TryHackMe: Vulnversity Write-up By Md Mirajul Haque Miraj || MirajulHaque || Security Path
Note: These write-ups are written only for educational purposes. All credit goes to TryHackMe for making this room. Please try it yourself before reading this write-up. Thanks. Let’s get STARTED…
Task 1: Deploy the machine
⇒
Task 2: Reconnaissance
Let’s gather information about the target following the instructions, using nmap…
⇒ We found 6 open ports, including SSH. Let’s jump to the questions…
🔒 Scan the box; how many ports are open?
🔑 6
🔒 What version of the squid proxy is running on the machine?
🔑 3.5.12
🔒 How many ports will Nmap scan if the flag -p-400 was used?
⇒ If we use -p-400 as shown below
⇒ Then nmap will scan only the first 400 ports; here is the result of using this command
🔑 400
🔒 What is the most likely operating system this machine is running?
🔑 Ubuntu
🔒 What port is the web server running on?
⇒ Apache is the web server and the open service is HTTP.
🔑 3333
🔒 What is the flag for enabling verbose mode using Nmap?
🔑 -v
Task 3: Locating Directories using Gobuster
To find directories, use the command below; we found HTTP on port 3333…
⇒ Yeah, we got something; let’s jump to the question…
🔒 What is the directory that has an upload form page?
⇒ We need to visit every directory to identify the upload form page; let’s do it one by one…
⇒ Here we go, found this one.
🔑 /internal/
Task 4: Compromise the Webserver
⇒ We usually upload .php files to exploit, right?
🔒 What common file type you’d want to upload to exploit the server is blocked? Try a couple to find out.
🔑 .php
⇒ But after trying, we found this is not allowed here; let’s check for more using the tool BurpSuite.
⇒ Before intercepting, I am going to make a wordlist following the instructions, using a tool named …
~$
⇒ A new window should open; then press the ‘Insert’ key and start typing the extensions mentioned in the task content, like below…
⇒ Then press the ‘Esc’ key, then type a colon (:) and wq (w for write and q for quit)
⇒ Now open BurpSuite and intercept the upload request,
⇒ Send it to Intruder, set the attack type to Sniper, then add a payload position on the extension; for our purpose it is ‘.jpg’ ↓↓
⇒ Select the ‘Payloads’ option, load the file we created named phpextensions.txt, then click the ‘Start attack’ button
Note: Don’t forget to uncheck the ‘URL-encode these characters’ option before starting the attack.
⇒ Result ↓↓
⇒ We found .phtml with a different response length, so that extension should be allowed…
🔒 Run this attack, what extension is allowed?
🔑 .phtml
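The upload form rejects .php but lets .phtml through because it only blocks a few names instead of allowing a few. The following is an added example (not part of the write-up or the room) that puts a blocklist check next to an allowlist-plus-signature check; the extension sets and image signatures are constructed for illustration.

```python
# Added example: a blocklist that rejects only ".php" versus an allowlist
# that also verifies the file body. Constructed values, not from the room.
import os
import re

# Weak approach: a handful of blocked extensions; everything else passes.
BLOCKED_EXTENSIONS = {".php"}

# Hardened approach: only image extensions are accepted, and the body must
# start with the signature ("magic bytes") the extension claims.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
MAGIC_BYTES = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def extension_of(filename: str) -> str:
    """Lowercased final extension, e.g. 'shell.PhTML' -> '.phtml'."""
    return os.path.splitext(os.path.basename(filename))[1].lower()


def blocklist_accepts(filename: str) -> bool:
    """Vulnerable check: anything not explicitly blocked gets through,
    so .phtml, .php5 or .phar are all accepted."""
    return extension_of(filename) not in BLOCKED_EXTENSIONS


def allowlist_accepts(filename: str, content: bytes) -> bool:
    """Hardened check: plain filename (no path parts, no double extension),
    allowlisted extension, and content matching that extension's signature."""
    base = os.path.basename(filename)
    if base != filename or not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+", base):
        return False
    ext = extension_of(base)
    if ext not in ALLOWED_EXTENSIONS:
        return False
    return content.startswith(MAGIC_BYTES[ext])


def classify(filename: str, content: bytes) -> dict:
    """Run both checks on one upload to show where they disagree."""
    return {
        "name": filename,
        "blocklist": blocklist_accepts(filename),
        "allowlist": allowlist_accepts(filename, content),
    }
```

The allowlist still does not make executing uploaded files safe by itself; the upload directory should also be served without script execution.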
⇒ It’s time to download the reverse shell following the link given in the task content and change the extension from .php to .phtml (because only the .phtml extension is allowed).
⇒ Open another tab in the terminal, type the command and hit enter
⇒ Open it with any editor, like vim, and change the IP ‘127.0.0.1’ to ‘10.4.42.77’
⇒ Upload it
⇒ Successfully uploaded
⇒ Now open a netcat listener with the command below
~$
⇒ visit the link ↓↓
http://10.10.194.205:3333/internal/uploads/php-reverse-shell.phtml
⇒ Now check the terminal where you ran the listener command
🔒 What is the name of the user who manages the webserver?
⇒ We got a terminal, let’s find out the user
⇒ Run the command below to read the user list
~$
Note: You may check also the home directory before reading /etc/passwd
🔑 bill
🔒 What is the user flag?
⇒ See the hints
⇒ Let’s go and check the /home/bill directory
🔑 8bd7992fbe8a6ad22a63361004cfcedb
Task 5: Privilege Escalation
🔒 On the system, search for all SUID files. Which file stands out?
⇒ See the hint ⇒ run the command ↓↓
~$
⇒ Explanation
→ The command used for searching.
→ Specifies where the search should start, i.e. from the root or from home; if a specific directory is given, the results are shown only from that directory.
→ Restricts the search to files owned by the user 'root'.
→ Specifies the search condition based on file permissions; here it looks for files with the SUID bit set (permission mode 4000).
→ Executes a command on each file found: it lists the files in long format and escapes special characters for readability. The placeholder represents each found file, and the terminator marks the end of the command.
⇒ We found
⇒ Now go to https://gtfobins.github.io/ and check each one to find out which file has SUID functionality.
→ su = sudo → mount = sudo → systemctl = SUID
⇒ So the answer should be
🔑 /bin/systemctl
⇒ Now the important part: what is SUID, and why is it useful for accessing higher-privileged files?
== SUID means Set User ID. When a file has the SUID permission set, any user can execute the file with the permissions of the file’s owner. For example, if a file owned by the root user has the SUID bit set, any user executing that file temporarily gains the root user’s permissions.
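The SUID search above and the explanation of why SUID root binaries matter are the defender’s audit, too: a binary like /bin/systemctl should never carry that bit. The following is an added example (not part of the write-up) that applies the same ‘-user root -perm -4000’ condition in Python and flags SUID-root files missing from a baseline; the baseline set is a constructed illustration, not a complete list for any distribution.

```python
# Added example: enumerate SUID-root regular files and report the ones that
# are not expected. Baseline is constructed for illustration only.
import os
import stat
from dataclasses import dataclass

# Constructed baseline of binaries that are normally SUID root on an
# Ubuntu-like host; anything SUID root outside it deserves a look.
EXPECTED_SUID_ROOT = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh",
}


@dataclass(frozen=True)
class FileEntry:
    path: str
    uid: int
    mode: int  # full st_mode, file type plus permission/SUID bits


def is_suid_root(entry: FileEntry) -> bool:
    """Same condition as 'find / -user root -perm -4000' on a regular file."""
    return (stat.S_ISREG(entry.mode)
            and entry.uid == 0
            and bool(entry.mode & stat.S_ISUID))


def unexpected_suid(entries, baseline=EXPECTED_SUID_ROOT):
    """Sorted paths that are SUID root but absent from the baseline."""
    return sorted(e.path for e in entries
                  if is_suid_root(e) and e.path not in baseline)


def scan_filesystem(root="/"):
    """Walk the real filesystem with lstat (symlinks are not followed) and
    yield FileEntry objects for unexpected_suid()."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # unreadable or vanished file; skip it
                continue
            yield FileEntry(path, st.st_uid, st.st_mode)


if __name__ == "__main__":
    for path in unexpected_suid(scan_filesystem()):
        print("unexpected SUID root binary:", path)
```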
🔒 Become root and get the last flag (/root/root.txt)
⇒ Visit the systemctl entry we found on the GTFOBins website
⇒ See the marked code carefully
⇒ Now we need to change it a bit to fit our question; after the change, the code should look like below ↓↓
⇒ Then go to the /bin/ directory and paste the above code
~$ cd /bin/
⇒ Then use these commands one by one
~$
~$
~$
🔑 a58ff8579f0a9270368d33a9966c7fd5