THM Vulnversity - grunt92/IT-Sec-WriteUps GitHub Wiki
Deploy the machine
No answer needed
Reconnaissance
There are many nmap "cheatsheets" online that you can use too.
No answer needed
Scan the box, how many ports are open
Run nmap -A -p- IP to get the answer.
6
What version of the squid proxy is running on the machine?
3.5.12
How many ports will nmap scan if the flag -p-400 was used?
400
Using the nmap flag -n what will it not resolve?
dns
What is the most likely operating system this machine is running?
ubuntu
What port is the web server running on?
3333
It's important to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (each of which can be a point of exploitation) is very important. Don't forget that ports in a higher range might be open, so always scan ports above 1000 as well (even if you leave that scan running in the background).
No answer needed
Locating directories using GoBuster
Now let's run GoBuster with a wordlist: gobuster dir -u http://:3333 -w
No answer needed
What is the directory that has an upload form page?
/internal/
Compromise the webserver
Try uploading a few file types to the server. What common extension seems to be blocked?
.php
To do this, we're going to use BurpSuite. If you are unsure of what BurpSuite is, or how to set it up, please complete our BurpSuite room first.
No answer needed
Run this attack, what extension is allowed?
.phtml
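The room's lesson here is a defensive one: the server rejects ".php" but accepts ".phtml", because it filters with a blocklist of one bad extension instead of an allowlist of good ones. The script below is an added example (not code from the room or the writeup's author) that models the weak check beside the hardened one; the extension sets and sample filenames are constructed for illustration.

```python
"""Upload-extension validation: blocklist vs allowlist.

Added example, not code from the Vulnversity room or the writeup's author.
It models the filter behaviour the room describes (".php" blocked, ".phtml"
accepted) and contrasts it with an allowlist, the check a defender should use.
Extension sets and filenames below are constructed samples.
"""
import os

# Constructed: the single blocked extension the room's upload form appears to use.
BLOCKED_EXTENSIONS = {".php"}

# Constructed: what an image-upload form should actually accept.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


def normalised_extension(filename: str) -> str:
    """Return the final extension, lower-cased, so 'x.PhTmL' and 'x.phtml' compare equal."""
    _, ext = os.path.splitext(os.path.basename(filename))
    return ext.lower()


def blocklist_accepts(filename: str) -> bool:
    """The weak check: reject only extensions that appear on the blocklist.
    Anything the author forgot to list (.phtml, .php5, ...) passes."""
    return normalised_extension(filename) not in BLOCKED_EXTENSIONS


def allowlist_accepts(filename: str) -> bool:
    """The hardened check: accept only extensions that appear on the allowlist.
    Alternative server-side handler extensions fail because they were never listed."""
    return normalised_extension(filename) in ALLOWED_EXTENSIONS


def audit(filenames):
    """Return {filename: (blocklist_result, allowlist_result)} for side-by-side review."""
    return {f: (blocklist_accepts(f), allowlist_accepts(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample uploads, including the two the room has you try.
    samples = ["photo.png", "shell.php", "shell.phtml", "shell.PHP", "notes.txt"]
    for name, (weak, strong) in audit(samples).items():
        weak_s = "accept" if weak else "reject"
        strong_s = "accept" if strong else "reject"
        print(f"{name:12} blocklist={weak_s:6} allowlist={strong_s}")
```

The extension check is only one layer: the upload directory should also be served without script execution, and the server's handler mapping should be reviewed so that a multi-extension name is never executed as PHP.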
To gain remote access to this machine, follow these steps:
No answer needed
What is the name of the user who manages the webserver?
Run ls /home to get a list of all users.
bill
What is the user flag?
Run cat /home/bill/user.txt to get the flag.
8bd7992fbe8a6ad22a63361004cfcedb
Privilege Escalation
On the system, search for all SUID files. What file stands out?
Run find / -user root -perm -4000 -exec ls -ldb {} \;
/bin/systemctl
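From the defender's side, the same SUID walk is more useful when diffed against a baseline of binaries that are supposed to be setuid, so a stray entry such as a setuid systemctl stands out instead of being buried in the full list. The script below is an added example (not code from the room or the writeup's author); the baseline paths and the temporary tree it builds are constructed samples, and the `find_suid`, `unexpected_suid` and `demo` names are mine.

```python
"""SUID baseline audit.

Added example, not code from the Vulnversity room or the writeup's author.
The room finds SUID binaries with `find / -user root -perm -4000`; this
script does the same walk in Python and then diffs the result against a
baseline of binaries expected to be SUID. Baseline entries and the demo
tree are constructed samples.
"""
import os
import stat
import tempfile

# Constructed baseline: binaries that are normally SUID on a Debian/Ubuntu box.
# A real baseline should be captured from a known-good build of the same image.
EXPECTED_SUID = {
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/usr/bin/su",
}


def find_suid(root: str) -> set:
    """Walk `root` and return absolute paths of regular files with the setuid bit.
    Equivalent to `find ROOT -perm -4000 -type f`; unreadable entries are skipped."""
    found = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found


def unexpected_suid(found: set, baseline: set, root: str = "/") -> set:
    """Return SUID files that are not in the baseline. Baseline paths are rebased
    onto `root` so the same list works against a mounted image or a test tree."""
    rebased = {os.path.join(root, p.lstrip("/")) for p in baseline}
    return found - rebased


def demo() -> set:
    """Build a constructed tree with one expected SUID file and one rogue one,
    then report the rogue entry relative to the tree root."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "bin"))
    for rel in ("usr/bin/passwd", "bin/systemctl", "bin/ls"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("#!/bin/sh\n")
    # Mark two of them setuid; bin/ls stays a plain file.
    for rel in ("usr/bin/passwd", "bin/systemctl"):
        os.chmod(os.path.join(root, rel), 0o4755)
    rogue = unexpected_suid(find_suid(root), EXPECTED_SUID, root)
    return {os.path.relpath(p, root) for p in rogue}


if __name__ == "__main__":
    print("unexpected SUID files in demo tree:", sorted(demo()))
```

Against a live host, call `find_suid("/")` as root so every directory is readable, and treat anything returned by `unexpected_suid` as a finding to explain or remove; package-manager file lists are a good source for the baseline.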
Become root and get the last flag (/root/root.txt)
Use GTFOBins to find a privilege escalation for systemctl. Note: use "/bin/systemctl" instead of "systemctl" for the escalation to make sure that the process works as intended.