Vulnversity
Nmap Scan
Below are the nmap scan results.



We see there is a web server running on port 3333. Let us have a look at it.
We come across a simple university website. The buttons don't work, viewing the source doesn't reveal anything useful, and it does not have a robots.txt file.

I'll use gobuster to see if I can find any hidden directories or files.
gobuster dir -u http://10.10.206.186:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,bak,zip -t 50
We come across a page named /internal.

When we browse to it, it asks us to upload a file.

Let us attempt to upload a PHP reverse shell and see what happens.
We get an error message stating that the extension is not allowed. To identify which extensions are not blocked, we're going to fuzz the upload form using Burp Suite. The following image will contain our payload.

After carrying out the attack using Burp Intruder, I discover that the extension .phtml yields a success message. I will therefore rename my PHP reverse shell with that extension and try re-uploading it to see if I can compromise the web server. I will also set up my listener to catch any connections.
Navigating to /internal/uploads/reverse.phtml executes my reverse shell and I get a connection back.

Using the command below, I can search for all SUID files.
find / -user root -perm -4000 -exec ls -ldb {} \;

SUID (Set owner User ID upon execution) is a special type of file permission given to a file. SUID gives a user temporary permission to run the program/file with the privileges of the file owner (rather than those of the user who runs it). Because the command above restricts the search to files owned by root, every result runs as root for whoever executes it, which is why each one deserves a second look.
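From the defender's side, the same find command is the basis of a SUID audit: compare the setuid-root binaries actually on a host against the set expected for that build and flag the rest. The script below is an added example, not part of the original writeup; the sample find output and the baseline set are constructed for illustration, and a real baseline should come from a clean reference image of the same OS build.

```python
import re
from typing import List, Tuple

# Constructed sample of `find / -user root -perm -4000 -exec ls -ldb {} \;` output.
# Paths and sizes are illustrative; the entry of interest on this box is systemctl.
SAMPLE_FIND_OUTPUT = """\
-rwsr-xr-x 1 root root 40152 Jan 27  2020 /bin/mount
-rwsr-xr-x 1 root root 44664 Jan 25  2020 /usr/bin/passwd
-rwsr-xr-x 1 root root 659856 Feb 12  2019 /bin/systemctl
-rwsr-xr-x 1 root root 149080 Jan 31  2020 /usr/bin/sudo
-rwxr-xr-x 1 root root 35000 Jan 31  2020 /usr/bin/notsuid
"""

# Assumed baseline of SUID-root binaries that are normal for this build.
BASELINE = {"/bin/mount", "/usr/bin/passwd", "/usr/bin/sudo", "/bin/su"}

# mode, link count, owner, group, size, month, day, year-or-time, path.
# An optional '.' or '+' after the mode covers SELinux/ACL markers in ls output.
LS_LINE = re.compile(
    r"^(?P<mode>[-a-zA-Z]{10})[.+]?\s+\d+\s+(?P<owner>\S+)\s+\S+\s+\d+\s+"
    r"\S+\s+\S+\s+\S+\s+(?P<path>/.+)$"
)


def parse_find_output(text: str) -> List[Tuple[str, str, str]]:
    """Return (mode, owner, path) for every line that parses as ls -l output."""
    rows = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            rows.append((m["mode"], m["owner"], m["path"]))
    return rows


def is_setuid_root(mode: str, owner: str) -> bool:
    """The setuid bit shows as 's' (or 'S' without exec) in the owner-execute slot."""
    return owner == "root" and mode[3] in "sS"


def unexpected_suid(text: str, baseline=BASELINE) -> List[str]:
    """Setuid-root paths that are not in the baseline; these need investigation."""
    return sorted(
        path
        for mode, owner, path in parse_find_output(text)
        if is_setuid_root(mode, owner) and path not in baseline
    )


if __name__ == "__main__":
    for path in unexpected_suid(SAMPLE_FIND_OUTPUT):
        print("unexpected SUID-root binary:", path)
```

On a real host, pipe the find command's output into this script instead of the constructed sample; anything it reports, such as a setuid systemctl, should be explained or have the bit removed.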
Refer to:
The text below is pasted from a walkthrough.
The systemctl file looks interesting.
systemctl is a binary that controls interfaces for init systems and service managers. Remember making your services run using the systemctl command during boot time. All those tasks are handled as units and are defined in unit folders. By default systemctl will search for these files in /etc/system/systemd.
For this machine we do not have access to the paths owned by root, so we can't make the unit file there. However, we can set environment variables. So let's do the PrivEsc.
Meanwhile the best reference is here!
The first thing we need to do is create an environment variable!
Now we need to create a unit file and assign this to the environment variable.
What we have done here is to simply create a service which will be executing "BASH", then reading the flag from the root directory and then writing it in the flag (file) in /opt directory.
Now we need to run this unit file using systemctl.
Now we can find the "flag" file in the /opt directory containing the flag!
And boom, we executed commands as root!
