Tre — Offensive Security Machine Complete Write-up

OSCP Type intermediate machine

This is one of the official machine from Offensive Security Proving Grounds

So starting of by exporting IP as environment variable and starting out with scanning services and open ports and found

Target IP: 192.168.100.133

Okay, so we got SSH and two HTTP services running and After hoping over to port 80 and found nothing uncommon.

So the wfuzz useful results are shown:

wfuzz -c -z file,/opt/Seclists/big.txt — hc 404 $URL

Using admin:admin as a default creds was able to hop over to $URL/mantisbt

After bruteforcing $URL/mantisbt directory with wfuzz, we got

After reaching to $URL/config/a.txt. BOOM!! we got database creds, using this creds in http://192.168.100.133/adminer.php and yes! it was a successful login

Using SQL command select * from mantis_user_table; and WOW! we got credentials

So I tried with tre creds for ssh and was a correct login!!

Now all I need is to escalate my privileges to gain root access, After recon in the target machine

I checked /usr/bin/check-system permission and then it was good to go

In a new terminal, I used OpenSSL to make a new salted combined username and password in MD5 algorithm as shown

And clearly we are root!!!!

That’s all for now!!!

Until Next time,

Stay Blink Blink

— — — — — — — — — — — — — — —

For any query please reach me out below:

Linkedin: https://www.linkedin.com/in/user-neeleshpatel/

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Neelesh Patel

Neelesh Patel

Cybersecurity | CTFs | Networking |