TryHackMe Writeup-Vulnversity
Learn how to bypass upload restrictions on a web server and gaining root access with this TryHackMe technical walkthrough.
The walk-through goes through the “Vulnversity” room available on the TryHackMe platform. In my previous walkthroughs, we went through vulnerabilities in the operating system and in the different services that were running on the system. In this room, we are going to bypass upload restrictions on a web-server and through that we will gain our shell and escalate our privileges to obtain the required result.
Prerequisites
I would recommend that you should have basic knowledge of the following, it’s not necessary but it will help you to solve the tasks more effectively and efficiently,
- Nmap
- Directory Busting
- Burpsuit
- Linux file systems, Permissions, SETUIDs, environmental variables, etc
Objectives
- Gather Information about the target machine
- Find out hidden directories on the webserver
- Gain Shell of the webserver
- Escalate privileges
Learning Outcomes
- Getting to know Nmap flags to scan the host machine
- Use of Go-buster to find hidden directories on a web server
- Learn to bypass upload restrictions on the web-server to gain shell
- Learning Linux prvilege escalation
P.S: I recommend you, folks, to try the room on your own, and if you get stuck use this write-up as a reference. In certain tasks, you will be required to search your problems on google. I will not label sub-tasks explicitly but you will find all the answers to the sub-tasks in each of the main tasks.
Getting Started
[Task 1 ]- Deploy The Machine
First, we need to connect to the TryHackMe network using OpenVPN. The procedure is pretty straight forward you just need to download the configuration and run it using the OpenVPN command on the terminal. Once done verify that you are on the network of TryHackMe by using the ifconfig command on the terminal, you should see an interface named ‘tun0’ or ‘tun1’ and an IP assigned to it. Congratulations you have now connected to the TryHackMe network.
[Task 2 ]- Reconnaissance
First, we need to gather information regarding the target machine by scanning it using Nmap as shown below. There are certain switches while using Nmap which will fetch information accordingly such as -A switch performs an aggressive scan. You can find more information on what others switches do by consulting the manual for Nmap.
From the above scan, we get the number of open ports. In addition to this, we also find the services and versions of services running on each of the open ports. Using the -o flag Nmap gives us the operating system of the target machine as shown below. If we use -n flag it will not resolve the DNS (IP to Host-name).
[Task 3 ]- Locating directories using Gobuster
Now that we have the information about the ports and services running on them. Let’s try to explore the HTTP service running on port 3333. The following page opens when we access it by using the IP of the target machine and port 3333. Exploring it does not give much of information.
Now we are going to use go buster to find the hidden directories. You can learn more about gobuster here or you can just use man gobuster to understand the switches it uses. Follow the syntax below that finds the hidden directories and uses the common word-lists as shown below.
The output result shows the available hidden directories out of which most of the directories are normal and found on most webpages. /internal looks interesting so when accessed it showed a page that had an upload option. So are you thinking what I am thinking? If you guessed it right things are going to get pretty interesting from here.
[Task4 ] Compromise the Web Server
I am going to try uploading files of different extension types to see whether it gets uploaded or not. I tried uploading the .png and .jpeg but it failed.
I used wapalyzer and found out that the website is built on PHP so it’s quite understandable that .php is not allowed because if the same extension is allowed that of the site an adversary may make the file executable and gain shell access to the webserver.
Now to know which extension is allowed on the web server so that we may get a shell, fire up Burp Suite. Remember to configure the proxy on the web browser so that the traffic may get intercepted by Burp Suite via this proxy.
Set the attack target as shown below:
Now upload any extension file on the upload page of the webserver so that the request gets captured in HTTP history as shown below. Don’t forget to turn on the interceptor.
Send this request to the intruder and mark the field of extension. We are going to fuzz that field to find out which extension gets bypassed easily.
In the payload option, we are going to upload the extensions that would be fuzzed. Don’t forget to uncheck the encode option as keeping it enabled will not give you the correct results.
Now navigate to the options add the grep match i.e. the output message that displays when a wrong extension file get uploaded.
Now click attack and this will begin the fuzzing process. As seen below we see that the .phtml extension is allowed on the webserver. We can confirm this in two ways, one is the length and the other is the response of the webpage against this extension in the raw tab.
Now that we know that .phtml extension is allowed. Its time to upload the PHP shell. The PHP shell to be uploaded can be found here. Edit the script by adding the local IP address of your machine that can be found by typing the ipconfig command in the terminal. The IP against tun0 or tun1 has to be copied and added into the script. Before uploading the script let us use Net-cat to listen to incoming connections on port 1234 as shown below.
Upload the PHP script on the internal webpage of the server, we will see that the script has been uploaded successfully.
Navigate to http://<ip>:3333/internal/uploads/php-reverse-shell.phtml.As soon as we navigate to this URL we will get a reverse shell as shown below.
Now we need to find the user that manages the server. Navigating to the etc/passwd file we get to know that there is only one user that has bash access so based on this assumption we come to know about the as shown below.
Navigating to the user directory we get the user flag.
[Task 5] Privilege Escalation
Now that we have the shell access, we need to escalate our privileges to root. This section is quite tricky and expects that you know about the setuid function and Linux permission stuff. A little theory is already explained regarding this function. If we see the current permission on our user we don’t have root privileges.
Let list out all suid files by using the following command.
find / -user root -perm -4000 -exec ls -ldb {} \;
systemctl stands out of all other files which have setuid enabled because it’s not normal to have setuid enabled on systemctl. I got curious and ran the same command on different hosts and found that none of them had the systemctl with setuid enabled so based on this /bin/systemctl stands out. gtfobin is a great place where gtfobin is a great place where you can find Unix binaries that help in privilege escalation bypassing the local security policies.
Now we need to set up an environmental variable. I have changed the above script a bit like I would prefer to get the bash of the privileged user so I have edited it as seen below. To get all the things right, you might want to get an overview of the Linux file system and setuid.
After this step enable the environmental variable created and run it. As soon as we execute this we get the root privilege and our root flag too as seen below. The euid and egid are root now.
With the last task performed successfully we conclude this walk-through. I know the last part has been overwhelming but don’t worry I would be writing on Linux privilege escalation soon that would clear all your doubts. Now we know how we can bypass upload restrictions on the webserver and exploit it to get a shell of the webserver.
I hope you enjoyed the walk-through.Happy hacking ;)
About Me
I am a Network Security Engineer pursuing my Master’s in Information Security and trying to get into a full-time cybersecurity career. You can follow for more write-ups and walkthroughs here