The machine

This machine is one of the machines from the OSCP preparation guide I received from one of my teachers. This machine is the next on list and it can be downloaded on: vulnhub

The challenge

The challenge or goal of the machine lists the following:

Rules of engagement are simple – find a way in, escalate your privileges all the way up to the root and get the flag! As with all VMs like this, think outside the box, don’t jump to conclusions too early and “read between the lines” 🙂

https://www.vulnhub.com/entry/pegasus-1,109/

Walk-through

The walk-through will be divided in a couple sections following the standard penetration testing process: Information gathering –> Exploitation –> Post exploitation. It could be divided into more steps, but for complicity we do these three.

Information gathering

To start of we will find the IP address of the machine with nmap since netdiscover takes a while on my VMware. We will use the command sudo nmap -sn 192.168.0.0/24 for this. The vulnerable machine has the IP 192.168.0.137.

So to start of the machine we scan the machine for open ports with nmap. We will do two scans; sudo nmap -sV -sC 192.168.0.137 -oA nmap and sudo nmap -sV -sC -p- 192.168.0.137 -oA fullnmap. We use these parameters for;
-sV service and version enumeration,
-sC is for basic script usage.
-p- to do a full port scan.
-oA to save all output to a couple different files.

The nmap results are;

So we got OpenSSH on port 22, rpcbind again on 111, an http nginx webserver on port 8088 and an RPC on port 41549. This seems interesting.

To start of, lets check if the SSH has an banner by sshing into the server with ssh 192.168.0.137. But it does not:

Lets start a web vulnerability scan with nikto and a directory bruteforcer dirb for the web-server. nikto -host http://192.168.0.137:8088 -output nikto.txt and dirb http://192.168.0.137:8088 -o dirb.txt. While the scan is running, we can have a manual look to the website:

Only an image of a pegasus, the source code doesn’t include anything of our interest either:

<html>
	<!-- Under construction... -->
	<head>
		<title>Pegasus Technologies - Under Construction</title>
	</head>
	<body>
		<img src="pegasus_by_exomemory-d5ofhgw.jpg" />
	</body>
</html>

If we go to any directory or page we get the same page as the homepage. But it does not redirect us. We just get a 200 OK.

That is probably why nikto give us the following results:

The normal dirb scan didn’t found anything, so we run dirb http://192.168.0.137:8088 /usr/share/dirb/wordlists/big.txt -o dirb.txt with a way bigger wordlist. See if it find anything but probably wont… and it found nothing. So time to get to another port, lets check what this rpcbind is about. A service I wanted to study for a bit already, but never got into it.

So there is this rpc status tcp port on 41549, but I have no idea what to do with it. There is also an rpc status udp port on 35214. Lets run an UDP all port scan with nmap. sudo nmap -sU -p- -sC -sV 192.168.0.137 and see if it will find anything.

Its still running, so I tried some other lists with dirb and found the following:

Nothing to special, we should try some more lists tho 🙂 So I tried most seclist lists and couldn’t find anything. Even did the big.txt list with some extensions. Time to look up a hint. There is a /codereview.php php code.

Exploitation

I could not exploit this for now. I tried some .php reverse shells. Read a writeup and needed C# or C++. I will come back to this machine later!

Privilege escalation

Flag

Leave a Reply

Your email address will not be published. Required fields are marked *