Introduction
Vulnversity is the first machine we encounter on the Offensive Pentesting path on TryHackMe.
Target IP: 10.10.160.104; I usually export this as $target.
Scanning and Enumeration
- The first scan is an Nmap scan:
nmap -sV -Pn $target
-sV: Probe open ports to determine service/version info
-Pn: Treat all hosts as online — skip host discovery

We observe that we do not yet have a specific version for the Samba service, so we can run enum4linux $target to enumerate the box further before going ahead.
Important data that we get from this test:
1. Domain/workgroup name: WORKGROUP
2. [+] Server 10.10.160.104 allows sessions using username '', password '' (anonymous login is allowed)
I was not able to get the Samba version precisely; all I managed to get was '3.x-4.x', so I had to use Metasploit.

Update: Running nmap as root gave me the required version enumeration as well, and we could have skipped Metasploit.

Results
We find the following services along with their versions:
- FTP
  Port → 21
  Version → vsftpd 3.0.3
- SSH
  Port → 22
  Version → 7.2p2
- Samba
  Port → 139, 445
  Version → 4.3.11 (Ubuntu)
- Squid Proxy
  Port → 3128
  Version → 3.5.12
- HTTP
  Port → 3333
  Version → Apache httpd 2.4.18
  Comments → Unusual port; OS is Ubuntu
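As an added example (not part of the original write-up), the script below parses nmap's greppable (-oG) output into the same service table and flags anything that deviates from a defender's expected baseline, such as an HTTP server on port 3333, and lists ports whose version string is only a range and therefore needs service-specific enumeration (the enum4linux step above). The scan text is constructed to mirror the results listed here, and the EXPECTED baseline is an assumption for illustration.

```python
"""Parse nmap greppable (-oG) output into a service inventory and flag
deviations from an expected baseline. Added example; the scan text below is
constructed to mirror the write-up's results, not a real capture."""
import re

# Constructed sample of `nmap -sV -Pn -oG - 10.10.160.104` output.
SAMPLE_OG = """\
# Nmap 7.80 scan initiated as: nmap -sV -Pn -oG - 10.10.160.104
Host: 10.10.160.104 ()\tStatus: Up
Host: 10.10.160.104 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu (protocol 2.0)/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, 445/open/tcp//netbios-ssn//Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)/, 3128/open/tcp//http-proxy//Squid http proxy 3.5.12/, 3333/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/\tIgnored State: closed (994)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Each Ports: entry is port/state/proto/owner/service/rpc/version/ ; nmap writes
# any '/' inside a version string as '|', so splitting on '/' is safe.
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")

# Defender's baseline (assumed for the example): which service belongs on which port.
EXPECTED = {21: "ftp", 22: "ssh", 139: "netbios-ssn", 445: "netbios-ssn", 3128: "http-proxy"}


def parse_greppable(text):
    """Return one dict per port entry found in nmap -oG text."""
    services = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and the Status: line carry no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            if len(parts) < len(PORT_FIELDS):
                continue  # malformed entry: skip rather than guess
            rec = dict(zip(PORT_FIELDS, parts[: len(PORT_FIELDS)]))
            rec["port"] = int(rec["port"])
            rec["host"] = host
            services.append(rec)
    return services


def open_services(services):
    return [s for s in services if s["state"] == "open"]


def flag_unusual(services, expected=EXPECTED):
    """Open ports missing from, or disagreeing with, the baseline."""
    findings = []
    for s in open_services(services):
        want = expected.get(s["port"])
        if want is None:
            findings.append((s["port"], f"unexpected {s['service']} service: {s['version']}"))
        elif want != s["service"]:
            findings.append((s["port"], f"expected {want}, saw {s['service']}"))
    return findings


def needs_followup(services):
    """Ports whose version is empty or only a range such as '3.X - 4.X',
    i.e. where a protocol-specific tool (enum4linux for SMB) should run next."""
    return [s["port"] for s in open_services(services)
            if not s["version"] or re.search(r"\d\.X", s["version"])]


if __name__ == "__main__":
    inventory = parse_greppable(SAMPLE_OG)
    for s in open_services(inventory):
        print(f"{s['port']:>5}/{s['proto']}  {s['service']:<12} {s['version']}")
    for port, why in flag_unusual(inventory):
        print(f"[!] {port}: {why}")
    print("needs service-specific enumeration:", needs_followup(inventory))
```

Running it prints the six open ports, one finding for the HTTP server on 3333, and port 139 as the one whose Samba version is still a range.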
Vulnerability Analysis
- FTP: No public exploits found.
- SSH: We only have a username-enumeration vulnerability here; we can come back to this in case we need some usernames.
Anyway, SSH vulnerabilities are rare, and SSH is generally used to log in with credentials gathered from other services.

- Samba: Only DoS exploits were found, which are not relevant to our goal; had this been a pentest, this would definitely have been useful.

- Squid Proxy: All public exploits once again point to DoS attacks.

- HTTP: We need to enumerate the web app to get our initial local foothold.
Web App Analysis
Let us first visit the website and explore it. Or as TryHackMe says, take the Happy Path :P


Observations:
- All the links on the page pointed to '/#'.
- The blog links redirected to '/blog-single.html', which was not found on the server.
- Even though the links were invalid, the page gives us 'Admin' as a possible username.
The next logical step is to go for tools like Nikto and Gobuster; I usually start them in parallel.
Nikto did not reveal much, but gobuster reveals the following paths, of which 'internal' looks juicier than the rest.


We find that '/internal/' has an upload option available. Maybe this is the attack vector we were looking for. Let us try to use it to get our initial foothold on the machine.
Initial Foothold
First, we try to upload a normal '.txt' file; once it was uploaded, no path was exposed. This means we fire up Burp to see the requests and responses.


We see that we get a positive hit for '.phtml'. We can now send a PHP reverse shell (link).
We would need to change the IP and the port for this to work, and also set up a listener.
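The reason '.phtml' got through is the classic denylist problem: the filter names the extensions it wants to block and misses one that the server's PHP handler also executes. The following added Python example (not code from the room or the write-up) puts a constructed weak denylist beside an allowlist validator of the kind the upload handler should have used, and runs both over the same candidate names; the denylist contents, allowed extensions and stem rules are assumptions for illustration.

```python
"""Weak extension denylist vs. allowlist validation for file uploads.
Added example; the denylist below is constructed and is not the room's filter."""
import os
import re
import secrets

# A naive denylist: it stops the obvious '.php' but not '.phtml' or '.PHP'.
WEAK_DENYLIST = {".php", ".php3", ".php4", ".php5"}

# Hardened policy (assumed): exactly what the application needs to accept.
ALLOWED_EXT = {".txt", ".pdf", ".png", ".jpg"}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # no dots, so no double extensions


def denylist_accepts(filename):
    """The weak check: accept unless the (case-sensitive) extension is listed."""
    return os.path.splitext(filename)[1] not in WEAK_DENYLIST


def allowlist_check(filename):
    """The hardened check. Returns (accepted, reason_or_extension)."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path components
    stem, ext = os.path.splitext(base)
    if not SAFE_STEM.match(stem):
        return False, "stem must be 1-64 chars of [A-Za-z0-9_-] (no dots)"
    ext = ext.lower()  # normalise case before comparing
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} not in allowlist"
    return True, ext


def stored_name(ext):
    """Never reuse the client's name on disk: random stem plus the validated extension,
    so the stored path is neither attacker-chosen nor guessable."""
    return secrets.token_hex(16) + ext


def compare(filenames):
    """Side-by-side verdicts: {name: (denylist_accepts, allowlist_accepts)}."""
    return {n: (denylist_accepts(n), allowlist_check(n)[0]) for n in filenames}


# Constructed candidate names covering the bypasses a denylist typically misses.
CANDIDATES = ["report.txt", "shell.phtml", "shell.PHP", "shell.php.jpg",
              ".htaccess", "../../shell.txt"]

if __name__ == "__main__":
    print(f"{'filename':<18} denylist  allowlist")
    for name, (weak, strong) in compare(CANDIDATES).items():
        print(f"{name:<18} {str(weak):<9} {strong}")
```

The table it prints shows the denylist accepting every candidate except a plain '.php', while the allowlist only accepts the two '.txt' names (and strips the path components from the second). Even with correct validation, the upload directory itself should not be allowed to execute scripts, for instance by disabling the PHP engine for that directory in the Apache configuration.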

But we forgot the main thing! We still do not know where the uploaded file is stored, so let us run gobuster on HTTP://$target:3333/internal/ and see if we can find something.

We immediately find the uploads directory, and in it the uploaded file.

But before we open it, we need to start the listener: nc -nlvp 1234

We get our initial foothold. As soon as I receive a shell, I convert it to a pty using python -c "import pty;pty.spawn('/bin/bash')"
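From the defender's side, the whole sequence above (a POST to the upload form, a burst of 404s from directory brute-forcing, then a request for a script file under /internal/uploads/) is visible in Apache's access log. The following added Python example, which is not part of the original write-up, runs two simple detections over constructed combined-format log lines; the upload endpoint path /internal/index.php, the client addresses and the 404 threshold are assumptions.

```python
"""Detect web-shell style uploads and directory brute-forcing in Apache
combined-format access logs. Added example; the log lines are constructed."""
import re
from collections import Counter

# Constructed sample: one client uploads, brute-forces /internal/, then
# requests its own .phtml file; a second client fetches a harmless text file.
SAMPLE_LOG = """\
10.8.0.5 - - [12/Oct/2020:14:03:11 +0000] "GET /internal/ HTTP/1.1" 200 1231 "-" "Mozilla/5.0"
10.8.0.5 - - [12/Oct/2020:14:03:40 +0000] "POST /internal/index.php HTTP/1.1" 200 1344 "http://10.10.160.104:3333/internal/" "Mozilla/5.0"
10.8.0.5 - - [12/Oct/2020:14:03:51 +0000] "GET /internal/admin HTTP/1.1" 404 275 "-" "gobuster/3.0"
10.8.0.5 - - [12/Oct/2020:14:03:51 +0000] "GET /internal/backup HTTP/1.1" 404 275 "-" "gobuster/3.0"
10.8.0.5 - - [12/Oct/2020:14:03:52 +0000] "GET /internal/test HTTP/1.1" 404 275 "-" "gobuster/3.0"
10.8.0.5 - - [12/Oct/2020:14:03:52 +0000] "GET /internal/uploads HTTP/1.1" 301 318 "-" "gobuster/3.0"
10.8.0.5 - - [12/Oct/2020:14:04:09 +0000] "GET /internal/uploads/shell.phtml HTTP/1.1" 200 - "-" "Mozilla/5.0"
10.8.0.9 - - [12/Oct/2020:14:05:00 +0000] "GET /internal/uploads/notes.txt HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

UPLOAD_ENDPOINT = "/internal/index.php"   # assumed: the form handler that accepts uploads
UPLOAD_DIR = "/internal/uploads/"         # where the write-up found the uploaded file
# Extensions a default PHP handler executes; .phtml is the one the page abused.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|phps)(\?|$)", re.IGNORECASE)
SCAN_404_THRESHOLD = 3                    # assumed: tune to the site's normal 404 rate


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines, threshold=SCAN_404_THRESHOLD):
    """Two detections in one pass:
    - a request for a script file under the upload directory ('critical' when
      the same client POSTed to the upload endpoint earlier in the log);
    - clients producing at least `threshold` 404s (directory brute-forcing)."""
    uploaders = set()
    not_found = Counter()
    script_hits = []
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        if r["method"] == "POST" and r["path"] == UPLOAD_ENDPOINT:
            uploaders.add(r["ip"])
        if r["status"] == "404":
            not_found[r["ip"]] += 1
        if r["path"].startswith(UPLOAD_DIR) and SCRIPT_EXT.search(r["path"]):
            severity = "critical" if r["ip"] in uploaders else "high"
            script_hits.append((severity, r["ip"], r["path"], r["status"]))
    scanners = {ip: n for ip, n in not_found.items() if n >= threshold}
    return {"script_requests": script_hits, "scanners": scanners}


if __name__ == "__main__":
    result = detect(SAMPLE_LOG.splitlines())
    for sev, ip, path, status in result["script_requests"]:
        print(f"[{sev}] {ip} requested {path} (HTTP {status})")
    for ip, n in result["scanners"].items():
        print(f"[scan] {ip} produced {n} 404s")
```

A request for a script-type file under an upload directory should never be legitimate on this site, so the first rule alone is worth an alert; correlating it with an earlier POST from the same address turns it into a confirmed upload-then-execute chain rather than a stray probe.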
Post Exploitation
Looking at '/etc/passwd' gives us another user on the system, called bill.


We get the user flag. We still need to enumerate more in order to get root.
We list all the files that have the set-uid bit set using find / -perm /4000 2>/dev/null

Interesting binaries with SUID set:
1. systemctl
We go to GTFOBins and see the following snippet.
Link: https://gtfobins.github.io/gtfobins/systemctl/#suid



We need to change the command that it executes: the target file can only be read, not executed, so let's 'cat /root/root.txt'.
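An added example (not from the write-up) of the audit a defender would run to catch this before an attacker does: compare the output of the find command above against a known-good baseline of SUID binaries, flag anything extra, and escalate entries that GTFOBins lists as abusable when SUID. The find output is constructed, the baseline set is an assumption for a stock Ubuntu 16.04 image, and the GTFOBins subset is illustrative rather than complete.

```python
"""Audit SUID binaries against a known-good baseline. Added example; the
find output and the baseline are constructed/assumed, not taken from the room."""
import os
import stat

# Constructed sample of `find / -perm /4000 2>/dev/null` on an Ubuntu 16.04-style host.
SAMPLE_FIND = """\
/bin/mount
/bin/umount
/bin/su
/bin/ping
/bin/ping6
/bin/fusermount
/bin/systemctl
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/pkexec
"""

# Assumed baseline: SUID binaries that ship that way on a stock install. In
# practice generate this from a known-good image rather than typing it in.
BASELINE = {
    "/bin/mount", "/bin/umount", "/bin/su", "/bin/ping", "/bin/ping6",
    "/bin/fusermount", "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/gpasswd", "/usr/bin/pkexec",
}

# Illustrative subset of binaries GTFOBins documents as abusable when SUID;
# consult https://gtfobins.github.io/ for the full, current list.
GTFO_SUID = {"systemctl", "find", "vim", "bash", "python"}


def audit_suid(find_output, baseline=BASELINE):
    """Return findings for every SUID path not in the baseline. Paths whose
    basename is on the GTFOBins subset are 'high'; others are 'review'."""
    findings = []
    for path in find_output.splitlines():
        path = path.strip()
        if not path or path in baseline:
            continue
        severity = "high" if os.path.basename(path) in GTFO_SUID else "review"
        findings.append({"path": path, "severity": severity, "fix": f"chmod u-s {path}"})
    return findings


def live_suid_scan(roots=("/bin", "/sbin", "/usr/bin", "/usr/sbin")):
    """Live equivalent of the find command: regular files with the SUID bit,
    one per line, so the result can be fed straight into audit_suid()."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue  # unreadable or vanished entry: skip
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    found.append(p)
    return "\n".join(sorted(found))


if __name__ == "__main__":
    for f in audit_suid(SAMPLE_FIND):
        print(f"[{f['severity']}] {f['path']}  ->  {f['fix']}")
```

On the constructed sample the only finding is /bin/systemctl, rated high because it is on the GTFOBins subset, with the remediation of clearing its SUID bit; on a real host, run `audit_suid(live_suid_scan())` against a baseline captured from a clean image and treat any difference as a change to investigate.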
And we finally get the root flag. That ends the challenge here.
Thank you TryHackMe for the wonderful room :)