TryHackMe – Vulnversity

1. Task 1 can be completed by download the VPN file provided by tryhackme and running openvpn upon it with the given command: sudo openvpn <filename>

Task 2 – Begins

2. The next step is to scan the network. I performed an aggressive scan using nmap and since it would be too slow I sped it up using timing as 4.

3. This provided us with the number of ports open as 6 which will be used in our task 2. It also gave us the version of squid proxy running which is 3.5.12. 

4. The next questions answer is 400. Let me explain why. -p is used to provide port/s to scan. This can be provided as a number, some comma separated numbers or a range. -p-400 is same as -p 1-400. This shows that ports 1 through 400 would be scanned.

5. The next answer is DNS. This can be seen in the man page of nmap. Open it using the command man nmap. The press forward slash (/) for searching. Then type -n and press enter. Remember this trick to search for something in man pages.

6. This maching is running ubuntu. This can be seen in its nmap scan.

7. Web server is running on port 3333. This is also shown in the nmap scan. The name of the web server is Apache httpd 2.4.18.

Task 3 – Begins

8. The next challege is to locate hidden directories and files on the server. This can be done using GUI tools such as dirbuster or CLI tools such as gobuster, ffuf, etc.

9. For this I first tried ffuf and then also tried gobuster since thats what the challenge wants us to use. So lets do that. The command used here is: gobuster dir -u http://10.10.40.215:3333 –wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

10. Checking them one by one I found an upload form on /internal. Thats the answer to our task 3. The upload form can be seen on the url: 10.10.40.215:3333/internal

Task 4 – Begins

11. The next step is to check which file extension/s is allowed to be uploaded to the form. For this we’ll use BurpSuite.

12. So we’ll capture the request and send it to intruder. Here we’ll set our position as shown below.

13. I’ve also created a file with lots of extensions to check against this position. This will be uploaded into the payload section.

14. Then we’ll run our attack and check for any varying results under the length section.

15. So we have received a length of 723 against phtml which is the only different one here. You can also check there responses if you want to.

16. Now we know that phtml is the only extension which is allowed to be uploaded. This information answers some of our questions of task 4.

17. Now we’ll upload a php reverse shell and connect to it.

18. For this we’ll edit the php-reverse-shell.php file located in /usr/share/webshells in kali. This can also be downloaded from pentestmonkey. The required editing pertains to changing the default IP address given in the file with your own ip addresess. This location can be easily discovered by searching for the string “change this”. You can get your ip address by using the following command: ifconfig.

19. After this change its extension to .phtml as its the only allowed extension to be uploaded.

20. Finally upload this file on the page.

21. In order to get back our connection we need to setup a listener on our system. This can be done using netcat with the following command: nc -lvnp 1234

22. After this, use your browser or curl and visit the location http://<target_ip>:3333/internal/uploads/<filename.phtml>

23. If everything is done correctly then this will redirect us to a shell which can be seen in the terminal

24. After this cd to the home directory and here you’ll see the name of the user who manages the server. Another answer in task 4.

25. And inside that directory is the last answer of task 4: 8bd7992fbe8a6ad22a63361004cfcedb.

Task 5 – Begins

26. Now we are required to search for all files which have SUID bit set. This can be done with the following command: find -perm -u=s 2>/dev/null

27. After this we are required to look for a suspicious file. One way of finding this is to run the above command in your own system and then compare both results. The answer is /bin/systemctl

28. Now what SUID bit means is that the file would requires admin privileges for a part of its functioning. Not the whole file but a small part of it requires admin privileges. Searching on google I came across this article which helped me in escalating my privileges.

29. The article explains that we will be creating a service file and then ask systemctl to run it for us. In this file we’ll ask for admin privileges and since the systemctl file has SUID bit set it will be allowed to do so.

30. Now I created a new directory using the following command: mktemp -d

31. Then I created a new file (lets say file.service) and pasted the code in it. This code provides us with a reverse shell. So we have to start our listener service in order to receive it. The command for it is: nc -lvnp 9999

32. Then I followed the next two lines of the article and got the reverse shell.

33. The last step is to cd to the root directory and cat the only file there.

Congratulations, you’ve completed the challenge and thanks a lot for reading my article. Let me know if you need any clarification on any of the step.