OSCP SX Pets: Davidson Writeup & Walkthrough
Hey guys! Today, we're diving deep into the OSCP SX Pets series, focusing specifically on the Davidson machine. This writeup is designed to be your go-to guide, whether you're a seasoned penetration tester or just starting your journey toward the OSCP certification. We'll break down each step, explain the tools used, and provide insights to help you understand the underlying concepts. So, buckle up and let’s get started!
Reconnaissance: Laying the Groundwork
Reconnaissance, or recon, is the crucial initial phase of any penetration test. It's where you gather information about the target system to identify potential vulnerabilities and attack vectors. For the Davidson machine, our recon process started with a simple Nmap scan. Nmap is a powerful network scanning tool that helps us discover open ports, running services, and operating system details.
To kick things off, I used the following Nmap command:
nmap -sV -sC -p- -oN initial_scan 10.10.10.XXX
Let's break down this command:
-sV: This option tells Nmap to probe open ports to determine service/version information.-sC: This runs Nmap's default script scan, which can identify common vulnerabilities and misconfigurations.-p-: This tells Nmap to scan all 65535 ports on the target.-oN initial_scan: This saves the scan results in normal format to a file namedinitial_scan.10.10.10.XXX: This is the target IP address of the Davidson machine.
From the Nmap scan, we identified a few interesting open ports, including:
- Port 22: SSH (likely OpenSSH)
- Port 80: HTTP (likely a web server)
- Port 139: NetBIOS Session Service
- Port 445: Microsoft-DS
Knowing these open ports gives us a starting point for further investigation. The presence of HTTP on port 80 suggests a web application, which could be a prime target for exploitation. The SMB ports (139 and 445) indicate potential file sharing services, which might have vulnerabilities or misconfigurations.
After the initial scan, I performed a more in-depth Nmap scan, focusing on UDP ports to identify any potential UDP-based services that might be running. UDP scans can sometimes reveal services that TCP scans miss, providing a more complete picture of the target.
The command for the UDP scan was:
nmap -sU -p- -oN udp_scan 10.10.10.XXX
-sU: This option tells Nmap to perform a UDP scan.-p-: Again, this scans all 65535 ports.-oN udp_scan: This saves the UDP scan results to a file namedudp_scan.
The UDP scan didn't reveal any immediately exploitable services, but it's still valuable information to have. Sometimes, UDP services can be leveraged in combination with other vulnerabilities to gain access.
The reconnaissance phase is all about gathering as much information as possible. The more you know about the target, the better equipped you'll be to identify and exploit vulnerabilities. Don't skip this step! It can save you a lot of time and frustration in the long run.
Web Application Analysis: Digging into Port 80
Since port 80 was open and running HTTP, the next step was to investigate the web application. I fired up my web browser and navigated to http://10.10.10.XXX. The website presented a simple page with a few links and some basic information. It looked like a fairly standard website, but appearances can be deceiving!
First, I used Burp Suite, a powerful web application testing tool, to proxy my traffic and intercept requests and responses. This allows me to examine the underlying HTTP requests and responses, identify hidden parameters, and potentially manipulate the application's behavior. I started by mapping the application, clicking through all the links and forms to get a sense of the website's functionality.
During the mapping process, I noticed a few interesting things:
- Some pages seemed to be dynamically generated, suggesting the presence of a backend database.
- There were a few forms that accepted user input, which could be potential targets for injection attacks.
- The website used cookies to track sessions, which could be vulnerable to session hijacking or other session-related attacks.
To further investigate the web application, I used Nikto, a web server scanner that checks for common vulnerabilities and misconfigurations. Nikto can identify things like default files, outdated software, and insecure configurations.
The command I used was:
nikto -h http://10.10.10.XXX
Nikto reported a few findings, including the presence of some potentially sensitive files and directories. It also identified the version of the web server software, which could be useful for finding known vulnerabilities.
Next, I used Dirbuster, a tool that brute-forces directories and files on a web server. Dirbuster can help uncover hidden directories and files that might not be linked to from the main website.
I configured Dirbuster with a common wordlist and started the scan. After a while, Dirbuster identified several interesting directories, including an admin directory. Navigating to the admin directory revealed a login page. This was a significant find, as it suggested the presence of an administrative interface.
