Vulnversity

https://tryhackme.com/room/vulnversity

Hey, what's up! Welcome to another writeup! Today we are going through this interesting room using crucial web hacking tools such as BurpSuite and dirbuster.

Reconnaissance

As always we do a port scan with nmap:

> nmap -sS -T5 -A -p- 10.10.120.176

We discover that a web server is running on port 3333:

Web page running on port 3333

Looking around the page I can't see anything interesting. Let's perform a directory scan using dirbuster.

Open the terminal and write the following to open the GUI of dirbuster:

> dirbuster &
GUI of dirbuster with suggested options

Once the scan is completed we find several directories. The most interesting one is /internal because of its upload function.

So we have to create a malicious file that will be executed server-side. Let's try to upload a php file:

As you can see we can't upload files with this extension. We should try other extensions, such as .php3. Let's create a list of extensions and automate the process with the sniper attack provided by BurpSuite.

Now we run BurpSuite and intercept the upload request and do the sniper attack (you can follow the tips from THM).

By looking at the responses we can see that .phtml is allowed. Now let's create our payload. You can download it here. Go to "raw" and copy the source code, then paste it into a new file called payload.phtml.
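The upload form fails because it refuses one extension and accepts everything else. As an added example written from the defender's side (not the room's code), here is that style of check beside an allowlist-plus-signature check; the upload handler, the extension lists and the sample files are all assumed or constructed:

```python
import os
import uuid

# Constructed sample uploads (name, leading bytes of content); not taken from the room.
SAMPLES = [
    ("payload.php",   b"<?php echo 1; ?>"),
    ("payload.php3",  b"<?php echo 1; ?>"),
    ("payload.phtml", b"<?php echo 1; ?>"),
    ("photo.jpg",     b"\xff\xd8\xff\xe0JFIF"),
    ("photo.png",     b"\xff\xd8\xff\xe0JFIF"),   # mislabelled: JPEG bytes, .png name
    ("README",        b"plain text"),             # no extension at all
]

# Assumed shape of the room's check: refuse one extension, accept everything else.
DENIED_EXTENSIONS = {".php"}

def denylist_allows(filename: str) -> bool:
    """Weak check: only the extensions in the fixed deny list are refused."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENIED_EXTENSIONS

# Hardened check: a short allowlist of image types, each tied to its file signature.
ALLOWED_SIGNATURES = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}

def allowlist_allows(filename: str, head: bytes) -> bool:
    """Accept only allowlisted extensions whose leading bytes match the expected signature."""
    ext = os.path.splitext(filename)[1].lower()
    signature = ALLOWED_SIGNATURES.get(ext)
    return signature is not None and head.startswith(signature)

def safe_store_name(filename: str) -> str:
    """Discard the client-supplied name and keep only the already validated extension.
    Store the file outside the document root so the web server never executes it."""
    ext = os.path.splitext(filename)[1].lower()
    return uuid.uuid4().hex + ext

def compare_checks() -> dict:
    """Map each sample name to (denylist verdict, allowlist verdict)."""
    return {name: (denylist_allows(name), allowlist_allows(name, head))
            for name, head in SAMPLES}

if __name__ == "__main__":
    for name, (weak, strong) in compare_checks().items():
        print(f"{name:14} denylist={weak!s:5} allowlist={strong}")
```

The deny list lets payload.php3 and payload.phtml through exactly as the room shows, while the allowlist rejects them and also the mislabelled image, so the second layer (storing under a random name outside the web root) only ever sees files that already passed the first.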

Remember to change the IP and port to your own machine's IP and port.

Let's open a netcat listener on the port we put before.

Upload payload.phtml and then open it on the webserver. On our listener we should get:

After connecting to <TARGET-IP>:3333/internal/uploads/payload.phtml

We can simply get the user flag.

Privilege Escalation

Now we should find a way to escalate our privileges. Let's run this command in order to get a list of SUID binaries (as we did with Kenobi).

By comparing this result with the one from our own computer, we find that /bin/systemctl might be interesting.

But what does systemctl do? Looking around on Google we discover it's a tool used to run and manage the OS services, and for sure we can elevate our privileges to root with it. Isn't it cool?

We'll create a malicious service to get a reverse shell to our machine as root; in order to move the malicious file to the target machine, we should find writable directories:

On the target machine

Now we create the malicious service (I got it from here) on our machine: using gedit we create a new file called root.service with the following content:

After that we have to move root.service to our /var/tmp on the target box. We achieve that by using wget after opening the http server on our machine. I will not cover this part, just google it :).

When we have root.service in /var/tmp we need to start it. Before that, make sure you have opened a listener on your machine, so we can catch the shell:

Enable and start the service

Now we go to our listener and we should see the shell. Well done!

We are logged in as root thanks to SUID

Our work is finished! We can easily get the root flag located in the root directory.

Resources

https://gist.github.com/A1vinSmith/78786df7899a840ec43c5ddecb6a4740
