
Issue solving basebox challenge

Open Apruva opened this issue 5 years ago • 5 comments

Hello, trying to solve this box challenge, I have managed to gain local access from the IRCd backdoor vulnerability as user "irc:x:39:39:ircd:/var/run/ircd:/bin/sh". The user is restricted and can't move between directories and can only list certain files. The flag_hints.xml file says that the system is vulnerable to Nmap SUID, so I tried checking the version of Nmap (nmap -V) and listing SUID binaries (find / -perm -u=s -type f 2>/dev/null), which returned nothing about nmap - it seems like Nmap is not installed on the system. I have spent a lot of time searching for hints and valuable information on the target system, but have been stuck for a long time now, so I decided it's time to reach out for some help. Also, is it possible that nmap did not succeed installing on the basebox? So that I'm looking at a dead end?

Apruva avatar Apr 25 '19 09:04 Apruva

Output of flag_hints.xml and scenario.xml: issue1 issue2 issue3

Apruva avatar Apr 25 '19 09:04 Apruva

Hi @Apruva,

You're right in your assumption that the scenario should have installed the nmap_suid vulnerability. Can you check if the binary exists? It should be in: /usr/bin/nmap.

If not then it sounds like the VM did not provision correctly. You should be able to re-build the VM by using the scenario file in the second screenshot with ruby secgen.rb -s <path to scenario.xml> r

Hope this helps.

Cheers, Tom

thomashaw avatar Apr 25 '19 10:04 thomashaw

It is not found in /usr/bin/nmap. I have SecGen currently running on Kali, and had a lot of dependency issues during the installation. I might try to install it on Ubuntu 16.4 as done in the guide. I then wonder if it is possible to connect a virtual Kali to a virtual Ubuntu that has SecGen installed, and virtual SecGen machines running inside the virtual Ubuntu in VirtualBox. @thomashaw

Apruva avatar Apr 25 '19 11:04 Apruva

Ok, I made a new VM and reinstalled everything, and fixed all dependencies on Kali. After bundle install succeeded I issued the "ruby secgen.rb run" command and got "VMs Created". Then I opened VirtualBox and looked to see if the SecGen VM had appeared; it had not!? So I wonder, how do I proceed from here, why isn't the VM showing in VirtualBox, when it says it has been created? Which directory do I go to? "Virtualbox VMs/SecGen20190425" or "SecGen/projects/SecGen20190425", and what commands should I issue, "vagrant up" or "ruby secgen.rb build-project"? I apologise if this is a dumb question, but I have been trying to solve errors for days now and I finally believe I'm on the right track, so I want to make sure that this last step is done the right way. @thomashaw @cliffe

Apruva avatar Apr 25 '19 16:04 Apruva

Looks like the VM built. Normally the VMs will show up when you start VirtualBox -- although they are likely running headless (without GUI, until you click Show VM), and typically require a restart of the VMs to function correctly. If they aren't listed at all in the VirtualBox program you might be able to just open the VM from Virtualbox VMs/SecGen20190425. The secgen/projects directory can be used to rebuild the VMs with vagrant up. Good luck.

cliffe avatar Apr 25 '19 23:04 cliffe