###### tags: `TryHackMe OffensiveSecurity GettingStarted`
# Vulnversity
:::success
In this room I learned about active reconnaissance, web application attacks and privilege escalation.
:::
## Reconnaissance using nmap
:::info
In this section of the room, I gather information about the target machine using a network scanning tool called **nmap**.
:::
nmap is a free, open-source and powerful tool used to discover hosts and services on a computer network. In this example, I'm using nmap to scan the target machine to identify the services running on its open ports. Nmap has many capabilities; below is a table summarising some of the functionality it provides:

I decided to run the command `nmap -sV` to determine the versions of the services running. Here is the result:

Through this result we observe that:
- 6 ports are open
- the Squid proxy is running on the machine, version **3.5.12**
- the most likely operating system this machine is running is **Ubuntu**
- the web server is running on port 3333
## Locating directories using GoBuster
:::info
In this section of the room, using a fast directory discovery tool called **GoBuster**, I will locate a directory that I can use to upload a shell to.
:::
GoBuster is a tool used to brute-force URIs (directories and files), DNS subdomains and virtual host names. For this machine, I will focus on using it to brute-force directories. GoBuster has many capabilities; below is a table summarising some of the functionality it provides:

I first start off by scanning the website to find any hidden directories. To do this I have to give GoBuster a wordlist so that the tool can brute-force directories. We can find many wordlists under ***/usr/share/wordlists***.
We will use the command `gobuster dir -u http://<ip>:<port> -w <word list location>`.
Here is the result of the command :

Through this result, I browsed the website by entering these directories directly in the URL and discovered that there was a way to upload files in the `/internal` directory.

## Compromising the webserver using BurpSuite and reverse-shell
:::info
In this section of the room, now that I have found a form to upload files, I can leverage this to upload and execute a payload that will lead to compromising the web server.
:::
I started by trying to upload a simple PHP file, but it was not allowed.

To identify which extensions are not blocked, I chose to fuzz the upload form. To do this, I use **BurpSuite**. BurpSuite, a framework of web application pentesting tools, is widely regarded as the de facto tool to use when performing web app testing. I'm going to use the *`Intruder`* section of BurpSuite (used for automating customised attacks).
To begin, I make a wordlist containing the following extensions:
> - .php
> - .php3
> - .php4
> - .php5
> - .phtml
Now I have to make sure BurpSuite is configured to intercept all the browser traffic. I upload a file and, once this request is captured, I send it to the Intruder. In Intruder, I find the filename, select the `Sniper` attack type and add the extension as shown in the figure:

After that, I click on `Payloads`, add the different extensions to test with and start the attack:

:::success
After running the attack, i discovered that the `.phtml` extension was allowed.
:::
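The finding above is a classic denylist gap: the form blocks `.php` variants but not `.phtml`, which the server still executes. The following added example (not code from the room or this write-up; the filter shapes are assumed, since the real server-side code is not shown) contrasts such a denylist with an allowlist check that rejects the fuzzed extensions, case variants and double extensions:

```python
"""Upload extension checks illustrating the .phtml bypass found above.
Added example, not from the room; the filter shapes are assumed."""
import os

# Extensions fuzzed in the write-up.
FUZZED = [".php", ".php3", ".php4", ".php5", ".phtml"]

# Weak filter: a denylist that forgets .phtml. Assumed to resemble the
# room's upload form; the real server-side code is not shown on the page.
WEAK_DENYLIST = {".php", ".php3", ".php4", ".php5"}

# Hardened filter: allowlist only the types the upload form actually needs.
IMAGE_ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif"}

def weak_check(filename: str) -> bool:
    """Accept anything whose extension is not on the denylist."""
    _, ext = os.path.splitext(filename)
    return ext.lower() not in WEAK_DENYLIST

def hardened_check(filename: str) -> bool:
    """Accept only a single, allowlisted extension.
    Rejects double extensions such as shell.phtml.png, dotfiles and
    any extension outside the allowlist, case-insensitively."""
    parts = os.path.basename(filename).split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return "." + parts[1].lower() in IMAGE_ALLOWLIST

def accepted_by(check, names: list) -> list:
    """Return the candidate filenames a check lets through."""
    return [n for n in names if check(n)]

if __name__ == "__main__":
    shells = ["shell" + ext for ext in FUZZED]
    print("weak filter lets through:", accepted_by(weak_check, shells))
    print("hardened filter lets through:",
          accepted_by(hardened_check, shells + ["photo.png"]))
```

An extension check alone is not sufficient: the upload directory should also be served without script execution, so that even a misnamed file cannot run.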

Now that I know which extension I can use for my payload, I can progress.
I am going to use a ***PHP reverse shell*** as my payload. A reverse shell works by being called on the remote host and forcing this host to make a connection back to me. So I'll listen for incoming connections, upload my shell and have it executed, which will beacon out to me so I can control it!
### To gain remote access to this machine, I follow these steps :
1. I download the following reverse PHP shell [here](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php) and I edit the IP to be mine:

2. I rename the file to `.phtml` to allow me to upload it to the web app:

3. I listen for incoming connections using netcat by running the following command:
`nc -lvnp 1234`.
Note that *`1234`* is the port configured in the php-reverse-shell file.

4. I upload the shell and navigate to `http://<ip>:3333/internal/uploads`

5. I click on the file to execute the payload. In my terminal, I see this output, which is a connection in my netcat session:
:::success
I finally managed to access this machine remotely!!!
:::
## Privilege Escalation
Now that I have compromised this machine, I am going to escalate my privileges and become the superuser (root).
### Make the terminal easier to use
I have managed to access the machine remotely, but the terminal is difficult to use. The following steps show how to make the terminal easier to use:
1. type this command `python -c "import pty;pty.spawn('/bin/bash')"`
2. press `Ctrl+Z`
3. type `stty raw -echo`
4. type `fg`
5. type `export TERM=xterm`

:::info
After doing this, the terminal will be easier to use and will behave like the one on your own PC.
:::
Now I will try to escalate my privileges and become the superuser (root).
:::info
In Linux, SUID (set owner user ID upon execution) is a special type of file permission given to a file. SUID gives temporary permissions to a user to run the program/file with the permissions of the file owner (rather than the user who runs it).
For example, the binary used to change your password has the SUID bit set `(/usr/bin/passwd)`. This is because, to change your password, it needs to write to the shadow file, which you do not have access to but root does, so it runs with root privileges to make the required changes.

:::
I start by searching for all **SUID files** on the system by running this command :
`find / -perm -4000 2>/dev/null`

After comparing the results with the output of the same command on my own machine, I noticed it was strange that *`/bin/systemctl`* appeared among the SUID files. I don't think it is normal for it to be there, so I'm going to try to exploit it and see if I can escalate my privileges.
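The comparison against a clean machine is exactly what a defender's SUID audit does: keep a baseline from a trusted image and flag anything extra. The following added example (not code from the room or this write-up; both listings are constructed sample output of `find / -perm -4000`, not the real results) implements that diff and also includes a walker that produces the same listing from a live filesystem:

```python
"""Compare a target's SUID binaries against a known-good baseline.
Added example, not from the room; the listings are constructed."""
import os
import stat

# Constructed baseline: what a clean host of the same release might list.
BASELINE = """\
/bin/mount
/bin/su
/usr/bin/passwd
/usr/bin/sudo
"""

# Constructed target listing: identical except for one extra entry.
TARGET = """\
/bin/mount
/bin/su
/bin/systemctl
/usr/bin/passwd
/usr/bin/sudo
"""

def parse_listing(text: str) -> set:
    """Turn the output of `find / -perm -4000` into a set of paths."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def unexpected_suid(target: str, baseline: str) -> list:
    """Return SUID paths present on the target but absent from the baseline."""
    return sorted(parse_listing(target) - parse_listing(baseline))

def live_suid_files(root: str = "/") -> list:
    """Walk a real filesystem and list regular files with the SUID bit set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # unreadable entries, like 2>/dev/null in the write-up
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)

if __name__ == "__main__":
    # Audit this host; against the constructed baseline most entries will be
    # "unexpected", so record a real baseline from a trusted image first.
    for path in unexpected_suid("\n".join(live_suid_files()), BASELINE):
        print("unexpected SUID binary:", path)
```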
### Escalate my privileges
To do this, I follow these steps:
1. I first visit the **[GTFOBins](https://gtfobins.github.io/)** site. GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
2. I search for `systemctl` and click on it

The systemctl entry on GTFOBins states that:
:::danger
If the binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privileged access as a SUID backdoor
:::
As I thought, this configuration error can be exploited to escalate my privileges.
3. I copy the example code available on the site to escalate my privileges:
```
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
```
Before running the code I display my id:

4. I run the code in the terminal

5. Now I run the command `bash -p` to become root


:::success
I NOW HAVE THE PRIVILEGES OF THE SUPERUSER OF THE MACHINE.
END !!!
:::