Linux Privilege Escalation

Nihilnomine
5 min read · Apr 10, 2022

Try Hack Me

Lab: Vulnversity

Write up by: Nihilnomine

Photo from Try Hack ME.

This is my first write-up as I am still a student working towards my first certification. I recommend you work through this box yourself and only refer to the write-up if you are stuck. I have designed this write-up to leave out some information in order to help you learn the processes yourself, and not have a step-by-step answer book to copy and paste critical info into the lab. You will learn better if you google and take your time. Remember this is practice. If you need more time, add time to the lab. It is better to take the time you need to get an understanding of what, and why, you are doing something.

To start off we need to connect to the THM VPN or deploy a browser-based Attack Box. I chose to deploy the VPN from my own instance of Kali. In this case, I made the decision to switch to the root user for the process.

After deploying the box we start with our nmap scan. For this, I decided to set the speed to -T4 because this is a CTF-like machine. If this were a real-world penetration test, the scan speed is sometimes determined by the client prior to the engagement. It is good to note that for internal pen tests you want to be loud: if the client does not pick up a loud scan, it is likely that they have some misconfigurations in their network.

The output of the scan is shown below.

nmap -T4 -A -vvv 10.10.215.252 (scan run on March 29th @ 14:47)

__________________________________________

Open port   Service        Version
21          ftp            vsftpd 3.0.3
22          ssh            OpenSSH 7.2p2 Ubuntu
139         netbios-ssn    Samba smbd 3.X - 4.X (Workgroup=same)
445         netbios-ssn    Samba smbd 4.3.11 Ubuntu*
3128        http-proxy     Squid http proxy
3333        http           Apache (Workgroup=Workgroup)

Our scan results come back with Ubuntu and Apache, so it is likely this machine is running Linux. However, when Nmap attempts OS detection (part of -A), it is unable to determine the OS.

The next step is to do our recon. To speed up the process, I ran Autoenum by Gr1mmie.

While that was running I fired up gobuster and enumerated the directory on the HTTP port.

Since these processes will take some time to finish, we can go out and check out the website for any possible attack vector or potential username enumeration.

Above, the arrows and the contents of the boxes show all the buttons that I clicked on. None of them were functional.

Since none of the buttons worked, the next step is to view the source code. After viewing it, I determined there was nothing that helpful other than that the site was written in PHP.

Take Away: By looking at the source code I know the site is written in PHP (this information can also be found by using browser-based extensions). That tells me I should be able to find some way to connect to the server using a PHP reverse shell.

The above photo shows the directories that were discovered, with the exception of one.

Both gobuster and autoenum finished (I should note that autoenum includes directory busting).

After enumerating the directory on the website, I came to one that had an upload function.

I tried a few file types, but none of them were allowed.

Take Away: The site is filtering attempts to upload certain files. So what we need to do is go and look for a method to bypass these upload restrictions.

Next, we need to find a way to bypass these upload restrictions. I fired up Burp to intercept our upload request and once again attempted to upload my file.

A photo showing Burp Proxy intercepting the request: the yellow arrow shows the intercept is on; the red shows the file we are trying to upload, which confirms we have intercepted the correct request.

After we intercept the request we send it to Intruder and mark our payload position (the file extension). We now need to make a custom payload list, which can be done in nano or any text editor. Next, we load our custom payload list into Burp and fire away.

A photo of our payload list loaded into Burp Intruder.
Burp Intruder sniper attack returning results.

After we run it, we can see some success in the form of 200 status codes, but the response length does not match that of our original intercepted request.

After some time, we finally get a match with one of our payloads. This tells us that if we change the file extension to the one that worked, the next upload will be successful.


The reverse shell.
A listener set up on port 777.

Next, I downloaded the PHP reverse shell from Pentestmonkey. After editing the script (setting the listener IP and port), I spun up a listener on port 7777 using netcat.

As you can see below, I was able to upload the reverse shell. I then triggered the shell to pop by navigating to the web address that held the upload.

The web address that holds the upload.
And we have a shell.
As you see above, we can escalate to the root user.
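From the defender's side, the two steps above (fuzzing the upload form with Intruder, then requesting the uploaded file) leave a recognisable trace in the web server's access log. The following Python is an added example, not part of the original write-up, that flags both patterns over a few constructed Apache log lines; the /upload and /uploads/ paths, the IP addresses and the burst threshold are assumptions, not the lab's values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access log. All paths, IPs and log lines below are constructed
# for illustration; the lab's real upload path is intentionally not reproduced here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_ENDPOINT = "/upload"   # assumed form handler that receives the file
UPLOAD_DIR = "/uploads/"      # assumed directory from which uploads are served
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif")
BURST_COUNT, BURST_WINDOW = 5, 60   # >=5 upload POSTs from one client within 60 s

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e

def detect(lines):
    """Return a list of (client_ip, reason) findings for the two behaviours above."""
    findings, posts, uploaders = [], defaultdict(list), set()
    for e in filter(None, map(parse, lines)):
        if e["method"] == "POST" and e["path"].startswith(UPLOAD_ENDPOINT):
            posts[e["ip"]].append(e["ts"])
            uploaders.add(e["ip"])
        elif (e["method"] == "GET" and e["path"].startswith(UPLOAD_DIR)
              and e["status"] == 200 and e["ip"] in uploaders
              and not e["path"].lower().endswith(IMAGE_EXT)):
            # A client that just uploaded now fetches a non-image from the upload dir.
            findings.append((e["ip"], f"non-image fetched after upload: {e['path']}"))
    for ip, stamps in posts.items():
        stamps.sort()
        # Sliding window: fuzzing the upload form produces a burst of POSTs.
        if any((stamps[i + BURST_COUNT - 1] - stamps[i]).total_seconds() <= BURST_WINDOW
               for i in range(len(stamps) - BURST_COUNT + 1)):
            findings.append((ip, f"{BURST_COUNT}+ upload POSTs within {BURST_WINDOW}s"))
    return findings

# Constructed sample: one client fuzzes the upload form, then fetches its upload.
SAMPLE_LOG = [f'203.0.113.5 - - [29/Mar/2022:14:50:{i:02d} +0000] '
              '"POST /upload HTTP/1.1" 200 512' for i in range(6)] + [
    '203.0.113.5 - - [29/Mar/2022:14:52:30 +0000] "GET /uploads/rev.php HTTP/1.1" 200 0',
    '198.51.100.7 - - [29/Mar/2022:14:53:00 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 2048',
]
```

Running detect(SAMPLE_LOG) reports the fuzzing client twice (the burst and the non-image fetch) and nothing for the client that only viewed an image.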
