TryHackMe – Vulnversity Walkthrough
Introduction
This room is part of TryHackMe's Offensive Pentesting learning path, which a lot of people use when preparing for the OSCP exam. It was one of the first rooms on the path, and it involves attacking a web application by exploiting a file upload function, bypassing file extension whitelisting, and exploiting a SUID binary to escalate privileges.
Enumeration
The first step is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:
- -sV to enumerate application versions
Enumerating Port 3333
The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:
- dir to specify the scan should be done against directories and files
- -u to specify the target URL
- -w to specify the word list to use
- -x to specify the extensions to enumerate
- -t to specify the number of concurrent threads
After a few minutes an “/internal” entry was found:
Navigating to /internal leads to a file upload page:
File Upload Exploitation
Copying a PHP reverse shell to the working directory and updating the IP address and port to those of the local machine:
It appears the .php extension is not allowed:
Creating a simple word list with a few common PHP-related extensions to test whether any of them will work:
Uploading a new file, but this time capturing the request with Burp Suite:
Configuring an Intruder attack that uses the word list created above in order to determine which extensions might work:
When the Intruder attack has finished, the “Success” response shows that the .phtml extension works:
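The reason the .phtml file got through is that the upload form rejected only the literal .php suffix. As an added example (not code from the room or from this post), the following shows that check beside a hardened one that allow-lists image extensions, sniffs the leading bytes, and stores the file under a server-chosen name; all names and constants are constructed for the example:

```python
import os
import secrets
from typing import Optional

# The naive filter rejects only the literal ".php" suffix, which is why a
# ".phtml" file gets through. The hardened version uses an allow-list of
# image extensions, verifies the file's leading bytes match the claimed
# type, and never reuses the user-supplied name on disk.
# All names and constants here are constructed for the example.

DENIED_SUFFIXES = {".php"}  # what the naive check blocks

ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
MAGIC_BYTES = {  # leading bytes expected for each allowed type
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def naive_filter_allows(filename: str) -> bool:
    """Deny-list check: anything but an exact '.php' suffix passes."""
    return os.path.splitext(filename.lower())[1] not in DENIED_SUFFIXES


def hardened_filter_allows(filename: str, content: bytes) -> bool:
    """Allow-list check on the extension plus a content sniff on the bytes."""
    base = os.path.basename(filename)
    # Reject directory components, dotfiles and double extensions (x.png.phtml).
    if base != filename or base.startswith(".") or base.count(".") != 1:
        return False
    ext = os.path.splitext(base.lower())[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False
    return content.startswith(MAGIC_BYTES[ext])


def stored_name(filename: str, content: bytes) -> Optional[str]:
    """Return a random server-chosen name for an accepted file, else None.

    Storing under a random name (ideally outside the web root) means a
    request for the original name never reaches an executable handler.
    """
    if not hardened_filter_allows(filename, content):
        return None
    ext = os.path.splitext(filename.lower())[1]
    return secrets.token_hex(16) + ext
```

The first function reproduces the behaviour seen in the room (a .phtml name passes); the second rejects it regardless of name, and also rejects a correctly named file whose bytes are not an image.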
The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:
- -l to listen for incoming connections
- -v for verbose output
- -n to skip the DNS lookup
- -p to specify the port to listen on
Navigating to the uploaded shell in the /uploads directory should connect back to the listener and grant a reverse shell:
It appears this worked, as a reverse shell connection has been established:
Privilege Escalation
When checking for SUID binaries, /bin/systemctl stands out as it is not a standard SUID binary:
GTFOBins explains in detail how this binary can be abused to escalate privileges to root:
Following the steps outlined on GTFOBins to create a SUID bash binary:
This binary can then be executed with the -p flag to escalate to root:
Conclusion
Even though this box does not bring anything new to the table, it is a good way to practise and consolidate web application penetration testing skills when planning to take the OSCP exam.