Skip to main content

TryHackMe - Vulnversity

 TryHackMe - Vulnversity



1. Task 1 can be completed by download the VPN file provided by tryhackme and running openvpn upon it with the given command: sudo openvpn <filename>



Task 2 - Begins

2. The next step is to scan the network. I performed an aggressive scan using nmap and since it would be too slow I sped it up using timing as 4.


3. This provided us with the number of ports open as 6 which will be used in our task 2. It also gave us the version of squid proxy running which is 3.5.12. 


4. The next questions answer is 400. Let me explain why. -p is used to provide port/s to scan. This can be provided as a number, some comma separated numbers or a range. -p-400 is same as -p 1-400. This shows that ports 1 through 400 would be scanned.


5. The next answer is DNS. This can be seen in the man page of nmap. Open it using the command man nmap. The press forward slash (/) for searching. Then type -n and press enter. Remember this trick to search for something in man pages.


6. This maching is running ubuntu. This can be seen in its nmap scan.


7. Web server is running on port 3333. This is also shown in the nmap scan. The name of the web server is Apache httpd 2.4.18.



Task 3 - Begins

8. The next challege is to locate hidden directories and files on the server. This can be done using GUI tools such as dirbuster or CLI tools such as gobuster, ffuf, etc.


9. For this I first tried ffuf and then also tried gobuster since thats what the challenge wants us to use. So lets do that. The command used here is: gobuster dir -u http://10.10.40.215:3333 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt


10. Checking them one by one I found an upload form on /internal. Thats the answer to our task 3. The upload form can be seen on the url: 10.10.40.215:3333/internal



Task 4 - Begins

11. The next step is to check which file extension/s is allowed to be uploaded to the form. For this we'll use BurpSuite.

12. So we'll capture the request and send it to intruder. Here we'll set our position as shown below.


13. I've also created a file with lots of extensions to check against this position. This will be uploaded into the payload section.



14. Then we'll run our attack and check for any varying results under the length section.



15. So we have received a length of 723 against phtml which is the only different one here. You can also check there responses if you want to.





16. Now we know that phtml is the only extension which is allowed to be uploaded. This information answers some of our questions of task 4.

17. Now we'll upload a php reverse shell and connect to it.

18. For this we'll edit the php-reverse-shell.php file located in /usr/share/webshells in kali. This can also be downloaded from pentestmonkey. The required editing pertains to changing the default IP address given in the file with your own ip addresess. This location can be easily discovered by searching for the string "change this". You can get your ip address by using the following command: ifconfig.


19. After this change its extension to .phtml as its the only allowed extension to be uploaded.

20. Finally upload this file on the page.

21. In order to get back our connection we need to setup a listener on our system. This can be done using netcat with the following command: nc -lvnp 1234

22. After this, use your browser or curl and visit the location http://<target_ip>:3333/internal/uploads/<filename.phtml>

23. If everything is done correctly then this will redirect us to a shell which can be seen in the terminal



24. After this cd to the home directory and here you'll see the name of the user who manages the server. Another answer in task 4.

25. And inside that directory is the last answer of task 4: 8bd7992fbe8a6ad22a63361004cfcedb.



Task 5 - Begins

26. Now we are required to search for all files which have SUID bit set. This can be done with the following command: find -perm -u=s 2>/dev/null

27. After this we are required to look for a suspicious file. One way of finding this is to run the above command in your own system and then compare both results. The answer is /bin/systemctl

28. Now what SUID bit means is that the file would requires admin privileges for a part of its functioning. Not the whole file but a small part of it requires admin privileges. Searching on google I came across this article which helped me in escalating my privileges.


29. The article explains that we will be creating a service file and then ask systemctl to run it for us. In this file we'll ask for admin privileges and since the systemctl file has SUID bit set it will be allowed to do so.


30. Now I created a new directory using the following command: mktemp -d


31. Then I created a new file (lets say file.service) and pasted the code in it. This code provides us with a reverse shell. So we have to start our listener service in order to receive it. The command for it is: nc -lvnp 9999



32. Then I followed the next two lines of the article and got the reverse shell.


33. The last step is to cd to the root directory and cat the only file there.


Congratulations, you've completed the challenge and thanks a lot for reading my article. Let me know if you need any clarification on any of the step.

Labels:

Comments

Post a Comment

Popular posts from this blog

Hacktober CTF - Writeup

  HACKTOBER CTF   This post contains the writeups for: l  Crypto n  Hail Caesar n  Down The Wrong Path l  Forensics n  Captured Memories n  Amcaching In n  Prefetch Perfection n  Prefetch Perfection 2 l  Linux n  Talking to the dead 1 n  Talking to the dead 2 l  Programming n  Message in an array n  Trick or treat l  Steganography n  You believe in ghosts n  Start digging n  Blasphemy   1 OSINT         n Creeping 1        n  Creeping 2         n Creeping 3         n Past Attacks       Hail Caesar In this question we have to decrypt TGG KUSJWV QGM and the question gives us a hint that its a caesar cipher. Although we don’t know the key but we really don’t need one for this. Loading it up in dcode gives us the answer as BOO SCARED YOU   And thus the flag is flag{ BOO SCARED YOU }           Down The Wrong Path The given image shows a transposition cipher.   So reading it in a similar fashion results in this message: REMEMBER TO TELL SPOOKYBOI ABOUT THE NEW TARGETS OF OUR NEXT ATTACK   So
2 comments
Read more

CyberYoddha CTF - Writeup

  This blog post contains the writeups for the following challenges :- Misc Lorem Ipsum Forensics Image Viewer The row beneath What's the password Steg 2 Steg Ultimate Cryptography Beware the Ides of March Sus Reverse Engineering Password 1 Trivia Trivia 1 Trivia 3 Trivia 4 Trivia 5 Trivia 7 Trivia 8 LOREM IPSUM The given text when googled will give you the original text and you'll realise that the given text has some additional characters attached to some words. Lorem ipsum dolor/c/ sit amet, consectetur/y/ adipiscing /c/elit, sed do/t/ eiusmod tempor inci/f/didunt ut labore et dolore magna aliqua/l/. Ut enim ad minim/a/ veniam, quis/t/ nostrud exercitation ullamco/i/ laboris nisi/n/ ut aliquip ex ea/i/ commodo/s/ consequat. Duis /c/aute irure dolor in reprehenderit in voluptate velit /o/esse cillum dolore eu fugiat nulla pariatur. Excepteur /o/sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim /l/id est laborum. Extracting all these character
2 comments
Read more

C4ptur3-th3-fl4g Walkthrough

TryHackMe c4ptur3-th3-fl4g Walkthrough Task - 1 Translation and Shifting Question 1 -  c4n y0u c4p7u23 7h3 f149? Solution -  This one's quite simple. This is called leet in which the text is written with modified spellings with the help of numbers in place of some characters. The answer for this one is - can you capture the flag? Question 2 -  01101100 01100101 01110100 01110011 00100000 01110100 01110010 01111001 00100000 01110011 01101111 01101101 01100101 00100000 01100010 01101001 01101110 01100001 01110010 01111001 00100000 01101111 01110101 01110100 00100001 Solution -  This is written in binary as you can see that every set of 1's and 0's (separated by space) is a string of 8 numbers. So you can use any online resource such as  rapidtables  to convert binary to ascii. The answer for this is -  lets try some binary out! Question 3 -  MJQXGZJTGIQGS4ZAON2XAZLSEBRW63LNN5XCA2LOEBBVIRRHOM====== HINT :  Having an equal sign at the end of
Post a Comment
Read more