OSCP Journey: Exploiting Scinfowars.com/esc

Hey guys! Today, let's dive into a thrilling part of my OSCP (Offensive Security Certified Professional) journey. I'm going to walk you through my experience of exploiting a specific machine: www.scinfowars.com/esc. This box was a fantastic learning opportunity, and I'm excited to share my methodology, the challenges I faced, and, of course, the solutions I discovered. So, buckle up and let's get started!

Reconnaissance: Gathering Initial Information

Reconnaissance is the most important phase of any penetration test or ethical hacking engagement. In this initial stage, the goal is to gather as much information as possible about the target. For www.scinfowars.com/esc, I started with the basics:

• Nmap Scanning: Nmap is your best friend. I used it to identify open ports, running services, and operating system details. A basic scan like nmap -sV -sC -p- www.scinfowars.com provides a wealth of information.
  • -sV: Attempts to determine the version of the service running on each open port.
  • -sC: Runs a set of default scripts to gather more information about the services.
  • -p-: Scans all 65535 ports.

This initial scan helped me identify a web server running on port 80. I also noted any other open ports, as they could be potential entry points.

• Web Enumeration: Since a web server was running, my next step was to enumerate the web application. This included:
  • Directory Bruteforcing: Tools like gobuster or dirbuster are invaluable for discovering hidden directories and files. I ran gobuster dir -u http://www.scinfowars.com/esc -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt to identify interesting directories.
  • Manual Exploration: Browsing the website, checking the source code, and looking for any clues or comments that might reveal sensitive information. This is where your intuition and experience come into play!

Diving Deeper into Web Enumeration

Web enumeration for www.scinfowars.com/esc was particularly interesting. The gobuster scan revealed a few directories that seemed promising. I found an administration panel that looked intriguing. The key here is not to just find the directories but to analyze what each directory contains and how it functions. For instance, does the admin panel have any login forms? Are there any publicly accessible files that might contain configuration details or credentials? I spent a significant amount of time navigating the site, looking at every nook and cranny. I carefully analyzed the HTML source code of each page, looking for comments, hidden fields, or any other potential leads. I also checked for any client-side vulnerabilities, such as cross-site scripting (XSS) vulnerabilities. All this information helped me form a better understanding of the application's structure and identify potential weaknesses.

Vulnerability Analysis: Finding the Weak Spots

With the information gathered during reconnaissance, it was time to analyze the target for potential vulnerabilities. This is where things get really interesting! Based on the open ports and services identified, as well as the web application enumeration, I looked for common vulnerabilities associated with those technologies.

• Web Application Vulnerabilities: Since a web server was in play, I focused on common web vulnerabilities such as:

  • SQL Injection: Testing input fields for SQL injection vulnerabilities using tools like sqlmap or manual testing.
  • Cross-Site Scripting (XSS): Looking for ways to inject malicious scripts into the website.
  • Remote File Inclusion (RFI) / Local File Inclusion (LFI): Attempting to include remote or local files to gain access to sensitive information or execute arbitrary code.
  • Command Injection: Finding ways to execute system commands through the web application.

• Exploiting Identified Vulnerabilities: Once a potential vulnerability was identified, I attempted to exploit it. This often involved crafting specific payloads or manipulating input fields to trigger the vulnerability.

Exploiting the Web Application

In the case of www.scinfowars.com/esc, I discovered a Local File Inclusion (LFI) vulnerability. This vulnerability allowed me to read arbitrary files on the server. By manipulating the URL, I was able to include sensitive files such as /etc/passwd and other configuration files. This information was crucial for further exploitation. It is important to understand that simply identifying a vulnerability is not enough. You need to be able to exploit it to gain access to sensitive information or execute arbitrary code. In this case, the LFI vulnerability allowed me to read system files, which provided me with valuable information about the system's configuration and user accounts. This information then paved the way for further exploitation and eventual privilege escalation.

Exploitation: Gaining Access

Exploitation is the phase where you put your findings into action and attempt to gain access to the system. Based on the LFI vulnerability, I was able to read the /etc/passwd file, which gave me a list of users on the system. However, I needed a way to gain a shell.

• Finding Credentials: I leveraged the LFI vulnerability to search for configuration files that might contain credentials. This included looking for files like wp-config.php (if WordPress was used), database configuration files, or any other file that might store usernames and passwords.

