Sat. Oct 24th, 2020

Pentesting Fun Stuff

following the cyber security path…

Vulnversity

Another room from TryHackMe, this one called Vulnversity. The description is as follows: Learn about active recon, web app attacks and privilege escalation. As always I try to solve this puzzle and, while doing so, answer the questions from TryHackMe. Let’s start with the enumeration.

Enumeration

In the room there is a lot of useful information about nmap, so I’m going to run my scan and skip the explaining part.

The scan shows a lot of open ports:

  • 21 | FTP (vsftpd 3.0.3)
  • 22 | SSH (OpenSSH 7.2p2 ~ Ubuntu version)
  • 139 | Samba (smbd 3.x – 4.x)
  • 445 | Samba (smbd 4.3.11)
  • 3128 | HTTP Proxy (Squid proxy 3.5.12)
  • 3333 | HTTP webserver (Apache 2.4.18)

The first two services need credentials, and the vsftpd version is not the one with the backdoor (too bad LoL). So let’s start with some low-hanging fruit.

Webserver

The room gives information about the use of GoBuster. This is an excellent tool to enumerate a webserver, but personally I prefer DirSearch.

When scanning, don’t forget to specify the port number, because most tools will otherwise scan the default port.

Several folders are found, /internal/ is the one we’re after.

The page shows an upload form, which I tested with a jpg file from the internet. No go. Did the same with other popular file types like gif, png and of course php. All were rejected. There is a compilation of very useful wordlists called SecLists. Nowadays it’s part of the default lists of Kali, but if your Kali or a different OS doesn’t have it, it can be found here. To fuzz the upload I’m going to use BurpSuite. It has a nice feature called Intruder which can do the job for me in an automated fashion.

First, upload a file (it doesn’t really matter which file) and capture the request with the BurpSuite proxy. After you have captured it, send it to Intruder and clear all positions. Then mark only the extension, and don’t forget to include the dot (.), or else you will end up with two dots in the filename.

Load the wordlist and don’t forget to disable the payload encoding option. If you forget this, you will not get the proper result, as your filename will be sent as “file%2ephp”, which won’t work. After this you can start the attack.

Every entry results in an HTTP 200, which makes sense as you get a valid response from the server, just not the one you are looking for. So how can you tell which one is different? By the length of the response: the one that gets through won’t contain the error message, so its length differs from all the others.

Now we know which extension will pass. Time to upload a file which contains a payload for a reverse shell. A good one to use is the one from pentestmonkey. The only things to change after you download it are the IP address and the port it needs to connect back to.
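The upload form here fails because it blocks a list of bad extensions and lets everything else through. The defender-side fix is the opposite: accept only an allowlist, and decide on the decoded filename (so “file%2ephp” and “file.php” are the same thing) plus the file’s actual content. The following Python is an added example written for this writeup, not code from the room or from Vulnversity; the allowlist, the magic-byte table and the name pattern are my own assumptions for a gallery that stores images only.

```python
import os
import re
import urllib.parse

# Allowlist approach: only these extensions are ever accepted, and the stored
# name is rebuilt from validated parts instead of echoing the client's string.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes each image type must start with (constructed lookup table).
MAGIC_BYTES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def normalize_name(raw_name: str) -> str:
    """Decode percent-encoding (so 'file%2ephp' is seen as 'file.php'),
    drop any directory part, and lower-case the result."""
    decoded = urllib.parse.unquote(raw_name)
    base = os.path.basename(decoded.replace("\\", "/"))
    return base.strip().lower()


def check_upload(raw_name: str, data: bytes):
    """Return (accepted, detail). On success detail is the safe name to store,
    otherwise it is the reason for rejection."""
    name = normalize_name(raw_name)
    parts = name.split(".")
    # Require exactly one extension: 'shell.php.jpg' style double extensions
    # are rejected outright instead of reasoning about the web server's
    # handler order for inner extensions.
    if len(parts) != 2:
        return False, "filename must be <name>.<ext> with a single extension"
    stem, ext = parts
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", stem):
        return False, "filename stem contains disallowed characters"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' is not in the allowlist"
    if not any(data.startswith(magic) for magic in MAGIC_BYTES[ext]):
        return False, "file content does not match the declared image type"
    return True, f"{stem}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads: a real JPEG header and a script with a
    # renamed extension.
    jpeg_header = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    for name, data in [("cat.jpg", jpeg_header),
                       ("shell%2Ephp", b"<?php echo 1; ?>"),
                       ("shell.php.jpg", jpeg_header),
                       ("fake.png", b"<?php echo 1; ?>")]:
        print(name, "->", check_upload(name, data))
```

Note that the length-of-response trick from the Intruder run is exactly what an allowlist removes: every rejected name gets the same error page, and there is no “one extension nobody thought of” left to find.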

You can find your current IP address by running the command ip a.

Escalation of Privilege

After we upload the file, we start a listener.

Find the uploaded file.

And click on the file.

And we’re in. Our next move is to see if we have access to the user’s home folder.

Yes we have.

The file user.txt is world readable, so that one is done. Now for the escalation of privilege. In a lot of CTF-based challenges, files with the SUID bit set are a good find.

I explained this command in an earlier writeup, but in short I searched for all files with the SUID bit set (perm 4000) and checked who owns them. Because of the SUID bit, I can execute the program with the rights of the owner. The file that stands out is one that was created recently (which is also a good indication).

/bin/systemctl
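The two signals used above (a SUID binary that is not part of a normal install, and one that was modified recently) are also what a defender should be alerting on. The script below is an added example of my own, not code from the room: it walks the filesystem, collects setuid files and classifies each against a baseline. The baseline set is an assumption (a list of binaries a stock Ubuntu 16.04 install ships setuid); generate your own from a clean image of whatever you run.

```python
import os
import stat
import time
from dataclasses import dataclass

# Illustrative baseline (assumption): setuid binaries a stock Ubuntu 16.04
# install ships with. Build your own with `find / -perm -4000` on a clean image.
BASELINE_SUID = {
    "/bin/mount", "/bin/umount", "/bin/su", "/bin/ping", "/bin/ping6",
    "/bin/fusermount", "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/pkexec",
}

# Pseudo filesystems that are noise for this audit.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


@dataclass
class SuidFile:
    path: str
    owner_uid: int
    mtime: float  # seconds since the epoch


def classify(entry, baseline, now, recent_days=30):
    """Return the reasons this setuid file deserves a closer look
    (an empty list means it looks expected)."""
    reasons = []
    if entry.path not in baseline:
        reasons.append("not in baseline")
    if entry.owner_uid == 0 and now - entry.mtime < recent_days * 86400:
        reasons.append("root-owned and modified recently")
    return reasons


def find_suid(root="/"):
    """Walk the filesystem and collect regular files with the setuid bit set.
    Symlinks are not followed and unreadable directories are skipped."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(SuidFile(path, st.st_uid, st.st_mtime))
    return found


def audit(root="/", baseline=BASELINE_SUID, now=None, recent_days=30):
    """Pair every setuid file under root with its list of reasons."""
    now = time.time() if now is None else now
    return [(f, classify(f, baseline, now, recent_days)) for f in find_suid(root)]


if __name__ == "__main__":
    for entry, reasons in audit():
        flag = "SUSPECT" if reasons else "ok"
        print(f"{flag:7} {entry.path} uid={entry.owner_uid} {', '.join(reasons)}")
```

Run it as root so every directory is readable; run it periodically and diff the output, since a setuid /bin/systemctl appearing between two runs is the whole story of this room in one line.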

Systemctl is the controlling interface and inspection tool for the widely adopted init system and service manager systemd. Systemd in turn is an init system and system manager that is quickly becoming the new standard for Linux machines. So what can we do with systemctl?

Systemd initializes the user space components that run after the Linux kernel has booted, and keeps maintaining those components throughout the system’s lifecycle. These tasks are known as units, and each unit has a corresponding unit file. We can create our own unit file and let systemd start it. Normally systemctl looks for unit files in the default folder, which is /etc/systemd/system, but we don’t have permission to write to that folder. So how can we create a unit file and let systemctl start it? We use an environment variable.

First we create a variable which holds a unique file.

Then we create a unit file and write it to the path held in the variable.

Inside the unit file we entered a command which lets the shell execute cat and redirect its output to a file called output in the /tmp folder. And finally we use the /bin/systemctl program to enable the unit file.

Let’s see if it worked…

There is a file called output.

And there you have it. The output of root.txt. To not give away the final flag, I left out most of the hash so you need to get it yourself.
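Enabling a unit by its absolute path leaves a trace: systemctl creates a symlink under /etc/systemd/system/<target>.wants/ that points at the unit file, wherever it lives (the comment thread below shows exactly such a link into /tmp). That makes a cheap detection: any enabled unit whose symlink resolves outside the normal unit directories. The script below is an added example of my own, not code from the room; the set of trusted unit directories is an assumption based on a stock systemd layout.

```python
import os

# Directories where unit files legitimately live (assumption: a stock systemd
# layout; adjust for your distribution).
TRUSTED_UNIT_DIRS = (
    "/etc/systemd/system",
    "/run/systemd/system",
    "/lib/systemd/system",
    "/usr/lib/systemd/system",
)


def resolve_target(link_path, target):
    """Absolute, normalised path a symlink points at. Relative targets are
    resolved against the directory the link itself lives in."""
    if not os.path.isabs(target):
        target = os.path.join(os.path.dirname(link_path), target)
    return os.path.normpath(target)


def is_trusted(path):
    """True when path lies inside one of the trusted unit directories."""
    return any(path == d or path.startswith(d + "/") for d in TRUSTED_UNIT_DIRS)


def classify_link(link_path, target):
    """None when the enabled unit is fine, otherwise a one-line finding."""
    resolved = resolve_target(link_path, target)
    if is_trusted(resolved):
        return None
    return (f"{link_path} -> {resolved}: unit enabled from outside "
            f"the trusted unit directories")


def audit_enabled_units(root="/etc/systemd/system"):
    """Walk the *.wants/ and *.requires/ tree and report suspicious symlinks."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                finding = classify_link(path, os.readlink(path))
                if finding:
                    findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in audit_enabled_units():
        print(line)
```

A unit enabled from /tmp, /home or /dev/shm is never what an administrator meant, and a root-owned symlink created at the same time as a new setuid binary ties the two findings together nicely.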

9 thoughts on “Vulnversity”

  1. Beautiful and extensive show of skill. But I can kill myself right here for the privesc part. I feel like everything up to that last point was a walk through the park but escalation is like a Linux powered Space Ship. I really really need to try much much harder. (and I will) but still… great job man!

  2. Hello,

    Thanks for the details. I have followed all the steps but I am failing when starting the service. I am getting the following error:

    Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.xCT0WUJbRI.service to /tmp/tmp.xCT0WUJbRI.service.
    Failed to start tmp.xCT0WUJbRI.service: Unit tmp.xCT0WUJbRI.service is not loaded properly: Invalid argument.

    Any help is much appreciated.

    1. “Failed to start tmp.xCT0WUJbRI.service: Unit tmp.xCT0WUJbRI.service is not loaded properly: Invalid argument.”

      This error is probably telling you there is something in your systemd unit file that is not valid and giving some issues.
      You could use: sudo systemd-analyze verify tmp.xCT0WUJbRI.service to debug the issue.

  3. Great write up and excellent explanation of the privesc. For anyone having the same problem as Sai: check that you have entered the commands EXACTLY as specified, i.e. make sure everything that is capitalized in the example is so in your entries. That solved the problem for me.

  4. Loved the write-up!
    I use Terminator but I loved how colorful your screen was and I was hoping you could tell me how to do that. It will help me in reading the results and in privilege escalation.
    Thanking you in advance!

    1. Hey Jagga, I’m using terminator also, but how it looks on this website is because of the used plugin.
      If I would have this output in my terminal it would show different.

  5. Excellent write up. Thank you for producing it, helped me with the privesc no end!!
    Off the back of the last question, I have just started to enjoy using TMUX. (it might not make me a better person, but at least it impresses the wife when she walks past!!)
    Is terminator any better? Not seen much discussion on tryhackme about this?

    1. There are so many terminals you can choose from.
      I really think it’s not a matter of better, just more of which you like better.
      I prefer Terminator because it’s very flexible, it’s open-source and to be honest I know the short-keys by heart.
      Also the logging function of Terminator is nice when doing CTF’s.
      Tmux is also very nice and has similar functions to Terminal.
      It probably has even some more features as it has similar functionalities as Screen and you can write scripts for it.
