TRYHACKME: VULNVERSITY WALKTHROUGH

Let's pwn https://tryhackme.com/room/vulnversity together!


With the machine spun up and ready, let's get into it!

RECONNAISSANCE

We are looking for open ports. My favorite and go-to tool for this is nmap. We'll scan using

nmap -Pn -sS -sV -T4 10.10.238.250


There's an Apache server running on port 3333. Opening http://10.10.238.250:3333 in the browser takes us to a web application.


We'll look for directories and input fields, especially uploads, for reverse shells of course! I'll be using gobuster for the job.

gobuster dir -t 10 --wildcard -e -r --url http://10.10.238.250:3333/ -w dirs.txt -a "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0"

We found an interesting directory: "/internal/".


Opening it leads us to... wait for it ......

An upload form 😌. For this one we'll go with a PHP reverse shell. I'll go ahead and grab it from

/usr/share/webshells/php/php-reverse-shell.php

After this we edit the IP and port in the script and set them to our attack machine and a free port.

Now we start a netcat listener on port 6996 with

nc -lnvp 6996

A lot of upload handlers either filter out or expect specific file types, so we'd have to make a bunch of copies of the reverse shell and rename each with a different extension to test which ones work. I'm lazy, so I'll use Burp Suite instead. I'll use

http://10.10.238.250:3333/internal/

as the scope.

We'll use Intruder to test the file types. Leave Intercept on and open the built-in browser. Paste the URL and load the page. Go back and turn Intercept off. Try to upload the reverse shell; it gets rejected.

Head over to the HTTP history and find the POST request.

Send it to Intruder with CTRL+I. Clear the selected positions.

Highlight the filename and add the position.


Head over to the Payloads section and add some extensions to the simple list payload option. We'll be trying

  • html
  • php1
  • php2
  • php5
  • phtml

Finally, disable payload URL-encoding and start the attack! Results from Intruder mostly look identical, so we search for the one that differs from the rest. If it exists, it's our winner!


".phtml" seems to have worked. Let's navigate to the "/uploads/" directory to confirm.

Now that we have proof of compromise we can go ahead and execute the reverse shell by opening it in the browser.
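As an added defensive example (not code from the original walkthrough), the Python below contrasts the kind of deny-list extension check that still lets ".phtml" through with an allow-list check that also catches case tricks and double extensions; the sample file names and both validator functions are constructed for illustration.

```python
import os
from typing import Dict, Iterable, Tuple

# Constructed sample upload names, modelled on the extensions tried above.
SAMPLE_NAMES = [
    "shell.php", "shell.html", "shell.php1", "shell.php2", "shell.php5",
    "shell.phtml", "shell.PHP", "shell.phtml.jpg", "photo.jpg", "cv.pdf",
]

# Weak check: a deny-list of "known bad" extensions. Anything not listed
# (.phtml, or a different letter-case) passes, which is the gap found above.
DENYLIST = {".php"}

def denylist_allows(filename: str) -> bool:
    ext = os.path.splitext(filename)[1]
    return ext not in DENYLIST

# Hardened check: only expected extensions are accepted, compared
# case-insensitively, and names that smuggle an interpreted extension
# earlier in the name (shell.phtml.jpg) are rejected as well.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
INTERPRETED = {".php", ".php1", ".php2", ".php3", ".php4", ".php5", ".php7",
               ".phtml", ".phar", ".phps", ".html", ".htm", ".shtml"}

def allowlist_allows(filename: str) -> bool:
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension, or a dot-file such as ".jpg"
    exts = ["." + p for p in parts[1:]]
    if exts[-1] not in ALLOWLIST:
        return False
    return not any(e in INTERPRETED for e in exts[:-1])

def compare(names: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each name to (deny-list verdict, allow-list verdict)."""
    return {n: (denylist_allows(n), allowlist_allows(n)) for n in names}

if __name__ == "__main__":
    for name, (weak, strong) in compare(SAMPLE_NAMES).items():
        print(f"{name:18} deny-list={weak!s:5} allow-list={strong}")
```

Even with the allow-list, the upload directory should not be served with script execution enabled, since the filter is only one layer.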


INITIAL ACCESS


We're in! We do some basic prying to see who we are on the system, who the other users are and what their privileges are.


And we have our user flag! With that, let's check out some SUID binaries.

PRIVILEGE ESCALATION


We have a bunch of interesting stuff to use to our advantage, but first let's spawn a TTY shell to get rid of some restrictions.

python -c 'import pty; pty.spawn("/bin/bash")'

In case you were wondering, I haven't memorised all these commands yet. I use Hack Tools, check them out and buy them a coffee! Remember, one of the binaries we found was

/bin/systemctl

It's especially interesting because systemctl controls the systemd service manager. This means that we can mess around with /etc/system/systemd. I'll navigate to the /opt directory and we'll create some environment variables from there.

priv=$(mktemp).service

Next we write a unit file to the path held in our environment variable.

With that we just created a simple service that executes the "cat" command on the root flag and writes it in the /opt directory we're in. Since the user flag was in a file called user.txt, my bet is that the root flag is called root.txt. When the service runs successfully the flag should be saved as "root-flag" in the /opt directory.

Let's run the unit file using /bin/systemctl

/bin/systemctl link $priv

/bin/systemctl enable --now $priv


And with that you can run whatever command with root privileges as a service. RPaaS 🤓. Happy hacking!
