
TryHackMe – Vulnversity Walkthrough

Introduction

This room is part of TryHackMe’s Offensive Pentesting learning path, which many people use when preparing for the OSCP exam. It was one of the first rooms in the path, and it involves attacking a web application: exploiting a file upload function, bypassing file extension whitelisting, and exploiting a SUID binary to escalate privileges.

Enumeration

The first thing to do is run a TCP Nmap scan against the 1000 most common ports, using the following flag:

  • -sV to enumerate application versions

Enumerating Port 3333

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target URL
  • -w to specify the word list to use
  • -x to specify the extensions to enumerate
  • -t to specify the number of concurrent threads

After a few minutes an “/internal” entry was found:

Navigating to the /internal page leads to a file upload page:

File Upload Exploitation

Copying a PHP reverse shell to the working directory and updating the IP address and port to match the local machine:

It appears the .php extension is not allowed:

Creating a simple word list with a few common PHP-related extensions to test whether any of them will work:

Uploading a new file, but this time capturing the request using Burp Suite:

Configuring an intruder attack using the word list previously created in order to determine which extensions might work:

When the Intruder attack has finished running, the “Success” response shows that the .phtml extension will work:
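As an added illustration that is not part of the original walkthrough, the Python below models a deny-list filter of the kind the /internal upload page appears to use beside an allow-list version, and audits both against a candidate extension list the same way the Intruder run above probes the filter. The extension sets and file names are assumptions for the example, not values taken from the room.

```python
import os

# Extensions a typical PHP-enabled Apache setup hands to the PHP handler
# (assumed list for this example). A deny-list that blocks only ".php"
# lets every other entry through, which is why ".phtml" succeeded above.
PHP_EXECUTABLE_EXTENSIONS = {
    ".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps",
}
# Hardened filter: only these are accepted, nothing else (assumed set).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def denylist_check(filename: str) -> bool:
    """Models the weak filter: rejects only a literal .php extension."""
    return not filename.lower().endswith(".php")


def allowlist_check(filename: str) -> bool:
    """Hardened filter: plain basename, a single known-safe extension,
    and no PHP-executable extension anywhere in the name."""
    if filename != os.path.basename(filename) or filename in ("", ".", ".."):
        return False  # path components or empty names are never valid uploads
    root, ext = os.path.splitext(filename)
    if not root or ext.lower() not in ALLOWED_EXTENSIONS:
        return False
    # Apache's AddHandler matches any dotted segment, so shell.php.jpg
    # would still be executed as PHP; reject inner PHP extensions too.
    inner_exts = {"." + part.lower() for part in root.split(".")[1:]}
    return not (inner_exts & PHP_EXECUTABLE_EXTENSIONS)


def audit_filter(check, candidates):
    """Run a candidate extension list (like the Intruder word list) against
    a filter before deployment; returns the extensions it would accept."""
    return [ext for ext in candidates if check("shell" + ext)]


if __name__ == "__main__":
    wordlist = [".php", ".php3", ".php4", ".php5", ".phtml", ".phar"]
    print("deny-list accepts:", audit_filter(denylist_check, wordlist))
    print("allow-list accepts:", audit_filter(allowlist_check, wordlist))
```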

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Navigating to the uploaded shell, which is in the /uploads directory, should connect back to the listener and grant a reverse shell.

It appears this worked, as a reverse shell connection has been established:

Privilege Escalation

When checking for SUID binaries, /bin/systemctl stands out as it is not a standard SUID binary:

GTFOBins explains in great detail how this can be exploited to escalate privileges to root:

Following the same steps outlined in GTFOBins to create a SUID bash binary:

This binary can then be executed with the -p flag to escalate to root:

Conclusion

Even though this box doesn’t bring anything new to the table, it is definitely a good way to practice and consolidate your web application penetration testing skills when planning to take on the OSCP exam.