TryHackMe: Vulnversity Write ups By Md Mirajul Haque Miraj || MirajulHaque || Security Path

Note: These write-ups are written only for educational purposes. All the credit goes to TryHackMe for making this room. Please try it yourself before reading this write-up. Thanks. Let’s get STARTED…

Task 1: Deploy the machine

Task 2: Reconnaissance

Let’s gather information about the target as instructed, using nmap…

⇒ We found 6 open ports, including SSH. Let’s jump to the questions…

🔒 Scan the box; how many ports are open?

🔑 6

🔒 What version of the squid proxy is running on the machine?

🔑 3.5.12

🔒 How many ports will Nmap scan if the flag -p-400 was used?

⇒ If we use -p-400 as below

⇒ Then nmap will scan only the first 400 ports; here is the result of running this command

🔑 400

🔒 What is the most likely operating system this machine is running?

🔑 Ubuntu

🔒 What port is the web server running on?

⇒ Apache is the server and the open service is HTTP.

🔑 3333

🔒 What is the flag for enabling verbose mode using Nmap?

🔑 -v

Task 3: Locating Directories using Gobuster

To find the directories, use the command below against the HTTP service we found on port 3333…

⇒ Yeah, we got something, let’s jump to the question…

🔒 What is the directory that has an upload form page?

⇒ We need to visit each directory to identify the upload form page, so let’s do it one by one…

⇒ Here we go, found this one.

🔑 /internal/

Task 4: Compromise the Webserver

⇒ We usually upload .php files to exploit, right?

🔒 What common file type you’d want to upload to exploit the server is blocked? Try a couple to find out.

🔑 .php

⇒ But after trying, we found that .php is not allowed here; let’s check other extensions using a tool named Burp Suite.

⇒ Before intercepting, I am going to make a wordlist following the instructions, using a tool named …

~$

⇒ A new window should open; press the ‘Insert’ key and start typing the extensions mentioned in the task content, like below…

⇒ Then press the ‘Esc’ key, type a colon (:) followed by wq (w for write and q for quit)

⇒ Now open Burp Suite and intercept the upload request.

⇒ Send it to Intruder and set the attack type to Sniper, then mark the file extension as the payload position; for our purpose it is ‘.jpg’ ↓↓

⇒ Select the ‘Payloads’ option, load the file we created named phpextensions.txt, then click the ‘Start attack’ button.

Note: Don’t forget to uncheck the ‘URL-encode these characters’ option before starting the attack.

⇒ Result ↓↓

⇒ We found that .phtml returned a response of a different length, so that one should work; this extension is allowed…

🔒 Run this attack, what extension is allowed?

🔑 .phtml

⇒ It’s time to download the reverse shell from the link given in the task content and change its extension from .php to .phtml (because only the .phtml extension is allowed).

⇒ Open another tab in the terminal, type the command and hit Enter

⇒ Open it with any text editor, like vim, and change the IP ‘127.0.0.1’ to ‘10.4.42.77’ (the address our listener will run on)

⇒ Upload it

⇒ Successfully uploaded

⇒ Now start a netcat listener with the command below

~$

⇒ Visit the link ↓↓

http://10.10.194.205:3333/internal/uploads/php-reverse-shell.phtml

⇒ Now check the terminal where you ran the netcat command

🔒 What is the name of the user who manages the webserver?

⇒ We got a shell; let’s find out the user

⇒ Run the command below to read the list of users

~$

Note: You may also check the home directory before reading /etc/passwd

🔑 bill

🔒 What is the user flag?

⇒ See the hints

⇒ Let’s go and check the /home/bill directory

🔑 8bd7992fbe8a6ad22a63361004cfcedb

Task 5: Privilege Escalation

🔒 On the system, search for all SUID files. Which file stands out?

⇒ See the hint, then run the command ↓↓

~$

⇒ Explanation

  • → The command for searching for files

  • → Specifies where the search should start. On its own it means from the root of the filesystem; if a specific directory is given, the results come from that directory

  • → Limits the search to files owned by the user 'root'.

  • → Specifies the search condition based on file permissions. Here, it looks for files with the SUID bit set (permission mode 4000).

  • → Executes a command on each file found by the search. The listing command shows files in a long format and escapes special characters for better visibility. The placeholder represents each found file, and the terminator marks the end of the command.

⇒ We found

⇒ Now go to https://gtfobins.github.io/# and check each binary to find out which one has a SUID entry.

  • su → sudo
  • mount → sudo
  • systemctl → SUID

⇒ So the answer should be:

🔑 /bin/systemctl

⇒ Now the important part: what is SUID, and why does it help us access higher-privileged files?

== SUID means Set User ID. When a file gains the SUID permission, any user can execute the file with the permissions of the file owner. For example, if a file owned by the root user has the SUID bit set, any user executing that file will temporarily gain the root user’s permissions.
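From the defender’s side, the same search becomes a misconfiguration check: list the root-owned SUID files and compare them against a baseline of binaries that are expected to carry the bit, so an odd entry like /bin/systemctl stands out automatically. This is an added example, not part of the original write-up; the baseline set and the sample file records are constructed for illustration.

```python
import os
import stat
from dataclasses import dataclass

# Constructed baseline: SUID binaries normally expected on a stock Ubuntu host.
# Build the real one from a clean image of your own distribution.
EXPECTED_SUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/bin/su",
    "/bin/mount", "/bin/umount", "/usr/bin/chsh", "/usr/bin/newgrp",
}

# Pseudo-filesystems that never hold real SUID binaries and are slow to walk.
PRUNE_DIRS = {"/proc", "/sys", "/dev", "/run"}


@dataclass
class SuidFile:
    path: str
    mode: int  # full st_mode as returned by lstat
    uid: int   # numeric owner uid (0 == root)


def collect_suid(root="/"):
    """Equivalent of `find / -perm -4000 -type f`: return regular files with the
    SUID bit set. lstat() is used so symlinks are reported as themselves."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PRUNE_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or removed while walking
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(SuidFile(path, st.st_mode, st.st_uid))
    return found


def unexpected_root_suid(files, baseline=EXPECTED_SUID):
    """Root-owned SUID files that are not in the baseline, sorted by path.
    Non-root owners are skipped: they grant no more than that user already has."""
    return sorted(f.path for f in files if f.uid == 0 and f.path not in baseline)


if __name__ == "__main__":
    for path in unexpected_root_suid(collect_suid("/")):
        print("unexpected root-owned SUID binary:", path)
```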

🔒 Become root and get the last flag (/root/root.txt)

⇒ Visit the systemctl file we found on gtfobins website

⇒ See the marked code carefully

⇒ Now we need to change it a bit to fit our question; after the change, the code should look like below ↓↓

⇒ Then go to the /bin/ directory and paste the above code

~$ cd /bin/

⇒ Then use these commands one by one

~$

~$

~$

🔑 a58ff8579f0a9270368d33a9966c7fd5

~Thanks For Reading~

~Have a GooD DaY~
