thm-vulnversity-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play TryHackMe’s Vulnversity at https://tryhackme.com/room/vulnversity

Vulnversity

Enumeration

In the room there is a lot of useful information about nmap, so I’m going to run my scan and skip the explaining part.

A lot of open ports.

  • 21 | FTP (vsftpd 3.0.3)
  • 22 | SSH (OpenSSH 7.2p2 ~ Ubuntu version)
  • 139 | Samba (smbd 3.x – 4.x)
  • 445 | Samba (smbd 4.3.11)
  • 3128 | HTTP Proxy (Squid proxy 3.5.12)
  • 3333 | HTTP webserver (Apache 2.4.18)

The first two services need credentials, and the vsftpd version is not the one with the backdoor (too bad, LoL). So let’s start with some low hanging fruit.

Webserver

The room gives information about the use of GoBuster. This is an excellent tool to enumerate a webserver, but personally I prefer DirSearch.

When scanning, don’t forget to specify the port number, because most tools will otherwise scan the default port.

Several folders are found, /internal/ is the one we’re after.

The page shows an upload folder, which I tested with a jpg file from the internet. No go. I did the same with other popular file types like gif, png and of course php. All were rejected. There is a compilation of very useful wordlists called SecLists. Nowadays it’s part of the default lists of Kali, but if your Kali or a different OS doesn’t have it, it can be found here. To fuzz the webpage I’m going to use BurpSuite. It has a nice feature called Intruder which can do the job for me in an automated fashion.

First I upload a file (it doesn’t really matter which file) and capture the request with the BurpSuite proxy. After you have captured it, send it to Intruder and clear all positions. Then mark only the extension, and don’t forget to include the dot (.), or else you will have two dots in the input.

Load the wordlist and don’t forget to disable the encode option. If you forget this, you will not get the proper result, as your filename will be “file%2ephp”, which won’t work. After this you can start the attack.

Every entry results in an HTTP 200 code, which makes sense as you get a valid response from the server, just not the one you are looking for. So how can you tell which one is different? By the length of the response. It will differ from the others, as it won’t contain the error message.

Now we know which extension will pass. Time to upload a file which contains a payload for a reverse shell. A good one to use is the one from pentestmonkey. The only things to change after you download it are the IP address and the port it needs to connect to.

You can find your current IP address by typing the command ip a.

Escalation of Privilege

After we upload the file, we start a listener.

Find the uploaded file.

And click on the file.

And we’re in. Our next move is to see if we have access to the user’s home folder.

Yes we have.

The file user.txt is world readable, so that one is done. Now for the escalation of privilege. In a lot of CTF-based challenges, files with the SUID bit set are a good find.

I explained this command in an earlier writeup, but in short I searched for all files with the SUID bit set (perm 4000) and checked who the owner is. Because of the SUID bit, I can execute the program with the rights of the owner. The file that stands out is one that was created recently (also a good indication).

/bin/systemctl
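As an added defender-side check (my own example, not part of the original writeup), the following POSIX sh function audits a tree for SUID executables, reports those missing from a baseline allowlist, and marks recently modified ones, since a freshly SUID’d /bin/systemctl is exactly the kind of outlier the writeup keys on. The baseline list is an assumption for a stock Ubuntu 16.04 host, and suid_audit and SUID_BASELINE are names I chose.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit a filesystem tree for
# SUID files outside a known-good baseline and flag recently modified ones.

# Baseline of SUID binaries expected on a stock Ubuntu 16.04 host.
# ASSUMPTION: illustrative only, generate yours from a known-good image.
# /bin/systemctl is deliberately absent: it is never SUID on a healthy host.
SUID_BASELINE="/bin/su /bin/mount /bin/umount /bin/ping /usr/bin/sudo /usr/bin/passwd"

# Usage: suid_audit <root-dir> [days]
# Prints one line per SUID file that is missing from the baseline:
#   <path-relative-to-root> <owner> RECENT|old
# RECENT means the mtime is within the last <days> days (default 7).
suid_audit() {
    root="$1"
    days="${2:-7}"
    find "$root" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        # Normalise the path so the audit works on / and on a mounted image alike
        rel="${f#"$root"}"
        rel="/${rel#/}"
        case " $SUID_BASELINE " in
            *" $rel "*) continue ;;   # known-good SUID binary, skip it
        esac
        owner=$(ls -ld "$f" | awk '{print $3}')
        if [ -n "$(find "$f" -mtime -"$days" -print)" ]; then
            age=RECENT
        else
            age=old
        fi
        printf '%s %s %s\n' "$rel" "$owner" "$age"
    done
}
```

Run it as suid_audit / to audit the live host, or point it at a mounted disk image; anything it prints that you cannot explain deserves a closer look.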

Systemctl is the controlling interface and inspection tool for the widely adopted init system and service manager systemd. Systemd in turn is an init system and system manager that is becoming the new standard on Linux machines. So what can we do with systemctl?

Systemd initializes user space components that run after the Linux kernel has booted, and keeps maintaining those components throughout the system’s lifecycle. These tasks are known as units, and each unit has a corresponding unit file. We can create our own unit file and let systemd start it. Normally systemctl looks for unit files in the default folder, which is /etc/systemd/system. But we don’t have permission to write to that folder. So how can we create a unit file and let systemctl start it? We use an environment variable.

First we create a variable which holds a unique file.

Then we create a unit file and write it to the file the variable points to.

Inside the unit file we entered a command which has the shell execute the command cat and redirect its output to a file called output in the tmp folder. Finally we use the /bin/systemctl program to enable the unit file.

Let’s see if it worked…

There is a file called output.

And there you have it: the output of root.txt.
