at how fast it was.
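To make the crunch-and-john step concrete offline, here is an added example (not the write-up's own commands) that does the same two things by hand: enumerate every string over a small alphabet, then re-hash each candidate with the salt from the .htpasswd entry and compare. It assumes the entry is an Apache MD5 hash ($apr1$, what htpasswd -m writes) and that openssl is installed; the alphabet, length, salt and password in the demo are constructed, not the box's.

```shell
# Added example, not from the original write-up. Reproduces the mechanics of
# the crunch + john step offline: generate every string over a small alphabet
# and test each against an Apache $apr1$ .htpasswd entry. Assumptions: the
# entry is apr1 (MD5-based) as produced by htpasswd -m, openssl is installed,
# and the alphabet/length/password in the demo are constructed, not the box's.
set -eu

# gen_candidates ALPHABET LENGTH [PREFIX]: every string of LENGTH chars over
# ALPHABET, one per line, in the same order crunch would emit them.
gen_candidates() {
    local alphabet="$1" length="$2" prefix="${3:-}" rest c
    if [ "$length" -eq 0 ]; then
        printf '%s\n' "$prefix"
        return 0
    fi
    rest="$alphabet"
    while [ -n "$rest" ]; do
        c="${rest%"${rest#?}"}"      # first character of rest
        rest="${rest#?}"             # rest without it
        gen_candidates "$alphabet" $((length - 1)) "$prefix$c"
    done
}

# make_htpasswd_entry USER PASSWORD SALT: what `htpasswd -m` would write.
make_htpasswd_entry() {
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 -salt "$3" "$2")"
}

# crack_htpasswd_entry 'user:$apr1$salt$hash' ALPHABET LENGTH
# Re-hash each candidate with the salt taken from the entry and compare.
# Prints the password and returns 0 on success; returns 1 when the whole
# candidate space is exhausted without a match.
crack_htpasswd_entry() {
    local entry="$1" alphabet="$2" length="$3" hash salt
    hash="${entry#*:}"                             # drop "user:"
    salt="$(printf '%s' "$hash" | cut -d'$' -f3)"  # $apr1$<salt>$<digest>
    gen_candidates "$alphabet" "$length" | {
        while IFS= read -r cand; do
            if [ "$(openssl passwd -apr1 -salt "$salt" "$cand")" = "$hash" ]; then
                printf '%s\n' "$cand"
                exit 0
            fi
        done
        exit 1
    }
}

# Constructed demo: run as `sh crack.sh demo`. Alphabet abc at length 3 is
# only 27 candidates; one openssl process per guess is fine for that, and
# john does the identical comparison millions of times per second.
if [ "${1:-}" = "demo" ]; then
    entry="$(make_htpasswd_entry douglas cab Xy7kLm2q)"
    printf 'target: %s\n' "$entry"
    crack_htpasswd_entry "$entry" abc 3
fi
```

The reason john finishes so fast is visible in the structure: the salt is public, so each guess costs one hash, and a six-character alphabet keeps the candidate space small enough to walk exhaustively.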

Now that I have douglas's password I switch to that user and begin my enumeration all over again.

The output of sudo -l for douglas shows that the user may run /bin/cp as the user jen, without a password.

There are several ways to use that, but let's abuse /bin/cp to log in to the target as jen: whatever cp writes while running as jen is owned by jen, so it can place a file of our choosing inside jen's home directory.

douglas@five86-1:/home$ sudo -l
Matching Defaults entries for douglas on five86-1:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User douglas may run the following commands on five86-1:
    (jen) NOPASSWD: /bin/cp

The first step is to create a new SSH keypair. Don't set a passphrase; just hit Enter twice.

[Screenshot: ssh-keygen creating the new keypair]

By default ssh-keygen stores the keypair in ~/.ssh (id_rsa and id_rsa.pub for an RSA key): the private key stays with you and is what ssh -i presents, while the public key is the half that goes into the target account's ~/.ssh/authorized_keys. That is where the sudo rule comes in: /bin/cp running as jen can write our public key into /home/jen/.ssh/authorized_keys, after which sshd accepts our private key for jen.

[Screenshot: logging in as jen; the banner says there is new mail]

Checking jen's new mail I find a cleartext password, given as the password of another user, moss.

[Screenshot: jen's mail, "Fire! Fire!", containing moss's password]

Now I log in as moss with that password. Further privilege-escalation enumeration shows that moss can run the SUID binary /home/moss/.games/upyourgame with sudo.

[Screenshot: running upyourgame as moss]

Does "up your game" mean "escalate to root"? Running the binary answers that.

There is the root flag and that wraps up the Five86 Vulnhub tutorial for the first of the series. I cover the next box in another post!
