TryHackMe — Vulnversity Writeup

Mathew Seelan
6 min read · Jun 23, 2021

TL;DR: This is a Linux box running a web server with a vulnerable file upload endpoint. After determining which extension the upload accepts, you can upload a reverse shell to gain an initial shell. To escalate, we can use systemctl, which has the SUID bit set: we create a malicious service and start it to gain a root shell.

Reconnaissance:

I did a full port scan with Nmap.

# Command: nmap -T4 -A -p- -Pn 10.10.53.59 -oA nmap_full
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
| 256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)
|_ 256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Vuln University
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h20m07s, deviation: 2h18m34s, median: 6s
|_nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: vulnuniversity
| NetBIOS computer name: VULNUNIVERSITY\x00
| Domain name: \x00
| FQDN: vulnuniversity
|_ System time: 2021-06-23T09:23:10-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-06-23T13:23:10
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 996.02 seconds

So we see a total of 6 ports open:

  1. 21 — FTP, vsftpd 3.0.3 (anonymous login is not enabled)
  2. 22 — SSH, OpenSSH 7.2p2
  3. 139 — netbios-ssn, Samba smbd 3.X - 4.X
  4. 445 — netbios-ssn, Samba smbd 4.3.11-Ubuntu
  5. 3128 — Squid proxy 3.5.12
  6. 3333 — Apache web server (httpd 2.4.18)

Enumeration:

Here the most interesting services are SMB and the web server.

SMB:

We can take a look at the shares on this service using smbmap.

(Screenshot: smbmap output)

There are no shares that we can access.

Webserver:

Visiting the website,

(Screenshot: the Vuln University website)

We find nothing peculiar in the website itself or its source code, so I started a dirsearch to find any interesting endpoints.

(Screenshot: dirsearch results)

The directory that immediately stands out is /internal.

Visiting this page,

(Screenshot: the /internal page)

This page has file upload functionality, but it rejected formats such as js, css, html, jpeg, bmp, png and php.

I checked the source code and found that this server is running PHP, but the upload form blocks any file with a .php extension. We need to find which extensions the upload actually accepts.

So we can fuzz this using Burp Intruder. For the wordlist, I chose the php-alt-extensions list from fuzzdb.

We capture the upload request and send it to Intruder.

(Screenshot: upload request)

Set the extension as a payload position,

(Screenshot: payload positions)

Add the php-alt-extensions wordlist as a simple list payload.

(Screenshot: payload values)

And finally, start the attack and wait for any peculiar values.

When the attack is complete, two extensions have a different response.

(Screenshot: Intruder results)

On closer examination, we see that only these two extensions do not have the “Extension not allowed” error in the response.

So we have found that a PHP backdoor with a .phtml file extension can be uploaded to gain a shell: the upload form checks the extension against a blocklist, and .phtml is not on it.

Exploitation (Initial Shell):

We are going to use the PHP reverse shell that ships with Kali at /usr/share/webshells/php/php-reverse-shell.php.

We edit the IP and Port values,

(Screenshot: editing the reverse shell)

and then copy the file to make a .phtml version.

(Screenshot: making a .phtml copy)

Now we can upload this.

After uploading, we start a listener on our machine to receive the shell.

(Screenshot: attacker’s machine, listener)

To trigger the shell, we can use the link 10.10.53.59:3333/internal/uploads/{Uploaded_file_name}.phtml.

And we get the initial shell.

(Screenshot: initial shell)

We can go ahead and grab user.txt from bill’s home directory.

(Screenshot: user flag)

Privilege Escalation:

After some shell stabilization, we can now start looking for ways to escalate.

I ran LinEnum.sh to find any possible vectors.

(Screenshot: LinEnum scan)

And I found that systemctl has the SUID bit set. This can be used to escalate to root.

You can find the payload here,

To exploit systemctl, we create a malicious service whose command sends us a shell. We start this service using the SUID-set systemctl; because services started this way run as root, we receive a root shell on the attacker’s machine.

So first I created the malicious service as such,

(Screenshot: malicious service)

When this service runs, we will get a shell on port 9999.

Next, we start a listener on port 9999 on our machine,

(Screenshot: attacker’s machine, listener on port 9999)

Now we can start the service on the box,

(Screenshot: starting the malicious service)

And we receive the root shell on our machine.

(Screenshot: root shell)

Now we can grab the root flag.

(Screenshot: root flag)

And that was Vulnversity, guys; thanks for reading my write-up. If you have any suggestions or if you think I missed something, please let me know in the comments. If you have any other suggestions or questions, feel free to message me.

If you want to reach me,

Twitter: @MathewSeelan


Mathew Seelan

I’m a cybersecurity enthusiast, a novice hacker who wants to learn. I’ve taken up writing on Medium to help fellow newbies understand the hacking mentality.