Challenges

TryHackMe: Vulnversity Walkthrough

In this post, I would like to share a walkthrough on Vulnversity room from TryHackMe. For this room, you will learn about “how to abuse Linux SUID”

For those are not familiar with Linux SUID, it’s a Linux process that will execute on the Operating System where it can be used to privilege escalation in order the attacker to execute with the root permission level.

For those who are still blurred on the Linux SUID, I will guide you during the challenges.

Let’s Start!

As usual, we need to deploy the machine in order to play this room. It will take a few minutes for it to be fully started.

Once the machine has fully stared, we need to run a Reconnaissance phrase in order to see what’s been installed in the system by executing the command as follows:

nmap -sV -sC -A -T4 <IP Address> -PN

From the output above, I have noticed that 6 port is open while 1 port is filtered. Aside of that, i also found the following information as belows:

  • 21: csftpd 3.0.3
  • 22: OpenSSH 7.2p2 Ubuntu 4ubuntu2.7
  • 139: Samba smbd 3.x-4.x
  • 445: Samba smbd 4.3.11-Ubuntu
  • 3128: Squid http proxy 3.5.12
  • 3333: Apache httpd 2.4.18

How many ports will nmap scan if the flag -p-400 was used?

The answer: 400

Using the nmap flag -n what will it not resolve?

The answer:

Let’s run the dirbuster for us to enumerate the directory that been implemented within the website. The command that can be used for this phrase is dirb http:<IP Address>: <Port>

The output for the phrase can be seen in the screenshot below

I have found out that the website have internal/ directory been installed in the website. Let’s dig into that website to look anything suspicious that we can use for further activity

What type of file that can be upload on this page? Hmmm.

We know that this website use .php source code and i assume that the php shell can be used.

And the result that we get is not very encouragement at all!

If php files cannot be upload here, let’s try upload the php shell using .phtml

And the result is:

Oh wow! We have successfully upload the shell but the question now is that where the file is been stored in the website.

Let’s see the output from the dirb again to check if there’s anything that we can use to find the location of file which just been uploaded.

I did found out one suspicious directory which is /internal/uploads

Let’s us see that website’s directory

Before clicking the shell, we need to start the command nc -lvnp 9007 in order the to get the the shell’s connection back.

Now, let click the shell on the website and see if the connection came back to us

Let’s see who are the user for this machine beside root by going to /home/

We only can see the username “bill” that appear on the /home/ directory that lead to assumption that bill might be the one who manage the webserver.

Let’s see what is been stored in the bill directory

For us to get the user flag on this machine, we need to read what’s written inside user.txt

Now, we need to find the root flag on the machine by locate the weird SUID permission file

We didn’t find any weird SUID permission file by using the command above. Maybe we need to see if i’m running the right command. No shame to look into the hint that provided by TryHackMe

find / -user root -perm -4000 -exec ls -ldb {} \;

For my point of view, systemctl can be considered as an weird SUID permission file. Once that been decided, we can see the exploit command that we can use for this activity by going to GTFOBins

We need to read the command that used SUID permission command as below

From command above, we only need to change the following line and we are good

ExecStart=/bin/sh -c “chmod +s /bin/bash”

and replace all ./systemctl to /bin/systemctl

We should be logging as root if it’s a successfully executed with bash -p

We have access the machine via root privileges access.

Once we get root privileges, we can run the cd /root and after we have access to the directory, we can see the root.txt by running the command ls

We need to read the root.txt by using the command cat root.txt

-THE END-

Happy Learning Guys!