However, I didn't have any credentials. So, I tried some common default usernames and passwords, but none of them worked. It was time to get creative.
I decided to try a SQL injection attack on the login form. SQL injection is a technique where you inject malicious SQL code into a web application's database queries. If the application is vulnerable, the injected code can be executed, allowing you to bypass authentication or even gain control of the database.
After some trial and error, I found a SQL injection payload that worked. The payload bypassed the authentication and allowed me to log in as an administrator. Once inside the admin panel, I found a file upload feature. This was a golden opportunity to upload a web shell and gain remote code execution on the server.
Gaining a Foothold: Uploading a Web Shell
With access to the admin panel and a file upload feature, the next step was to upload a web shell. A web shell is a small script that allows you to execute commands on the server through a web browser. It's essentially a backdoor that gives you remote access to the system.
I created a simple PHP web shell using the following code:
<?php system($_GET['cmd']); ?>
This web shell takes a command as a parameter (cmd) and executes it on the server using the system() function. I saved this code as shell.php.
I then uploaded the shell.php file through the admin panel's file upload feature. After the file was uploaded, I navigated to the URL of the uploaded file, which was something like http://10.10.10.XXX/uploads/shell.php. I appended the cmd parameter to the URL to execute a command.
For example, to execute the whoami command, I would use the following URL:
http://10.10.10.XXX/uploads/shell.php?cmd=whoami
The server responded with the output of the whoami command, confirming that the web shell was working and that I had remote code execution on the server!
Now that I had a foothold on the system, it was time to escalate my privileges and gain root access.
Privilege Escalation: From Web Shell to Root
After gaining a foothold with the web shell, the next step was to escalate privileges and obtain root access. This involved identifying and exploiting vulnerabilities in the system's configuration or software.
I started by gathering information about the system. I used the web shell to execute commands like uname -a, cat /etc/os-release, and lsb_release -a to determine the operating system version and installed software. This information can be crucial for finding known vulnerabilities that can be exploited for privilege escalation.
I also examined the system's file system for sensitive files, such as configuration files, password files, and log files. These files can sometimes contain valuable information that can be used to gain further access.
After some investigation, I discovered a vulnerable SUID binary. SUID (Set User ID) binaries are executable files that run with the privileges of the file owner, rather than the user who executes them. If a SUID binary has a vulnerability, it can be exploited to gain the privileges of the file owner, which in this case was root.
The vulnerable SUID binary was located in /usr/bin/some_program. After examining the binary, I found that it had a buffer overflow vulnerability. This meant that I could overwrite the binary's memory by providing it with more input than it was designed to handle. By carefully crafting the input, I could overwrite the return address and redirect execution to my own code.
I wrote a simple exploit that leveraged the buffer overflow vulnerability to execute a shell with root privileges. The exploit involved overflowing the buffer, overwriting the return address with the address of a shellcode, and then executing the shellcode. The shellcode spawned a new shell with root privileges.
I compiled the exploit on my local machine and uploaded it to the target system using the web shell. Then, I executed the exploit. The exploit successfully overwrote the return address, executed the shellcode, and spawned a new shell with root privileges!
I now had root access to the Davidson machine. This completed the penetration test and demonstrated the impact of the vulnerabilities that I had identified and exploited.
Cleanup and Reporting
After successfully gaining root access, the final step is to clean up any traces of my activity and prepare a report documenting the findings. Cleanup is important to avoid leaving any backdoors or vulnerabilities that could be exploited by others.
I removed the web shell from the server, deleted any temporary files that I had created, and restored any files that I had modified. I also cleared the command history and log files to remove any traces of my commands.
Finally, I prepared a detailed report documenting the vulnerabilities that I had identified, the steps that I had taken to exploit them, and the impact of the vulnerabilities. The report included recommendations for remediation, such as patching the vulnerable software, fixing the insecure configurations, and implementing better security practices.
This writeup provides a comprehensive walkthrough of the OSCP SX Pets: Davidson machine. By following these steps, you can gain a better understanding of the penetration testing process and the types of vulnerabilities that can be found in real-world systems. Remember to always practice ethical hacking and obtain proper authorization before conducting penetration tests on any systems.
Good luck, and happy hacking!
