I am in the midst of my pursuit of the Offensive Security Certified Professional (OSCP) certification in May. Part of my preparation is to take on machines available on VulnHub. VulnHub provides materials that allow anyone to gain practical ‘hands-on’ experience in digital security, computer software & network administration. I am following this list of machines similar to the current version of the OSCP course.

I will be taking on DigitalWorld Joy today!

Firstly, I will perform an ARP scan to identify other active hosts on my local network. This is done to identify the IP address of the machine that I will be attempting to take over.

After identifying the IP address of the machine (192.168.239.132), I will perform my usual Nmap scan.

I then added the IP address to my /etc/hosts file for easy access to the webserver and was greeted with this page:

Researching more on the OSSEC Web UI Version 0.8 led me to a Cross-Site Scripting (XSS) vulnerability. However, I did not get far with it.

From the Nmap results, I was able to verify that multiple services such as FTP, SSH, SMTP, HTTP, POP3, etc., were running. One interesting result that stood out to me was that FTP allowed anonymous logins. Therefore, I logged in to check out what was stored there and was greeted with two folders:

  1. download
  2. upload

The download folder was empty. However, the upload folder had multiple files:

Most of these files were empty and contained irrelevant text. The only file that stood out was directory. It contained the contents of the files in the user Patrick's directory.

From the Nmap scan, I realised that ProFTPD was being used. Researching more on the service, I found that some cool commands could be executed and may be able to help me in my quest of gaining user privileges.

To test my theory out, I tried this technique with one of the more interesting files, version_control.

And it worked! I moved the version_control file to the FTP directory and was now able to download it to view the contents:

From this, I managed to get a good idea of how I should proceed. After some research, I found that ProFTPD 1.3.5 is vulnerable. I quickly found a Proof of Concept (POC) and put it to use. To go with it, I also opened a Netcat listener. Upon successful exploitation, I managed to get a shell.

I decided to upgrade the shell with the following commands:

  1. python3 -c 'import pty; pty.spawn("/bin/bash")'
  2. export TERM=xterm-256color

In the same directory I got a shell in, I spotted a file: patricksecretsofjoy. It contained the password to the user patrick.

Now that I gained access to Patrick, it was time to privilege escalate! I started off with the simple sudo -l command and these were the results:

I could execute a script... Interesting. The script was a simple program that can modify the permissions of a file in the same directory based on user input:

I figured that I could replace the contents of the script and execute it. Therefore, I decided to create a file with the contents of /bin/bash and replace it with the same method I used before (Telnet):

Then, I executed the file and managed to obtain root access!
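The escalation above works because a script that sudo runs as root could be overwritten by a non-root account. As an added example (not part of the original write-up), this Python audit checks a sudo target and every parent directory for untrusted ownership or write access; the function names and the default of trusting only uid/gid 0 are assumptions.

```python
import os
import stat


def untrusted_write(path, trusted_uids=(0,), trusted_gids=(0,)):
    """Return why a non-trusted account could modify or replace path, else None."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # A sudoers entry for a file that does not exist is itself a risk:
        # whoever can write to the parent directory can create it.
        return "missing"
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}"
    # In a sticky directory (e.g. /tmp) entries owned by others cannot be replaced.
    sticky_dir = stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)
    if st.st_mode & stat.S_IWOTH and not sticky_dir:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids and not sticky_dir:
        return f"writable by gid {st.st_gid}"
    return None


def audit_sudo_target(target, trusted_uids=(0,), trusted_gids=(0,), top="/"):
    """Check target and each ancestor directory up to top.

    Returns a list of (path, reason) findings; an empty list means only
    trusted accounts can change what sudo would execute.
    """
    findings = []
    path = os.path.realpath(target)   # follow symlinks to the real file
    top = os.path.realpath(top)
    while True:
        reason = untrusted_write(path, trusted_uids, trusted_gids)
        if reason:
            findings.append((path, reason))
        parent = os.path.dirname(path)
        if path == top or parent == path:
            break
        path = parent
    return findings


if __name__ == "__main__":
    import sys
    # Pass the command paths listed by `sudo -l` as arguments.
    for arg in sys.argv[1:]:
        for path, reason in audit_sudo_target(arg):
            print(f"{arg}: {path}: {reason}")
```

Any finding on the script or a parent directory means the sudoers entry effectively grants root to whoever holds that write access.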

Another great box, I certainly learnt a lot.