Tre — Offensive Security Machine Complete Write-up

Neelesh Patel
3 min readOct 11, 2021

--

OSCP Type intermediate machine

This is one of the official machine from Offensive Security Proving Grounds

So starting of by exporting IP as environment variable and starting out with scanning services and open ports and found

Target IP: 192.168.100.133

Okay, so we got SSH and two HTTP services running and After hoping over to port 80 and found nothing uncommon.

So the wfuzz useful results are shown:

wfuzz -c -z file,/opt/Seclists/big.txt — hc 404 $URL

Using admin:admin as a default creds was able to hop over to $URL/mantisbt

After bruteforcing $URL/mantisbt directory with wfuzz, we got

After reaching to $URL/config/a.txt. BOOM!! we got database creds, using this creds in http://192.168.100.133/adminer.php and yes! it was a successful login

Using SQL command select * from mantis_user_table; and WOW! we got credentials

So I tried with tre creds for ssh and was a correct login!!

Now all I need is to escalate my privileges to gain root access, After recon in the target machine

I checked /usr/bin/check-system permission and then it was good to go

In a new terminal, I used OpenSSL to make a new salted combined username and password in MD5 algorithm as shown

And clearly we are root!!!!

That’s all for now!!!

Until Next time,

Stay Blink Blink

— — — — — — — — — — — — — — —

For any query please reach me out below:

Linkedin: https://www.linkedin.com/in/user-neeleshpatel/

--

--

Neelesh Patel
Neelesh Patel

Written by Neelesh Patel

All I need is just my ten fingers and sometimes {coffee}, to talk to computers.