On July 10th, the Infosec Prep Discord server announced it would be holding a giveaway for an OSCP voucher along with PWK access and 30 days of lab time. On July 17th, additional prizes were added, including vouchers for Tib3rius' Linux and Windows privilege escalation courses. And with a machine guarding entry to the giveaway, it wasn't going to be that simple. Except it actually was.
To enter the giveaway, you had to pwn root on a given VulnHub Linux machine, steal a flag file and submit it to a Discord bot. Courtesy of @0xFalconSpy and @JBl4nks, the machine was stunningly easy and fair to skids, provided they submitted the flag before July 7th. It was good practice and fun nonetheless.
As with any machine, this one started with an nmap scan.
I was surprised to find something this quickly; it went to show how nice and easy this box was, a welcome break from harder machines (or at least ones that are hard for me). The nmap -sC flag returned some interesting results: the default scripts picked up an entry in the robots.txt file that looked rather interesting. If you're not familiar with robots.txt (which I'm sure you are, but just in case), it is a file served from the root of a web server. It contains directives for web crawlers, including which user agents each rule applies to and Disallow entries (paths a crawler shouldn't index). It is always a good idea to check robots.txt, since it lists the directories the developer does not want appearing in search engines. If you want to try it out, go to https://elbee.xyz/robots.txt. There might not be anything too jaw-dropping in this case, but sometimes there is! Back to the task at hand: let's go to the web server and have a peek at /secret.txt.
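Since the post leans on reading robots.txt, here is a small parser for the format as an added example (it is not code from the original write-up, and the sample file it parses is constructed, not the contents of the box's robots.txt or of elbee.xyz). It groups Allow/Disallow rules by user agent and returns the Disallow paths, which are exactly the entries a reviewer of their own site should look at: hiding a path from search engines is not the same as protecting it.

```python
# Added example: a small robots.txt parser (not part of the original write-up).
# SAMPLE_ROBOTS is a constructed file for illustration only.
from collections import OrderedDict

SAMPLE_ROBOTS = """\
# constructed sample robots.txt
User-agent: *
Disallow: /secret.txt
Disallow: /admin/

User-agent: Googlebot
Allow: /admin/public/
Disallow: /admin/
Sitemap: https://example.invalid/sitemap.xml
"""


def parse_robots(text):
    """Parse robots.txt into ({user_agent: {"allow": [...], "disallow": [...]}}, [sitemaps]).

    Records are one or more User-agent lines followed by Allow/Disallow rules;
    '#' starts a comment; a blank line ends the current record.
    """
    groups = OrderedDict()
    sitemaps = []
    current_agents = []
    expecting_agent = True  # consecutive User-agent lines share one record
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            current_agents = []
            expecting_agent = True
            continue
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        field = field.strip().lower()
        value = value.strip()
        if field == "user-agent":
            if not expecting_agent:
                # a User-agent line after rules starts a new record
                current_agents = []
                expecting_agent = True
            current_agents.append(value)
            groups.setdefault(value, {"allow": [], "disallow": []})
        elif field in ("allow", "disallow"):
            expecting_agent = False
            if value:  # an empty "Disallow:" means nothing is disallowed
                for agent in current_agents:
                    groups[agent][field].append(value)
        elif field == "sitemap":
            sitemaps.append(value)
    return groups, sitemaps


def disallowed_paths(text):
    """Sorted, de-duplicated list of every path some crawler is told to skip."""
    groups, _ = parse_robots(text)
    paths = set()
    for rules in groups.values():
        paths.update(rules["disallow"])
    return sorted(paths)


if __name__ == "__main__":
    for path in disallowed_paths(SAMPLE_ROBOTS):
        print(path)
```

Run it against a real file by replacing SAMPLE_ROBOTS with the fetched text; the comment stripping on "#" is deliberately simple and would truncate a URL containing a fragment.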
Very interesting... here we see a base64-encoded file. If you couldn't tell that just by looking at it, that's OK; it comes with time. Let's save the file and decode it.
Bingo! It is an SSH key. We know OpenSSH is running from our earlier scan. We can use this key to authenticate via ssh and gain a shell! Let's try it out.
Hmm, SSH rejects the key file because its permissions are wrong. Let's change them using the chmod command (https://en.wikipedia.org/wiki/Chmod).
Now let's try again.
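The three steps above (decode the blob, recognise it as a key, fix the file mode before SSH will accept it) as one added example, not code from the original write-up. The base64 input is a constructed placeholder wrapped in PEM headers, not a real key; the permission check mirrors OpenSSH's rule that a private key with any group or other bits set is refused.

```python
# Added example (not from the original write-up): decode a base64 blob,
# recognise a PEM private key, and save it with the 0600 mode OpenSSH requires.
import base64
import binascii
import os
import stat
import tempfile

# Constructed stand-in for /secret.txt: base64 of a PEM-looking placeholder.
# It is NOT a real key and will not authenticate anywhere.
FAKE_KEY_PEM = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "cGxhY2Vob2xkZXIga2V5IG1hdGVyaWFsIC0gbm90IGEgcmVhbCBrZXk=\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)
SECRET_TXT = base64.b64encode(FAKE_KEY_PEM.encode()).decode()

PEM_HEADERS = (
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
    "-----BEGIN PRIVATE KEY-----",
)


def decode_base64(blob):
    """Decode base64 text, ignoring line breaks; raise ValueError if it is not base64."""
    compact = "".join(blob.split())
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError("not valid base64") from exc


def looks_like_private_key(data):
    """True if the decoded bytes begin with a known PEM private-key header."""
    text = data.decode("ascii", errors="replace").lstrip()
    return any(text.startswith(h) for h in PEM_HEADERS)


def permissions_too_open(mode):
    """OpenSSH refuses a private key readable or writable by group/others
    (any of the 0o077 bits), reporting that permissions are too open."""
    return (mode & 0o077) != 0


def save_private_key(data, path):
    """Create the file as 0600 from the start (no world-readable window) and
    return the resulting permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o600)  # in case an existing file already had wider bits
    return stat.S_IMODE(os.stat(path).st_mode)


def stage_key_from_blob(blob):
    """End to end: decode, confirm it is a PEM key, write it 0600 into a fresh
    temp dir. Returns (path, mode)."""
    data = decode_base64(blob)
    if not looks_like_private_key(data):
        raise ValueError("decoded data is not a PEM private key")
    path = os.path.join(tempfile.mkdtemp(), "id_rsa")
    return path, save_private_key(data, path)


if __name__ == "__main__":
    path, mode = stage_key_from_blob(SECRET_TXT)
    print("saved %s with mode %o (too open: %s)" % (path, mode, permissions_too_open(mode)))
```

Creating the file with the restrictive mode in the os.open call, rather than writing first and chmod-ing afterwards, is the detail that matters on a shared host: a key written with the default umask is briefly readable by every local user.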
It worked! We have a shell! However, we're still not root, so let's escalate. If you are unfamiliar with privesc, you can download my personal Linux privesc checklist from https://github.com/elbee-cyber/privesc-checklist/blob/master/privescCheckList. It seems we are able to use nano from this shell, so let's get LinEnum.sh onto the box and run it.
Lots of interesting stuff comes back, but two things in particular catch my eye. One is that bash has the SUID bit set, which means we can run the binary with the permissions of its owner (root). The other interesting find is membership of the lxd group. First, let's take a look at GTFOBins to see if there is a way to privesc using an SUID bash binary.
Well, that's easy. Let's go ahead and do just that.
We have root! But it's not over: there are three other unintended ways to privesc. Can you find them all? (Hint: remember the group?)
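Both findings that hand over root here, a root-owned SUID shell and membership of the lxd group, are things the box's owner could have caught with a routine audit. As an added example (not code from the write-up or from LinEnum), the script below walks a directory tree for SUID files and flags shells and interpreters among them, and parses /etc/group-style text for members of groups that are effectively root. The directory it scans and the group file it reads are constructed in the script; the lists of dangerous binaries and groups are my choices, not something the post specifies.

```python
# Added example (not from the original write-up): a defender-side audit for
# SUID shells and root-equivalent group membership, run on constructed data.
import os
import stat
import tempfile

# Interpreters that should never carry the SUID bit on a hardened host (my list).
SUID_SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "python", "python3", "perl", "vim", "nano"}
# Groups whose members can typically reach root without a password (my list).
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "disk", "sudo", "wheel"}

# Constructed /etc/group excerpt mirroring the write-up's finding.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
lxd:x:108:user1
users:x:100:user1,user2
"""


def find_suid_files(root):
    """Walk `root` and return [(path, owner_uid)] for each regular file with SUID set."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return hits


def suspicious_suid(hits):
    """Keep only SUID files whose name is a shell or interpreter: these run
    arbitrary commands as the file's owner, which is what made SUID bash fatal."""
    return [p for p, _ in hits if os.path.basename(p) in SUID_SHELLS]


def parse_group_file(text):
    """Parse 'name:x:gid:member1,member2' lines into {name: [members]}."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        groups[parts[0]] = [m for m in parts[3].split(",") if m]
    return groups


def risky_memberships(group_text):
    """Return {user: [groups]} for every user in a root-equivalent group."""
    out = {}
    for name, members in parse_group_file(group_text).items():
        if name in ROOT_EQUIVALENT_GROUPS:
            for user in members:
                out.setdefault(user, []).append(name)
    return out


def build_demo_tree():
    """Throwaway directory with one SUID 'bash' and one ordinary file. Setting
    SUID on your own file needs no privileges; it is only dangerous when root owns it."""
    d = tempfile.mkdtemp()
    suid_bash = os.path.join(d, "bash")
    plain = os.path.join(d, "notes.txt")
    for p in (suid_bash, plain):
        with open(p, "w") as fh:
            fh.write("demo\n")
    os.chmod(suid_bash, 0o4755)  # chmod after writing: a write clears SUID
    os.chmod(plain, 0o644)
    return d


def audit_demo():
    """Run both checks on the constructed data; returns (suid shell names, risky users)."""
    tree = build_demo_tree()
    shells = [os.path.basename(p) for p in suspicious_suid(find_suid_files(tree))]
    return shells, risky_memberships(SAMPLE_GROUP)


if __name__ == "__main__":
    shells, users = audit_demo()
    print("SUID shells found:", shells)
    print("users in root-equivalent groups:", users)
```

On a real host, point find_suid_files at "/" and feed risky_memberships the contents of /etc/group; anything it reports should either have a documented reason to exist or be removed, since each entry is a one-step path to root for whoever holds it.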