Vulnversity - TryHackMe - Devblog de Xenos

Lessons Learnt summary

Lab	vulnversity
URL	https://tryhackme.com/fr/vulnversity
Main goal	Ensure we can work on labs (VPN connection) and setup simple reverse shell along with pwncat-cs shells
Pitfalls to avoid	Installing pwncat was difficult, as "pip install" command failed; hence why relying on "python3 -m pip" instead Always create a dedicated folder for the lab Always remember to take screenshots along the lab/CTF/pentest/bounty hunt so you don't need to go over all the process again for the report

The lab details

I'll make a very succinct "lessons learned" (not really a detailed writeup) on this lab, showing each main step while trying not to be uselessly verbose, focusing only on important options or tricks that I missed (and so may you).
I took the opportunity to try pwncat-cs for this TryHackMe lab

Setup

Open the VPN connexion to the lab with `sudo openvpn config.ovpn`

Find your IP in this VPN at *http://10.10.10.10/*

It is always good to create a dedicated folder for a lab, a CTF or a pentest.

For this one, I've put all the notes, screenshots, payloads, etc. into ~/pentest/target/tryhackme/vulnversity/

Always make screenshots at every stage of your attack, from the very start.

This will make it way easier for you to write down your report, being a lab, a CTF or an actual pro pentest. You may move the screenshots to the dedicated folder you've created once your mission is accomplished (flag taken or pentest done).

Reconnaissance

Always run a `nmap -sC -sV` don't forget ports above 1000 (no `-F`) and **always** `tee` to a dedicated file

Give a look at the web servers you find (not always required, but nice to do)

Here, it wasn't used, but /robots.txt must never be forgotten.

`Feroxbuster` is a very good tool for force bruting directories
Always use `-o` to set an output for your scan

With recursion, you'll find the `/internal/` endpoint and its `/internal/uploads/` associed directory with uploaded files

In case you end up with lots of errors (network is overloaded):
`--rate-limit` to fix the max number of request per dirscan
`-L` to fix the max number of concurrent dirscans
`-n` to avoid recursion scan

The potential attack vector

You may rely on `burpsuite` to test the uploadable file extensions

Set your BURP IP (found in the of burpsuite) in the options menu of Foxyproxy (great plugin for Firefox proxy management) and switch to it on demand for capturing Firefox requests

Disable interceptor (never very useful unless on-the-fly queries must be altered or stopped), `Ctrl+I` to send the proxy-captured request to intruder, then set the placeholders (try not to forget any) and run

Don't forget even weird PHP extensions like php3;php4;php5;phtml

Results may be obvious (length-based) or much more hidden (content)

Exploit with a reverse Shell

Find appropriate reverse-shell payload (password to avoid AV FP: reinom), open a local listener `nc -vlnp 31415`, don't forget to set you IP and port in there, and upload the PHP reverse shell file using proper extension (`.phtml`)

Visit the PHP page and get your reverse shell opened
It sometimes happens that the PHP page will be visited by someone else, like an admin, a reviewer (moderator), or even an automated tool depending on where the uploaded file will be stored

Then search for the flag, usually in a `user.txt` file or `flag.txt` file
`find / -type f -name "*flag*"` or `"*user*"` may help

Privesc

It's time to turn from www-data user to root user

Note that the root user may be named admin or sysadmin or whatever

If you don't know how to privesc, then ~~google~~ duckduckgo for it: chances are someone already exploited something you may relate with

Create a reverse shell service payload and open up your local listener on another port

The services are arbitrary commands.
If you have the rights (through the lab/CTF's interface) to start arbitrary defined services, then you have a RCE (Remote Code Execution) and probably a remote shell

Upload the service definition, either throught the reverse shell or using the application's upload form

Register (`enable`) and run (`start`) the service using your reverse shell

It seems the service file must be named .service, hence the mv command

The service started, your listener is a root reverse shell on the machine

Gather the flag the same way as before (`/root` directory or `find / -name "root.txt"`)

Using `pwncat-cs`

The nc utility is a very rough reverse shell (no tab completion, no up/left arrows,...) so you may rely on pwncat-cs instead, which will have nice completion and history features

Run `python3 -m pwncat`, after having installed it first (`python3 -m pip install pwncat-cs`)

Listeners can be created with `listen -m linux 31415` (or `-m windows` for windows targets)

When visiting the backdoor PHP page, pwncat shows up that the connection gets active
You may list `sessions` or switch `session 0`
Hit `Ctrl+D` to switch between local and remote command line (of current session)

The user flag can be gathered the same way (we already know the path)

You can privesc the same way as before by returning to local shell (`Ctrl+D`), start a new `listen -m linux 31416`, go back to remote shell (`Ctrl+D`) and `systemctl start privesc.service`. Then, gather the `/root/root.txt` flag

You may use pwncat's `upload [local] [remote]` command to send a local file to the remote target if you cannot rely on the application's "upload" functionnality

When uploading a file using a reverse shell, ensure you are allowed to write to the destination directory (here, www-data cannot write to bill's home directory

⇇ TryHackMe lessons learned