The gMan nixWiki

Because the mind is made of Teflon...

prac_app_tryhackme


TRY HACK ME

  • TryHackMe: Cyber security training through short, gamified, real-world labs. Content for complete beginners and seasoned hackers.


Vulnversity

Write-Ups: n0w4n

Port/Version Scan

Mine:

nmap -vv -p- -sV -A [IP]

n0w4n's:

nmap -n -T4 -sS -sV -sC -oN nmap/portscan -p- 10.10.207.138

GoBuster (dirs)

Brute-force directories & files, DNS subdomains, and virtual host names.

    apt-get install gobuster
    wordlists under /usr/share/wordlists
    Syntax: gobuster dir -u http://<ip>:3333 -w <word list location>
    -e                Print the full URLs in your console
    -u                The target URL
    -w                Path to your wordlist
    -U and -P         Username and Password for Basic Auth
    -p <x>            Proxy to use for requests
    -c <http cookies> Specify a cookie for simulating your auth

n0w4n: Used DirSearch

dirsearch -u http://10.10.207.138:3333 -e php -x 400,404

Burp: Intruder

Burp Suite Intruder: Fuzz the /internal/ directory to see what kinds of file extensions it will allow you to upload.

n0w4n: Load the wordlist and don’t forget to disable the encode options. If you forget this, you will not have the proper result as your filename will be file%2ephp, which won’t work.

  • I did that… and it didn't work.

Reverse Shell

Obtain a reverse shell to upload: pentestmonkey

  • You have to rename it .phtml to upload it.
  • Upload it.
  • Start a listener on your attack machine:

nc -lvnp 1234

# -l listener
# -v verbose
# -n numeric-only IPs, no DNS
# -p port (local port number)

Then trigger the uploaded .phtml file by browsing to it on the target machine:

http://[IP]:3333/internal/uploads

Privilege Escalation

n0w4n: For a lot of CTFs, a good find is files with the SUID bit set.

find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null

# -l long listing format
# -d list directory names, not contents

Or use PEASS: Privilege Escalation Awesome Scripts Suite
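A defender's counterpart to the SUID search above, added here as an example (it is not part of this write-up or n0w4n's): pipe the output of the same find into a baseline check so that an unexpected root-owned SUID binary, such as the systemctl this room turns on, stands out. The baseline list, the sample find output and the audit_suid function name are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the write-up: audit SUID-root files against a baseline.
# Input (stdin) is one "mode owner path" line per file, as produced by
#   find / -perm /4000 -type f -printf '%m %u %p\n' 2>/dev/null
# Root-owned SUID files missing from the baseline are reported; the function
# returns 1 when any are found so it can gate a cron job or a CI check.

# Baseline of SUID binaries expected on this host (constructed for the example;
# generate yours from a known-clean image of the same build).
SUID_BASELINE="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su"

audit_suid() {
    rc=0
    while read -r mode owner path; do
        [ -n "$path" ] || continue
        # %m is octal; a leading 4-7 means the setuid bit (04000) is set
        case "$mode" in [4567]???) ;; *) continue ;; esac
        # only root-owned SUID files are in scope for a root-escalation audit
        [ "$owner" = "root" ] || continue
        if ! printf '%s\n' "$SUID_BASELINE" | grep -qxF -- "$path"; then
            printf 'UNEXPECTED SUID root: %s %s\n' "$mode" "$path"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample of find output: a standard set plus the room's systemctl finding
SAMPLE_FIND_OUTPUT="4755 root /usr/bin/passwd
4755 root /usr/bin/sudo
4755 root /usr/bin/su
4755 root /bin/systemctl
4755 bob /home/bob/tool"

printf '%s\n' "$SAMPLE_FIND_OUTPUT" | audit_suid || echo "audit: unexpected SUID binaries found"
```

On a real host replace SAMPLE_FIND_OUTPUT with the live find output; a hit on something like /bin/systemctl is the misconfiguration to remove (chmod u-s) and to alert on.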

Discovered Vulnerability: systemctl is SUID root

n0w4n: He said we did not have permission to write in the default systemctl directory, so he created the unit file as an ENVIRONMENT VARIABLE.

  • First we create a variable which holds a unique file (on target machine).

  • Then we create a unit file and write it into the variable.

  • Inside the unit file we entered a command that has the shell run cat and redirect its output to a file called output in the tmp folder.

  • And finally we use the /bin/systemctl program to enable the unit file.

  • Find it:


To get a reverse root shell:

  • Create your unit file:

  • Open a listener on your attack machine:

  • Link and start the service:


Done.

prac_app_tryhackme.1664045457.txt.gz · Last modified: by gman