Follow along with this writeup, and deploy your own instance of Vulnversity! https://tryhackme.com/room/vulnversity

Gain access on the "System Level" by exploiting "Web Applications Vulnerabilities". Let's dive into exploiting this machine and learn together on the go!

Connect via OpenVPN

First we need to connect via our VPN and need to deploy the machine.

In order to connect via VPN. Download the access file from your profile and connect to it like.

openvpn <yourFile>.ovpn

Once connected to VPN, deploy the machine!

Enumerating and Initial Access

The first thing that we are required to do is to look for open ports. This can be achieved with a number of tools but nothing can be more better than an "NMAP Scan". I personally scan the IP addresses in the following way.

nmap -sC -sV -T4 -A <IpAddress> -oA nmap.nmap

We can see that an "Apache Server" is running on port 3333. On opening the IP in browser we are presented with the web application.

Now, we need to find the directories and any possible functionalities like "Upload" where we can upload the reverse shells etc. There are different tools for this job as well. You can use "dirb, dirbuster, wfuzz, gobuster" it all depends on your choice. I will be using "dirb". The syntax is as follows!

dirb http://<IpAddress>:<Port> <Path To Wordlists>

We find some directories. Opening the "/internal/" directory, provides us with the some upload functionality!

The first thing that is required to be checked with upload options is the "extension type". Most of the times it is possible to bypass the check.

Webshells are pre-present in the Kali Linux and we will be using PHP shell. Just copy the shell into any of your working directory!

The second thing is we need to edit the <IP> and <Port> for our reverse connection. All you need is to do "ifconfig" and select the IP Address provided with the interface "tun0". Secondly open up the reverse shell and edit both of the details.

Once done, it's time to start listening for the reverse connection using "NetCat". Listen to all incoming connections with the command shown below!

Now all we need is to upload the PHP reverse shell now. I renamed the file to "reverse.php" and make multiple copied of this file with multiple extensions (manually fuzzing which extension works). You can also use BurpSuite here!

Now we have multiple files. Its time to check which extension is not being sanitized properly. At first let's try uploading the traditional ".php" file.

It seems like it is not allowed. Similarly by testing the other extensions ".phtml" extensions was allowed.

We look where have been our "Reverse Shell" has been uploaded. Navigating to "/uploads/"reveals our uploaded shell!

Opening our file in the browser, executes it on the machine. This makes the machine connect to our computer using the PHP shell:

Now we need to find some details. Like who actually we are at the moment on the system and the users privileges.

We have got our user flag! Now we need to look for the SUID Binaries.

SUID is a file permission which is added to/given to few of the binaries which are allowed to be run by the user, but they run under the name of their owner i.e. test.bin when having SUID permissions set on root when ran on under the "billy" account will be run under root.

We can now see a number of binaries with the SUID flag set.

Privilege Escalation

Our SUID scan found a file, "systemctl".

systemctl is a binary that controls interfaces for init systems and service managers. Remember making your services run using the systemctl command during the boot time. All those tasks are handled as units and are defined in unit folders. By default systemctl will search these files in /etc/system/systemd.

For this machine we do not have access to the paths owned by root and by so we can't made the unit file. Although we can set environment variables. So let's do the PrivEsc.

Meanwhile the best reference is here!

The first thing we need to is create an environment variable!

Now we need to create a unit file and assign this to the environment variable.

What we have done here is to simply create a service which will be executing "BASH", then reading the flag from the root directory and then writing it in the flag (file) in /opt directory.

Now we need to run this unit file using systemctl.

Now we can find the "flag" file in the /opt directory containing the flag!

And boom, we executed commands as root!