# Proving Grounds Play: Infosecprep

Proving Grounds Play - Infosecprep CTF writeup.

### Nmap

```sh
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 91ba0dd43905e31355578f1b4690dbe4 (RSA)
|   256 0f35d1a131f2f6aa75e81701e71ed1d5 (ECDSA)
|_  256 aff153ea7b4dd7fad8de0df228fc86d7 (ED25519)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 1 disallowed entry 
|_/secret.txt
|_http-title: OSCP Voucher &#8211; Just another WordPress site
|_http-generator: WordPress 5.4.2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|_    HY000
```

### Web

![img](/files/lpEwjfJaiT2XdAchJFhB)

The Nmap scan shows a disallowed entry, `/secret.txt`, in the `robots.txt` file.

#### Base64 encoded text

![img](/files/Q5KCm7G0vcY4AgshEPqz)

#### Decoded text

![img](/files/pS18CJQwsw4sduuckyD3)

Save the decoded SSH key as `id_rsa` and set the necessary permissions with `chmod 600`.

### Enumerate SSH Login user

As mentioned in the blog post by the author, there is only one user on the system: `oscp`.

SSH in as the `oscp` user using the SSH key.

![img](/files/oDTOL7pqJcbBAZd27Boi)

### Privilege Escalation

Check the permissions on the `/bin/bash` binary: it has the setuid bit set, shown as `s` instead of `x` in the permissions list.

```sh
-bash-5.0$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1183448 Feb 25  2020 /bin/bash
```

**What does setuid bit do?**

The setuid bit indicates that when the executable is run, the process takes on the privileges (the effective user ID) of the file's owner instead of those of the user who launched it.

In this case the owner is the root user, so we can simply run `/bin/bash -p` to obtain root access. The `-p` flag is needed because bash otherwise resets its effective user ID to the real user ID at startup.

![img](/files/AaPej2pAdtGnyNQ2YegC)
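
A defender-side check for the misconfiguration used above, as an added example that is not part of the original writeup: it flags any login shell that carries the setuid or setgid bit and reports its owner. Reading the candidates from `/etc/shells` and the function names `suid_state` and `audit_shells` are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the writeup): flag login shells that carry the
# setuid or setgid bit, the misconfiguration seen on /bin/bash above.
# Assumption: candidate shells are listed one per line in /etc/shells.

# suid_state FILE -> prints setuid, setgid, setuid+setgid or none
suid_state() {
    _state=""
    if [ -u "$1" ]; then _state="setuid"; fi
    if [ -g "$1" ]; then _state="${_state:+$_state+}setgid"; fi
    printf '%s\n' "${_state:-none}"
}

# audit_shells [LIST] -> one FLAG line per offending shell.
# Returns 0 if clean, 1 if anything was flagged, 2 if LIST is unreadable.
audit_shells() {
    _list=${1:-/etc/shells}
    _flagged=0
    if [ ! -r "$_list" ]; then
        echo "cannot read $_list" >&2
        return 2
    fi
    while IFS= read -r _path; do
        case $_path in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ -f "$_path" ] || continue                # skip stale entries
        _s=$(suid_state "$_path")
        if [ "$_s" != none ]; then
            # The owner matters: the process runs with that user's privileges.
            _owner=$(ls -ld "$_path" | awk '{print $3}')
            printf 'FLAG %s %s owner=%s\n' "$_s" "$_path" "$_owner"
            _flagged=1
        fi
    done < "$_list"
    return "$_flagged"
}

# Usage: audit_shells /etc/shells; echo "exit=$?"
# Remediation for a flagged shell: chmod u-s,g-s /path/to/shell
```

The non-zero exit status on a finding lets the check run from cron or a configuration-compliance job and fail loudly.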

Thanks for reading!

For more updates and insights, follow me on Twitter: [@thevillagehacker](https://twitter.com/thevillagehackr).


