Today we will work on OSCP, an easy-rated box from Vulnhub.com. First, we scan with nmap.
We notice a few interesting things from our scans. First, it appears we have a WordPress website. Robots.txt and secret.txt will be good pages to check. We also see MySQL, which makes sense for WordPress. Next, we browse the site.
The site mentions that user “oscp” is the only user on the box. This is also great info. Moving on to secret.txt, it looks like we have base64 encoding. We save the file to our machine and decode it.
Sweet, now we have a user and potentially their ssh private key! Let’s try logging on with ssh. Save that private key to a file and set the permissions to 600. I called my file oscp-user.
Now that we have a shell, we start looking into privesc. My initial checklist didn’t yield anything interesting, so I ran my favorite privesc script, linpeas.sh. What is your favorite? Or do you do your privesc checks manually? After some dead ends, linpeas showed me in highlighted yellow that the SUID bit was set on the /usr/bin/bash binary, which should let us launch a shell with root privileges. As always with SUID files, consult https://gtfobins.github.io/ for the privesc instructions.
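The same finding is easy to catch from the admin side. Here is an added example (my own, not code from the original post, from linpeas or from GTFOBins): a small POSIX sh script that lists every SUID file under a directory and flags the ones whose name is a shell or interpreter, which is exactly the misconfiguration on this box. The function names (`audit_suid`, `is_risky_name`, `make_fixture`) and the hand-picked `RISKY_NAMES` list are my assumptions for the example; on a real host you would run `audit_suid /` as root and treat any `RISK` line as a finding.

```shell
#!/bin/sh
# Added example (not from the original post): audit a tree for SUID files and
# flag shells/interpreters, the misconfiguration behind the /usr/bin/bash
# privesc on the box. Real use: run as root with  audit_suid /

# Hand-picked names that should essentially never carry the SUID bit
# (an assumption for this example, not GTFOBins' own list).
RISKY_NAMES="bash sh dash zsh ksh python python3 perl ruby vim vi find env"

# is_risky_name PATH -> exit 0 if the basename is in RISKY_NAMES
is_risky_name() {
    name=$(basename "$1")
    for n in $RISKY_NAMES; do
        [ "$name" = "$n" ] && return 0
    done
    return 1
}

# audit_suid ROOT -> one line per SUID regular file: "RISK path" or "INFO path"
# -xdev keeps the walk on one filesystem; sort makes the output stable.
audit_suid() {
    root=${1:-/}
    find "$root" -xdev -type f -perm -4000 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r path; do
        if is_risky_name "$path"; then
            printf 'RISK %s\n' "$path"
        else
            printf 'INFO %s\n' "$path"
        fi
    done
}

# count_risky ROOT -> number of RISK lines as a plain number
count_risky() {
    audit_suid "$1" | awk '/^RISK /{n++} END{print n+0}'
}

# make_fixture -> prints the path of a constructed tree that mimics the box:
# a SUID bash (bad), a SUID passwd (normal), and a plain ls (not SUID).
# Setting the bit on your own files needs no privileges, so this runs anywhere.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin"
    for f in bash passwd ls; do : > "$d/usr/bin/$f"; done
    chmod 4755 "$d/usr/bin/bash" "$d/usr/bin/passwd"
    chmod 0755 "$d/usr/bin/ls"
    printf '%s\n' "$d"
}

# Demo on the constructed tree; prints one RISK line (bash) and one INFO line (passwd).
fixture=$(make_fixture)
audit_suid "$fixture"
rm -rf "$fixture"
```

The `INFO` lines are the normal SUID set (`passwd`, `sudo`, `mount` and friends) that you compare against a known-good baseline; a `RISK` line for anything in the shell/interpreter list means any local user can become root, and the fix is simply `chmod u-s` on that file plus finding out who set it.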
We got the root flag! Thanks for reading!