• Gaining a Shell: Once I had potential credentials, I attempted to use them to gain a shell. This might involve:

  • SSH Access: Trying to SSH into the system using the credentials.
  • Web Shell: Uploading a web shell through a file upload vulnerability or by exploiting the LFI vulnerability to write to a file.

From LFI to Shell

My breakthrough came when I found a configuration file that contained database credentials. Using these credentials, I was able to access the database and retrieve user information, including password hashes. I then cracked one of the password hashes using John the Ripper, giving me a valid username and password. With these credentials, I was able to SSH into the system and obtain a low-privilege shell. This was a major step forward in the exploitation process. The ability to gain a shell, even with limited privileges, opens up a whole new range of possibilities for further exploitation and privilege escalation. This demonstrates the importance of persistence and creativity in the exploitation phase. Sometimes, the initial entry point may not be the most obvious or straightforward, but with careful analysis and a bit of ingenuity, you can often find a way to gain access to the system.

Privilege Escalation: Becoming Root

With a low-privilege shell, the next goal was to escalate my privileges to root. This is often the most challenging part of the OSCP, requiring a deep understanding of Linux systems and common privilege escalation techniques.

• Enumeration: I started by enumerating the system for potential privilege escalation vectors. This included:

  • Checking SUID/GUID Binaries: Looking for binaries with the SUID or GUID bit set, which could allow me to execute commands as another user.
  • Kernel Exploits: Researching known kernel vulnerabilities that might be exploitable on the target system.
  • Misconfigured Services: Identifying any misconfigured services that could be exploited to gain root access.
  • Writable Files: Searching for world-writable files or directories that I could potentially modify to gain higher privileges.

• Exploiting Privilege Escalation Vectors: Once I identified a potential privilege escalation vector, I attempted to exploit it.

The Path to Root

After thorough enumeration, I discovered a misconfigured service that was running with root privileges. By exploiting this misconfiguration, I was able to execute arbitrary commands as root, effectively gaining root access to the system. This involved crafting a specific payload that would exploit the misconfiguration and allow me to execute commands with elevated privileges. The key here was to understand how the service was configured and how I could manipulate it to achieve my goal. Privilege escalation is often a complex and challenging process, requiring a combination of technical skills, creativity, and persistence. It is important to be patient and methodical in your approach, carefully analyzing the system and looking for potential weaknesses. And remember, even if you don't succeed on your first attempt, don't give up! Keep exploring and experimenting, and you may eventually find the key that unlocks root access.

Post-Exploitation: Maintaining Access

Once I had root access, the final step was to maintain access to the system. This is an important part of any penetration test, as it ensures that you can continue to access the system even if it is rebooted or patched.

• Creating a Backdoor: I created a backdoor by adding a new user with root privileges or by modifying the SSH configuration to allow passwordless login.

• Covering Tracks: I cleared logs and removed any traces of my activity to avoid detection.

Securing My Foothold

I added a new user with root privileges to ensure I could regain access if needed. I also modified the SSH configuration to allow passwordless login, making it even easier to access the system in the future. Finally, I cleared the logs to remove any traces of my activity and avoid detection. This is a crucial step in any penetration test, as it helps to ensure that your presence remains undetected and that you can continue to access the system without being discovered. Maintaining access is not just about creating a backdoor; it's also about being stealthy and avoiding detection. This requires careful planning and execution, as well as a deep understanding of how systems are monitored and audited. By taking the necessary precautions, you can ensure that your access remains secure and that you can continue to use the compromised system for your own purposes.

Lessons Learned

This OSCP journey of exploiting www.scinfowars.com/esc was a valuable learning experience. Here are some key takeaways:

• Reconnaissance is Key: Thorough reconnaissance is essential for identifying potential vulnerabilities.
• Persistence Pays Off: Don't give up easily. Keep exploring and experimenting.
• Understanding the Fundamentals: A strong understanding of Linux systems and common vulnerabilities is crucial for success.
• Document Everything: Keep detailed notes of your findings and steps taken. This will help you stay organized and learn from your mistakes.

This experience reinforced the importance of a systematic approach to penetration testing. By following a structured methodology and documenting my findings, I was able to successfully exploit the target and gain root access. I hope this walkthrough has been helpful and informative. Keep practicing, keep learning, and good luck on your own OSCP journey!