Proving grounds:Chatty

Today we will take a look at Proving grounds: Chatty. My purpose in sharing this post is to prepare for oscp exam. It is also to show you the way if you are in trouble. Please try to understand each step and take notes.

• Network

22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c1994b952225ed0f8520d363b448bbcf (RSA)
|   256 0f448badad95b8226af036ac19d00ef3 (ECDSA)
|_  256 32e12a6ccc7ce63e23f4808d33ce9b3a (ED25519)
3000/tcp open  ppp?

• rocket chat (3000)

While browsing the site, we see that we can create an account here.

Find and prepare a suitable exploit.

Use the password here when creating an account so that there is no difficulty when launching the exploit.

After logging into the account, we find the email address of the admin user.

We can skip the first half of the exploit script. Near the bottom of the script we can modify the code to save us some time.

We turn on the exploit and take the shell.

When I thought it wasn’t working at first, I ping my machine and boom

Now we take the reverse shell.

As we know the ssh port was open, to get a quality shell, let’s create a key ourselves and transfer it here and connect with ssh.

• Privesc (maidag)

Check Maidag’s version and look for a suitable exploit

We found the exploit. Let’s download and copy it to the target machine and run it.

local-exploits/exploit.ldpreload.sh at master · bcoles/local-exploits

And now we are the root

“If you have any questions or comments, please do not hesitate to write. Have a good days”