Today we will take a look at Proving grounds: Matrimony. My purpose in sharing this post is to prepare for oscp exam. It is also to show you the way if you are in trouble. Please try to understand each step and take notes.
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| 3072 c1994b952225ed0f8520d363b448bbcf (RSA)
| 256 0f448badad95b8226af036ac19d00ef3 (ECDSA)
|_ 256 32e12a6ccc7ce63e23f4808d33ce9b3a (ED25519)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
|_ bind.version: 9.16.1-Ubuntu
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Vanilla Bootstrap v4.2.1 Theme
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- DNS (53)
If the PTR record is set, let’s try a reverse lookup to get the target’s domain name.
We can retrieve the domain name matrimony.off associated with the IP address of the submitted target. Let’s try to perform Zone Transfer.
Add the domain name to the hosts file.
If we look for the information we got from the copyright section, we find exploitation.
Offensive Security's Exploit Database Archive
Online Matrimonial Project 1.0 - Authenticated Remote Code Execution.. webapps exploit for PHP platform
To use the exploit, you need to open an account, we can register here.
Run the exploit.
Copy our ssh key here so we can log in easily.
Let’s check the network configurations
There is a Docker interface. Check the network connections using netstat command.
Here we see that there is an available network connection to the Docker container. In the last line, we can see that the host (172.17.0.1) is connected to the docker instance (172.17.0.2). This indicates that we can use SSH in the container.
When we try to log in as root, we successfully log into the container.
One of the first things to check when we have root privileges on a container is if we have access to docker.sock.
İmport the Docker binary from the target host to the container.
We find that we have 2 different image IDs, we can choose the one we want. We create a container and mount the target host’s /root directory to our new container.
We can check the /mnt folder to see if we have successfully mounted the /root directory into this new container.