TryHackMe – Vulnversity Walkthrough

January 17, 2021 | by Stefano Lanaro | 2 Comments

Introduction

This room is part of the TryHackMe’s Offensive Pentesting learning path, which is something a lot of people use when preparing for their OSCP exam. This was one of the first rooms and it involved attacking a web application exploiting a file upload functionality, bypassing file extension whitelisting, and exploiting a SUID binary to escalate privileges.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:

-sV to enumerate applications versions

Enumerating Port 3333

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

dir to specify the scan should be done against directories and files
-u to specify the target url
-w to specify the word list to use
-x to specify the extensions to enumerate
-t to specify the number of concurrent threads

After a few minutes an “/internal” entry was found:

When navigating to the /internal page, it takes to a file upload page:

File Upload Exploitation

Copying a PHP reverse shell to the working directory and updating the IP address and port based on the local machine

It appears the .php extension is not allowed

Creating a simple word list with a few common PHP related extensions to test out of any of them will work:

Uploading a new file, but this time capturing the request using Burp Suite

Configuring an intruder attack using the word list previously created in order to determine which extensions might work:

When the intruder attack has finished running, this shows the .phtml extension will work, judging by the “Success” response

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

-l to listen for incoming connections
-v for verbose output
-n to skip the DNS lookup
-p to specify the port to listen on

When navigating to the uploaded shell which is in the /uploads directory, this should connect to the listener and grant a reverse shell

It appears this worked, as a reverse shell connection has been established:

Privilege Escalation

When checking for SUID binaries, /bin/systemctl stands out as it is not a standard SUID binary:

GTFOBins explains in great detail how this can be exploited to escalate privileges to root:

Following the same steps outlined in GTFOBins to create a SUID bash binary

This binary can then be executed with the -p flag to escalate to root:

Conclusion

Even though this box doesn’t bring anything new to the table, it is definitely a good way to practice and consolidate your web application penetration testing skills when planning to take on the OSCP exam.

2 comments


Josephine Clegg

March 5, 2022 at 1:52 pm

I like what you guys are usually up too. This kind of clever work and reporting!

Keep up the very good works guys I’ve you guys to
blogroll.
- Reply
  
  Stefano Lanaro
  
  April 10, 2022 at 8:17 am
  
  Thank you very much!