TryHackMe — Vulnversity Writeup
TL;DR: This is a Linux box with a web server that has a vulnerable file upload endpoint. After determining the correct extension to use, you can upload a reverse shell to gain an initial shell. To escalate, we can use systemctl, which has the SUID bit set. We can create a malicious service and run it to gain a root shell.
Reconnaissance:
I did a full port scan with Nmap.
# Command: nmap -T4 -A -p- -Pn 10.10.53.59 -oA nmap_full
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
| 256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)
|_ 256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Vuln University
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h20m07s, deviation: 2h18m34s, median: 6s
|_nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: vulnuniversity
| NetBIOS computer name: VULNUNIVERSITY\x00
| Domain name: \x00
| FQDN: vulnuniversity
|_ System time: 2021-06-23T09:23:10-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-06-23T13:23:10
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 996.02 seconds
So we see a total of 6 ports open:
- FTP — vsftpd 3.0.3 (Anonymous login is not enabled)
- SSH — OpenSSH 7.2p2
- 139 — netbios-ssn Samba smbd 3.X — 4.X
- 445 — NetBIOS-ssn Samba smbd 4.3.11-Ubuntu
- 3128 — Squid Proxy 3.5.12
- 3333 — Apache Webserver (httpd 2.4.18)
Enumeration:
Here the most interesting services are the SMB and the Webserver.
SMB:
We can take a look at the shares on this service using smbmap.
There are no shares that we can access.
Webserver:
Visiting the website, we find nothing peculiar in the site itself or its source code, so I started a dirsearch scan to find any interesting endpoints.
The directory that immediately stands out is /internal.
Visiting this page, we find a file upload function, but it rejects formats like js, css, html, jpeg, bmp, png and php.
I checked the source code and found that this server is running PHP, but the upload blocks any .php file. We need to find which extension the upload actually accepts.
So we can fuzz this using Burp Intruder. For the wordlist, I chose the following one from fuzzdb.
So we capture this request and send it to the intruder.
Set the extension as a payload position,
Add the php-alt-extensions to the simple list
And finally, start the attack and wait for any peculiar values.
When the scan is completed, two extensions have a different response.
On closer examination, we see that only these two extensions do not have the “Extension not allowed” error in the response.
So we have found that a php backdoor with a .phtml file extension can be uploaded to gain a shell.
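The upload filter fails here because it is a denylist: it names a few bad extensions and accepts everything else, while Apache's PHP handler on Ubuntu treats .phtml as PHP just like .php. The following is an added example written for this write-up (not code from the box or from TryHackMe) that models the denylist the page describes next to an allowlist-based check a defender would use instead. The extension sets, the filename pattern and the storage-name scheme are my own assumptions, not values taken from the target.

```python
import re

# Denylist modelled on the behaviour the page observed: a handful of known
# extensions are rejected and anything else is accepted (constructed set).
DENIED_EXTENSIONS = {"php", "js", "css", "html", "jpeg", "bmp", "png"}

# Allowlist for the hardened version: only the document types the feature
# actually needs (assumed set for this example).
ALLOWED_EXTENSIONS = {"pdf", "docx", "txt"}

# One dot only, so "shell.phtml.pdf" style double extensions never match,
# and a bounded character class so path or control characters are rejected.
SAFE_NAME = re.compile(r"^[a-z0-9_-]{1,64}\.([a-z0-9]{1,5})$")


def denylist_check(filename: str) -> bool:
    """Vulnerable check: True means the upload would be accepted.

    Anything not explicitly denied passes, which is why an extension the
    web server still hands to the PHP interpreter (.phtml) slips through.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in DENIED_EXTENSIONS


def allowlist_check(filename: str) -> bool:
    """Hardened check: True only for a well-formed name with an allowed type."""
    match = SAFE_NAME.match(filename.lower())
    if match is None:
        return False
    return match.group(1) in ALLOWED_EXTENSIONS


def stored_name(filename: str, token: str) -> str:
    """Server-chosen name for disk storage (assumed scheme).

    The client-supplied base name is discarded; only the validated extension
    survives, attached to a server-generated token. The directory itself
    should sit outside the web root with script execution disabled.
    """
    if not allowlist_check(filename):
        raise ValueError("upload rejected")
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"{token}.{ext}"


def compare(filenames):
    """Return {name: (denylist_result, allowlist_result)} for a batch of names."""
    return {name: (denylist_check(name), allowlist_check(name)) for name in filenames}


if __name__ == "__main__":
    # Constructed sample file names, including the .phtml case from the page.
    for name, (weak, strong) in compare(
        ["resume.pdf", "shell.php", "shell.phtml", "shell.phtml.pdf", "SHELL.PHTML"]
    ).items():
        print(f"{name:18} denylist={'accept' if weak else 'reject':6} allowlist={'accept' if strong else 'reject'}")
```

Beyond the extension check, the same fix on the Apache side is to serve the upload directory with PHP disabled (no handler mapped for it) so that even a misclassified file is returned as static content rather than executed.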
Exploitation (Initial Shell):
So we are going to use the PHP reverse shell that ships with Kali at /usr/share/webshells/php/php-reverse-shell.php.
We edit the IP and port values,
and copy the shell to a .phtml version.
Now we can upload this.
After uploading, we open a port on our machine to receive the shell.
To trigger the shell, we can use the link 10.10.53.59:3333/internal/uploads/{Uploaded_file_name}.phtml.
And we get the initial shell.
We can go ahead and grab user.txt from bill’s home directory.
Privilege Escalation:
After some shell stabilization, we can now start looking for ways to escalate.
I ran LinEnum.sh to find any possible vectors.
And I found that systemctl has SUID enabled. This can be used to escalate to root.
You can find the payload here,
So to exploit systemctl, we have to create a malicious service that throws us a shell. We will run this service using the SUID-set systemctl, and since it runs as root, we will receive a root shell on the attacker’s machine.
So first I created the malicious service as such,
When this service runs, we will get a shell on port 9999.
Next, we open port 9999 on our machine,
Now we can start the service on the box,
And we receive the root shell on our machine.
Now we can grab the root flag
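The root cause on this box is an SUID bit on a binary that never needs one. The following is an added example for this write-up (not LinEnum and not code from the box) that does the check an administrator would run to catch this before an attacker does: it walks the usual binary directories, collects SUID files, and reports any that are not in an expected baseline. The baseline set, the sample entries and the search roots are my own assumptions for Ubuntu-style hosts.

```python
import os
import stat

# Assumed baseline (not from the page): SUID binaries that are normally
# expected on an Ubuntu 16.04 host. Anything outside this set deserves review.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/bin/fusermount", "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

DEFAULT_ROOTS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/usr/local")


def is_suid(mode: int) -> bool:
    """True if the set-user-ID bit is present in an st_mode value."""
    return bool(mode & stat.S_ISUID)


def walk_suid(roots=DEFAULT_ROOTS):
    """Yield (path, st_mode) for regular files under the given roots.

    lstat is used so symlinks are not followed; the mode of the link
    target is irrelevant, only real files can carry an effective SUID bit.
    """
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode):
                    yield path, st.st_mode


def audit(entries, baseline=frozenset(EXPECTED_SUID)):
    """Return the sorted SUID paths in entries that are not in the baseline.

    entries is any iterable of (path, st_mode) pairs, so the function can be
    fed by walk_suid() on a live host or by a captured inventory.
    """
    return sorted(path for path, mode in entries if is_suid(mode) and path not in baseline)


def remediation(path: str) -> str:
    """Command that removes the set-user-ID bit from the flagged binary."""
    return f"chmod u-s {path}"


# Constructed inventory that mirrors the finding on this box: systemctl with
# mode 4755 alongside a few normal entries.
SAMPLE_INVENTORY = [
    ("/usr/bin/passwd", 0o104755),
    ("/usr/bin/sudo", 0o104755),
    ("/bin/ls", 0o100755),
    ("/bin/systemctl", 0o104755),
]


if __name__ == "__main__":
    # Use the live filesystem when run as a script; fall back to the sample
    # inventory if nothing was found (e.g. on a non-Linux host).
    found = list(walk_suid()) or SAMPLE_INVENTORY
    for path in audit(found):
        print(f"unexpected SUID binary: {path}  ->  {remediation(path)}")
```

Run it from cron or a config-management check and alert on any non-empty result; an unexpected entry such as /bin/systemctl is exactly what this box was built around, and removing the bit with the printed chmod command closes the escalation path without affecting normal (non-SUID) use of the tool.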
And that was Vulnversity guys, thanks for reading my write-up. If you have any suggestions or if you think I missed something, please do let me know in the comments. If you have any other suggestions or questions, feel free to message me.
If you want to reach me,
Twitter: @MathewSeelan