Vulnversity
Learn about active recon, web app attacks and privilege escalation.
Last updated
Learn about active recon, web app attacks and privilege escalation.
Last updated
Try this exercise in TryHackMe: Vulnversity
Nmap is a free, open-source and powerful tool used to discover hosts and services on a computer network. In our example, we use Nmap to scan this machine to identify all services running on a particular port. Nmap has many capabilities; a table summarises some of its functionality below.
-sV
Attempts to determine the version of the services running
-p or -p-
Port scan for port or scan all ports
-Pn
Disable host discovery and scan for open ports
-A
Enables OS and version detection, executes in-build scripts for further enumeration
-sC
Scan with the default Nmap scripts
-v
Verbose mode
-sU
UDP port scan
-sS
TCP SYN port scan
Now let's run Gobuster with a wordlist using:
Gobuster flag
Description
-e
Print the full URLs in your console
-u
The target URL
-w
Path to your wordlist
-U and -P
Username and Password for Basic Auth
-p
Proxy to use for requests
-c
Specify a cookie for simulating your auth
Now that you have found a form to upload files, we can leverage this to upload and execute our payload, which will lead to compromising the web server. We will fuzz the upload form to identify which extensions are not blocked.
Now, make sure BurpSuite is configured to intercept all your browser traffic. Upload a file; once this request is captured, send it to the Intruder (used for automating customised attacks).
To begin, make a wordlist with the following extensions:
.php
.php3
.php4
.php5
.phtml
Upload this file (phpext.txt) to the Payloads
tab.
Select the Sniper
attack type.
Find the filename and Add §
to the extension. It should look like this:
Then click Start Attack
*Doing this attack in Intruder would ideally let us know which extensions are permitted or not. But in this case, we see no vast difference in the response received, length, and status codes.
By just brute-forcing, we identified that the .phtml
extension is allowed the upload form
We are going to use a PHP reverse shell as our payload. A reverse shell works by being called on the remote host and forcing this host to make a connection to you. So you'll listen for incoming connections, upload and execute your shell, which will beacon out to you to control! You can download the following reverse PHP shell here.
To gain remote access to this machine, follow these steps:
Edit the php-reverse-shell.php
file and edit the ip to be your tun0 of your AttackBox
Rename this file to reverse-shell.phtml
.
We're now going to listen to incoming connections using netcat. Run the following command: nc -lvnp 1234
.
Upload your shell and navigate to http://10.10.X.X:3333/internal/uploads/reverse-shell.phtml
This will execute your payload.
You should see a connection on your Netcat session.
Check the files in the machine.
We now get the contents of user.txt
Now that you have compromised this machine, we will escalate our privileges and become the superuser (root).
In Linux, SUID (set owner userId upon execution) is a particular type of file permission given to a file. SUID gives temporary permissions to a user to run the program/file with the permission of the file owner (rather than the user who runs it).
For example, the binary file to change your password has the SUID bit set on it (/usr/bin/passwd
). This is because to change your password, you will need to write to the shadowers file that you do not have access to; root
does, so it has root privileges to make the right changes.
The /bin/systemctl
stands out and unusually big
From GTFObins, we search for systemctl sudo privilege escalation steps.
We’ll use (b) to specify the file that we want to open.
We cannot use sudo in this machine, so change to:
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
We get the flag in /tmp/output