Vulnversity - TryHackMe

Lessons Learnt summary

Lab vulnversity
Main goal Ensure we can work on labs (VPN connection) and setup simple reverse shell along with pwncat-cs shells
Pitfalls to avoid
  • Installing pwncat was difficult, as "pip install" command failed; hence why relying on "python3 -m pip" instead
  • Always create a dedicated folder for the lab
  • Always remember to take screenshots along the lab/CTF/pentest/bounty hunt so you don't need to go over all the process again for the report
CTF files 💾 The files of this lab's writeup are available here

The lab details

I'll make a very succinct "lessons learned" (not really a detailed writeup) on this lab, showing each main step while trying not to be uselessly verbose, focusing only on important options or tricks that I missed (and so may you).
I took the opportunity to try pwncat-cs for this TryHackMe lab

Setup

Open the VPN connexion to the lab with sudo openvpn config.ovpn
Find your IP in this VPN at http://10.10.10.10/

It is always good to create a dedicated folder for a lab, a CTF or a pentest.
For this one, I've put all the notes, screenshots, payloads, etc. into~/pentest/target/tryhackme/vulnversity/

Always make screenshots at every stage of your attack, from the very start.
This will make it way easier for you to write down your report, being a lab, a CTF or an actual pro pentest. You may move the screenshots to the dedicated folder you've created once your mission is accomplished (flag taken or pentest done).

Reconnaissance

Always run a nmap -sC -sV; don't forget ports above 1000 (no -F) and always tee the results to a dedicated file
Give a look at the web servers you find (not always required, but nice to do)

Here, it wasn't used, but /robots.txt must never be forgotten.

Feroxbuster is a very good tool for force bruting directories Always use -o to set an output for your scan
With recursion, you'll find the /internal/ endpoint and its /internal/uploads/ associed directory with uploaded files
In case you end up with lots of errors (network is overloaded):
--rate-limit to fix the max number of request per dirscan
-L to fix the max number of concurrent dirscans
-n to avoid recursion scan

The potential attack vector

You may rely on burpsuite to test the uploadable file extensions
Set your BURP IP (found in the of burpsuite) in the options menu of Foxyproxy (great plugin for Firefox proxy management) and switch to it on demand for capturing Firefox requests
Disable interceptor (never very useful unless on-the-fly queries must be altered or stopped), Ctrl+I to send the proxy-captured request to intruder, then set the placeholders (try not to forget any) and run

Don't forget even weird PHP extensions like php3, php4, php5, or phtml.

Results may be obvious (length-based) or much more hidden (content)

Exploit with a reverse Shell

Find appropriate reverse-shell payload (see zip in this zip; password to avoid AV FP: reinom) , open a local listener nc -vlnp 31415 , don't forget to set you IP and port in there, and upload the PHP reverse shell file using proper extension (.phtml)
Visit the PHP page and get your reverse shell opened
It sometimes happens that the PHP page will be visited by someone else, like an admin, a reviewer (moderator), or even an automated tool depending on where the uploaded file will be stored
Then search for the flag, usually in a user.txt file or flag.txt file
find / -type f -name "flag" or "user" may help

Privesc

It's time to turn from www-data user to root user

Note that the root user may be named admin or sysadmin or whatever

If you don't know how to privesc, then google duckduckgo for it: chances are someone already exploited something you may relate with
Create a reverse shell service payload (see zip content) and open up your local listener on another port

The services are arbitrary commands.
If you have the rights (through the lab/CTF's interface) to start arbitrary defined services, then you have a RCE (Remote Code Execution) and probably a remote shell

Upload the service definition, either throught the reverse shell or using the application's upload form
Register (enable) and run (start) the service using your reverse shell

It seems the service file must be named .service, hence the mv command

The service started, your listener is a root reverse shell on the machine
Gather the flag the same way as before (/root directory or find / -name "root.txt"

Using `pwncat-cs`

The nc utility is a very rough reverse shell (no tab completion, no up/left arrows,...) so you may rely on pwncat-cs instead, which will have nice completion and history features

Run python3 -m pwncat after having installed it first (python3 -m pip install pwncat-cs
Listeners can be created with listen -m linux 31415 (or -m windows for windows targets)
When visiting the backdoor PHP page, pwncat shows up that the connection gets active
You may list sessions or switch session 0
Hit Ctrl+D to switch between local and remote command line (of current session)
The user flag can be gathered the same way (we already know the path)
You can privesc the same way as before by returning to local shell (Ctrl+D), start a new listen -m linux 31416, go back to remote shell (Ctrl+D) and systemctl start privesc.service. Then, gather the /root/root.txt flag
You may use pwncat's upload [local] [remote] command to send a local file to the remote target if you cannot rely on the application's "upload" functionnality

When uploading a file using a reverse shell, ensure you are allowed to write to the destination directory (here, www-data cannot write to bill's home directory