Vulnversity - TryHackMe Room

 
1.jpg
 

The link for this lab is located here: https://tryhackme.com/room/vulnversity


In this room, we will learn about active reconnaissance, web application attacks and some basic privilege escalation to hack into a vulnerable machine.


23.jpg

Task 2 - Reconnaissance

First of all, we need to gather basic information about the target machine. For me, this starts with a very simple all ports scan - just to identify any open ports. This reveals that 6 ports are open on our target with little information about what is running on them.

portscan.png

The next step is to gather service information and get more details about each service if possible. For this, I run a scan to gather OS information, service detection and some basic Nmap scripts along with the specified ports found in the previous scan (saves time scanning all 65,535 ports with service detection).

servicescan.png

This reveals a variety of information including an FTP version (3.0.3), Samba running on port 139/445 which indicates to me a Linux machine, Squid HTTP proxy running on port 3128 which is interesting and an HTTP server running on port 3333 via Apache.

It also reveals to us that the machine is likely a Linux machine running Ubuntu - seen from various header information including HTTP.


2.jpg

Task 3 - Locating Directories using GoBuster

Navigating to the website reveals an interesting web page.

webpage.png

Clicking on any links we see does not reveal any new page which is intriguing. This tells me there is a hidden directory somewhere. To find these hidden directories, we can use GoBuster - a directory busting tool.

To use it effectively, I use the following syntax which specifies directory busting (dir) followed by the URL and the wordlist to use - I used a dirbuster wordlist which proves successful most times.

internal.png

Looking at the results, it reveals some directories including standard ones like images, css and js. The interesting one here is /internal. Navigating to that page reveals an upload page.


3.jpg

Task 4 - Compromise the Web Server

Looking back at the scan results, we saw that this server is running Apache. Doing a quick Google search reveals that PHP is the programming language commonly used with Apache. From this, we can try uploading a PHP file. If successful, we could then navigate to it and execute malicious code.

Trying to upload a simple PHP file with some random text inside reveals an error message that the extension is not allowed. Interesting…..

notallowed.png

Are there any other php extensions? Doing a quick Google search reveals there are multiple valid PHP extensions that can be used for PHP.

Knowing this, we can create a list of all the extensions and use Burp to test each one quickly and effectively. 

First, we intercept a request for an upload we make.

Once intercepted, we can send that request to Intruder and choose the payload we want to change for each request - in this case the “.php” part of the request ONLY.

Once set, we can navigate to the payload options and load the txt file created with the extensions inside as our payload and run the attack.

payloads.png

Running the attack should reveal that the “.phtml” file comes back with a different length, indicating it worked or something changed. Unfortunately, in my scenario, this was not working so I decided to do it manually.

nodiff.png

Instead, I simply went through and uploaded each file until a Success message popped up after uploading the “.phtml” file.

proff.png
success.png

Knowing that we can successfully upload a PHP file with this extension, we can use a PHP reverse shell and simply change the extension to “.phtml”. We can use this php reverse shell and simply change the IP and port in the code to your IP and a port of your choosing - I chose 8888.

phprev.png

Once changed, we can simply rename the file from .php to phtml to match the extension that is allowed to be uploaded.

phtml.png

Then, we can simply upload it to the site and receive a success message.

phprevsuc.png

To catch the reverse shell, we must be running a netcat listener on the same port as the one in the code you changed. 

netcat8888.png

Once listening, simply navigate to the /uploads/php-reverse-shell.phtml and check the netcat listener - you should have received a reverse shell.

shell.png

Next, I decided to stabilize the shell a little more using the following.

stabilize.png

Once stabilized, I check the contents of the “/home” directory to see any users on the system - a user called bill has a home directory located there.

bill.png

Inside the /home/bill directory there is a user.txt file which contains the user flag.

usertxt.png

4.jpg

Task 5 - Privilege Escalation

With this shell, the next thing to do is try to gain root privileges. There are multiple ways to do this but I decided to run LinPeas on the system to see if it could identify anything. 

First, I had to get LinPeas on the target by hosting the linpeas.sh file through a Python3 web server on my local machine

Once hosted, I used the wget command to download linpeas to the target machine inside the /tmp directory since /tmp is normally world readable and writable allowing us to create, modify and download files there.

Once on the system simply give it executable permissions using chmod.

chmod.png

And then run it. Once it has ran, looking through the results, we see a critical file having SUID permissions - systemctl

suid.png

Navigating to GTFOBins and searching for systemctl with SUID permissions reveals a way to get a possible root shell.

gtfobin.png

Simply follow the instructions on GTFOBins - this way creates a service that systemctl is going to start for us and that service will be running with elevated privileges

Systemctl is a controlling interface and inspection tool for the widely-adopted init system and service manager systemd. Systemd in turn is an init system and system manager that is widely becoming the new standard for Linux machines.

Systemd initializes user space components that run after the Linux kernel has booted, as well as continuously maintaining those components throughout a system's life cycle. These tasks are known as units, and each unit has a corresponding unit file.

We can create our own unit file and let systemd start it. Normally systemctl will look for unit files in the default folder, which is /etc/system/systemd but we do not have permission to write to that folder.

We can create a unit file and let systemctl start it via an environment variable.

First, we create a variable which holds a unique file.

  • eop=$(mktemp).service

Then, we create a unit file and write it into the variable

  • $ echo '[Service]

  • > ExecStart=/bin/sh -c "chmod +s /bin/bash"

  • > [Install]

  • > WantedBy=multi-user.target' > $eop

Inside the unit file, we entered a command which will let shell execute the command chmod and add a SUID bit to the /bin/bash file. Finally, we use the /bin/systemctl program to enable the unit file

  • /bin/systemctl link $eop

  • /bin/systemctl enable --now $eop

stickybit.png

Once all ran, checking the permissions on /bin/bash reveals it has the “s” bit for the user and group - which is root. This means we can run “bash -p” to keep the privileges of the BASH shell effectively giving us root privileges

Running bash -p returns us a root shell with effective user and group IDs of root.

root.png

Once in, navigate to /root and grab the root.txt flag.

roottxt.png

Previous
Previous

Basic Pentesting - TryHackMe Room

Next
Next

Linux Privilege Escalation