TryHackMe — Vulnversity

Hi everyone, hope you are doing well. This is the first write-up in my TryHackMe write-up series. This challenge includes some really interesting tasks: reconnaissance, exploiting a file upload vulnerability, and writing a custom service to get the root flag. Don’t worry if this doesn’t make sense to you right now; I will cover each task in detail.

Prerequisites:

  • A TryHackMe account.
  • Kali, Parrot, or any other Linux-based OS with the required tools installed. This will be our attacking machine. I will be using Kali Linux, but you can use any other OS too.
  • Hands-on experience with Linux.
  • A curious, learning attitude.

Let's dive into the technicalities.

Task — 1 { Deploy the machine }

  • Download your .ovpn file; it is generally named your_username.ovpn.
  • Open a terminal, navigate to the directory where the .ovpn file was downloaded, and connect to the VPN.
Connecting to VPN
  • When you are successfully connected to the VPN, you will see a line like Initialization Sequence Completed.
Initialization Sequence Completed
  • Now deploy the machine by clicking the Deploy Machine button. Once clicked, the machine starts within two minutes.
  • Try to ping the machine.
Pinging the Machine

Task — 2 { Reconnaissance }

  • Scanning the box using nmap.
sudo nmap -sC -sV -p- --min-rate=5000 10.10.138.148

sudo: runs nmap with root privileges.

nmap: the scanner itself.

-sC: runs the default nmap scripts against the target machine.

-sV: performs service and version fingerprinting.

-p-: scans all ports.

--min-rate=5000: sends at least 5000 packets per second. This speeds up the scan, but I do not recommend it because it sends heavy traffic to the target.

10.10.138.148: the IP address of my victim (Vulnversity) machine. Yours may be different.

Full Nmap Scan

Open ports & services:

  • Port 21 is running an FTP server, vsftpd 3.0.3. I found an XSS & CSRF vulnerability for it with a very low CVSS score, which might not lead to remote code execution.
  • Port 22 is running the SSH service, OpenSSH 7.2p2, which led me to an exploit on Exploit-DB. This exploit allows enumerating users on the server. We will keep this in mind and get back to it if required.
  • Ports 139 & 445 are running netbios-ssn, smbd 3.X - 4.X and smbd 4.3.11-Ubuntu respectively. I found the Samba is_known_pipename() Arbitrary Module Load vulnerability, which requires valid credentials and a writable folder. So far we don’t have credentials, therefore we cannot proceed with this approach.
  • Port 3128 is running an HTTP proxy, squid 3.5.12. I found several vulnerabilities, like a buffer overflow in squid-cache and insufficient verification of data authenticity in squid-cache. These sound like great vulnerabilities, but we cannot start from here either.
  • Port 3333 is running a web server, Apache httpd 2.4.18. nmap gave some more information: http-server-header Apache/2.4.18 Ubuntu and http-title Vuln University.
  • nmap also returned some more information about SMB. We will discuss this later if required.
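The scan above is shown as a screenshot. To make the "how many ports are open, and which versions" question answerable from a saved scan instead of a picture, here is an added example (my code, not part of the original write-up) that parses nmap's grepable output format (-oG) and reports open ports with their service versions. The sample scan line is constructed: the ports and versions are the ones listed above, but the exact banner wording is an assumption, not the room's real output.

```python
from typing import Dict, List, NamedTuple


class PortEntry(NamedTuple):
    port: int
    state: str
    proto: str
    service: str
    version: str


# Constructed sample of nmap -oG output for the scan described above.
# Ports and versions follow the write-up; banner wording is assumed.
SAMPLE_OG = (
    "# Nmap grepable output (constructed sample)\n"
    "Host: 10.10.138.148 ()\tStatus: Up\n"
    "Host: 10.10.138.148 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 3.0.3/, "
    "22/open/tcp//ssh//OpenSSH 7.2p2 (protocol 2.0)/, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, "
    "445/open/tcp//netbios-ssn//Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)/, "
    "3128/open/tcp//http-proxy//Squid http proxy 3.5.12/, "
    "3333/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/"
    "\tIgnored State: closed (65529)\n"
)


def parse_grepable(text: str) -> Dict[str, List[PortEntry]]:
    """Map each host IP in -oG output to the port entries nmap reported for it."""
    hosts: Dict[str, List[PortEntry]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # A Host line is a tab-separated list of "Name: value" fields.
        fields: Dict[str, str] = {}
        for chunk in line.split("\t"):
            name, sep, value = chunk.partition(": ")
            if sep:
                fields[name] = value
        ip = fields["Host"].split()[0]
        if "Ports" not in fields:
            continue  # e.g. the "Status: Up" line carries no ports
        for item in fields["Ports"].split(", "):
            # Each item is port/state/proto/owner/service/rpcinfo/version/ .
            # The version text may itself contain "/", so split at most six
            # times and strip only the trailing slash from the remainder.
            parts = item.strip().split("/", 6)
            if len(parts) != 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts
            hosts.setdefault(ip, []).append(
                PortEntry(int(port), state, proto, service, version.rstrip("/"))
            )
    return hosts


def open_ports(hosts: Dict[str, List[PortEntry]], ip: str) -> List[int]:
    """Sorted list of open TCP/UDP ports for one host."""
    return sorted(e.port for e in hosts.get(ip, []) if e.state == "open")


def version_report(hosts: Dict[str, List[PortEntry]], ip: str) -> Dict[int, str]:
    """port -> 'service version' for open ports: the view a patch review starts from."""
    return {e.port: f"{e.service} {e.version}".strip()
            for e in hosts.get(ip, []) if e.state == "open"}


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_OG)
    print(len(open_ports(scan, "10.10.138.148")), "open ports")
    for port, desc in version_report(scan, "10.10.138.148").items():
        print(port, desc)
```

Run a real scan with `-oG scan.gnmap` and feed the file's contents to parse_grepable to get the same report for your own target; the version_report output is what you would compare against your patch level or an asset inventory.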

Questions:

  • Scan the box, how many ports are open?
6
  • What version of the squid proxy is running on the machine?
3.5.12
  • How many ports will nmap scan if the flag -p-400 was used?
400
  • Using the nmap flag -n what will it not resolve?
DNS
  • What is the most likely operating system this machine is running?
Ubuntu
  • What port is the webserver running on?
3333

Task — 3 { Locating directories using GoBuster}

I am using dirsearch instead of GoBuster.

Note: I had to restart my Vulnversity machine and got a different IP.
Earlier IP: 10.10.138.148
Current IP: 10.10.89.96

Since a web server is running, I started looking for any exposed directories. For that I ran dirsearch against the URL http://10.10.89.96:3333/

dirsearch output

Questions:

  • What is the directory that has an upload form page?
/internal/

Task — 4 { Compromise the webserver}

Let's start looking at these URLs one by one:

http://10.10.89.96:3333/css
http://10.10.89.96:3333/fonts
http://10.10.89.96:3333/js
http://10.10.89.96:3333/internal

Here we got something interesting: a file upload page.

Note: I checked the files under the other URLs too but did not find anything interesting. Please look through those files yourself; maybe you will find something I missed.

Let's try to upload a PHP reverse shell, but before that, start Burp Suite to get a better idea of what is happening behind the scenes.

After downloading php-reverse-shell, don’t forget to change the IP address and port number. The IP address is your tun0 IP and the port number can be anything.

tun0 IP

In my case, the changes are:

Editing php-reverse-shell.php

Now we are ready to upload this reverse shell.

Before hitting the Submit button, turn on Intercept in the Burp Suite proxy. Click Submit > go to Burp Suite > send the intercepted request to Repeater > turn off the proxy interceptor.

We get an error, Extension not allowed, in the browser.

Extension not allowed

This means the server is validating the extension of the uploaded file and blocking the php extension. We can try some other extensions and see whether any of them work.

Go to Burp Suite > click on the Repeater tab > send the intercepted request to Intruder.

Intercepted request in intruder

Click the Clear button on the right > select php > click the Add button on the right.

Selecting php (remember the dot is not selected)

Click the Payloads tab > under Payload Options, enter some extensions.

Entered different extensions

We are ready to test the different extensions. Click the Start attack button on the right to start Intruder.

phtml worked!!

In the above result, only the phtml extension shows the Success status. This means we can upload a file with the phtml extension.
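The root cause here is a blocklist: the form refuses ".php" but nothing else, and on Ubuntu the Apache PHP module configuration hands .php, .phtml and .phar files to the PHP engine alike, so the remaining extension still executes. As an added example (my code, not the room's or the write-up's), the weak check reconstructed from the observed behaviour sits beside a hardened version that allowlists the few types the form needs, checks the file body's signature as well as the name, and never reuses the client-supplied name on disk. The allowed types, signature table and function names are my assumptions.

```python
import os
import secrets
from typing import Optional

# --- Weak check, reconstructed from the behaviour observed above ----------
# Only ".php" is refused, so ".phtml" goes through even though the PHP
# handler executes it too.
BLOCKED_EXTENSIONS = {".php"}


def blocklist_check(filename: str) -> bool:
    """True if an extension blocklist would accept this filename."""
    _, ext = os.path.splitext(filename)
    return ext.lower() not in BLOCKED_EXTENSIONS


# --- Hardened check (assumed policy: the form only needs images and PDFs) --
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}
MAGIC_PREFIXES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}


def normalised_extension(filename: str) -> str:
    """Lower-cased final extension of the basename, e.g. 'shell.php.JPG' -> '.jpg'."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path part
    return os.path.splitext(base)[1].lower()


def allowlist_check(filename: str) -> bool:
    """True only for an extension the application explicitly supports."""
    return normalised_extension(filename) in ALLOWED_EXTENSIONS


def content_matches(ext: str, data: bytes) -> bool:
    """Does the file body start with a known signature for the claimed type?"""
    return any(data.startswith(sig) for sig in MAGIC_PREFIXES.get(ext, ()))


def accept_upload(filename: str, data: bytes) -> Optional[str]:
    """Return the random server-side name to store under, or None to reject."""
    ext = normalised_extension(filename)
    if ext not in ALLOWED_EXTENSIONS or not content_matches(ext, data):
        return None
    # A fresh random name: the client's basename, and any extra extensions
    # hidden inside it, never reach the filesystem.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    print("blocklist accepts .phtml:", blocklist_check("php-reverse-shell.phtml"))
    print("allowlist accepts .phtml:", allowlist_check("php-reverse-shell.phtml"))
    print("stored as:", accept_upload("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```

The name check alone is not enough: the upload directory should also be served from a location where the web server has no script handler, so that even a file that slips through is returned as bytes rather than executed.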

Let's rename our php-reverse-shell.php file to php-reverse-shell.phtml and try uploading it.

Successfully uploaded php-reverse-shell.phtml

Now our task is to find where the file was uploaded on the server. For that we will again use dirsearch to get the file location.

Found upload directory!!

Here we got an uploads directory.

php-reverse-shell.phtml file found!!

Before clicking on the file, start a netcat listener on port 55555. This is the same port we set in the php-reverse-shell.php file earlier.

nc shell listening on port 55555

Now visit the URL http://10.10.89.96:3333/internal/uploads/php-reverse-shell.phtml or simply click on that file.

As soon as we open that file, we get a reverse shell on the listening netcat.

Shell
user.txt flag

Questions:

  • Try upload a few file types to the server, what common extension seems to be blocked?
.php
  • Run this attack, what extension is allowed?
.phtml
  • What is the name of the user who manages the webserver?
bill
  • What is the user flag?
8bd79[REDACTED]

Task — 5 { Privilege Escalation}

So far we have a shell with low privileges; now we need to escalate them. There are multiple techniques to do that, but unfortunately not every technique works in every scenario. To find the right one, we need to enumerate the machine.

Enumeration

To make the privilege escalation task easier, let's follow the challenge’s instructions.

To search for all SUID files:

find / -perm -u=s -type f 2>/dev/null

find: the search command.

/: the path to search from, here the whole filesystem.

-perm: match files by their permission bits.

-u=s: the setuid bit is set in the owner’s permissions.

-type f: regular files only.

2>/dev/null: redirect stderr to /dev/null so permission-denied errors do not clutter the output.

SUID files
Permission of /bin/systemctl file

/bin/systemctl looks interesting because systemctl is used to start, stop, or check the status of services. Managing system services normally requires root privileges, but here the SUID bit is set, so the binary runs with root privileges regardless of who invokes it.
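The reason systemctl "stands out" is that it is not setuid on a stock install, so the finding is really a comparison against a baseline. As an added example (my code, not the write-up's), here is that comparison: a constructed find listing of the setuid binaries of a stock Ubuntu 16.04 system plus the odd entry from the room is checked against a baseline set, and a live variant walks the filesystem the way find does. The sample listing and the baseline are my assumptions; a production baseline should be captured from a known-good image of the same build.

```python
import os
import stat
from typing import Iterable, List, Set

# Constructed sample of `find / -perm -u=s -type f 2>/dev/null` output.
SAMPLE_FIND_OUTPUT = """\
/bin/fusermount
/bin/mount
/bin/ping
/bin/ping6
/bin/su
/bin/systemctl
/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/pkexec
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
"""

# Assumed baseline: binaries that carry setuid on purpose on stock Ubuntu 16.04.
BASELINE_SUID: Set[str] = {
    "/bin/fusermount", "/bin/mount", "/bin/ping", "/bin/ping6", "/bin/su",
    "/bin/umount", "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/pkexec",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
}


def is_suid_regular(mode: int) -> bool:
    """True for a regular file with the owner-setuid bit set (what -perm -u=s -type f matches)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def unexpected_suid(find_output: str, baseline: Iterable[str] = BASELINE_SUID) -> List[str]:
    """Paths from find output that are not in the baseline, sorted."""
    known = set(baseline)
    paths = {line.strip() for line in find_output.splitlines() if line.strip()}
    return sorted(p for p in paths if p not in known)


def live_suid_files(root: str = "/") -> List[str]:
    """Walk the live filesystem like find does: no symlink following, skip pseudo-filesystems."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if is_suid_regular(os.lstat(path).st_mode):
                    found.append(path)
            except OSError:
                continue
    return sorted(found)


if __name__ == "__main__":
    # Offline run against the constructed sample; replace SAMPLE_FIND_OUTPUT
    # with "\n".join(live_suid_files()) to audit the host you are on.
    for path in unexpected_suid(SAMPLE_FIND_OUTPUT):
        print("unexpected setuid binary:", path)
```

On a host where this reports /bin/systemctl, the fix is to clear the bit (chmod u-s /bin/systemctl) and to find out how it got there; a periodic diff of this list against the baseline is a cheap detection for the same misconfiguration elsewhere.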

I took a reference from GTFOBins to abuse /bin/systemctl and read the root flag.

Writing service to read /root/root.txt flag

From the above:

1. Creating a temporary file in the /tmp directory to write our service into.

2. Listing the /tmp directory, we can see two files starting with tmp; the latest one was just created.

3. Writing our service, which reads the /root/root.txt flag and stores it in the /tmp/root_flag.txt file.

4. Linking our custom service into the unit file search path.

5. Starting our custom service. As it starts, it executes the command assigned to ExecStart, which reads the root flag and stores it in the /tmp/root_flag.txt file.

6. Listing the /tmp directory again. We can see a new file, root_flag.txt, has been created.

7. Reading the root flag.

Questions:

  • On the system, search for all SUID files. What file stands out?
/bin/systemctl
  • Become root and get the last flag (/root/root.txt)
a58ff[REDACTED]

References:

Hacking Articles

GTFO Bins

Create systemd service

About me:

Name: Aakash Kumar

Email: 0xA94 [at] protonmail [dot] com

Security Researcher
