TryHackMe - Vulnnet
TL;DR - Refer #kill-chain
NMAP Scan
JavaScript File Analysis - Running GoBuster and Nikto doesn't give us much information, so we decide to analyze the JavaScript files instead.
Looking at http://vulnnet.thm/js/index__7ed54732.js, we find the subdomain "broadcast.vulnnet.thm", which we add to the /etc/hosts file on Kali.
Looking at another JavaScript file, http://vulnnet.thm/js/index__d8338055.js, we see a link to the index.php page containing the PHP parameter "referer".
Please note - this can be automated using https://github.com/GerbenJavado/LinkFinder
Visiting the home page, we see that it requires Basic Authentication to proceed.
All that is left is to check the PHP parameter for vulnerabilities. PHP parameters are commonly vulnerable to Local File Inclusion (LFI), Remote File Inclusion (RFI), SQL injection, etc., so we decide to fuzz it for LFI first.
Using PHP data wrappers, we confirm that index.php is vulnerable to LFI via the referer parameter.
Payload - referer=php://filter/resource=/etc/passwd
Since we are looking for the Basic Auth credentials to log in to http://broadcast.vulnnet.thm, we can leverage the LFI to find the password. A good place to look is the .htpasswd file in the /etc/apache2 folder.
Looking at this file, we find the credential hash -
Using JohnTheRipper, we can crack the hash with the rockyou dictionary.
ClipBucket App - Login to broadcast.vulnnet.thm
Logging in to broadcast.vulnnet.thm, we get in and see the ClipBucket app -
We also see that ClipBucket is at version 4, and looking in SearchSploit we see potential exploits to gain a foothold -
We will leverage the file upload vulnerability and try to upload a PHP reverse shell -
Weaponized payload -
Reference - https://www.exploit-db.com/exploits/44250
Edit the reverse shell script - add your VPN IP and listening netcat port.
Starting the reverse shell listener on Kali -
Locating the shell script -
http://broadcast.vulnnet.thm/actions/CB_BEATS_UPLOAD_DIR/
Clicking on our shell script, we get a reverse shell on Kali -
We see the /var/backup/ directory contains a backup of the SSH key of the valid user "system-management".
Extracting the key -
We see the key is encrypted and needs a passphrase, so we will crack it using JohnTheRipper.
In order to crack it, we need to convert the key to JohnTheRipper format using the ssh2john utility, which can be found on GitHub -
We get the password, and now we convert the RSA key to PEM format using OpenSSL -
SSH as the "system-management" user with the new key -
We get in and see user.txt in the home folder as our first flag.
Cron Job -
We see the backups were created by a cron job running as the root user.
Looking at the backup script, we see it is backing up all files (wildcard) from the /home/server-management/Documents directory using the tar utility.
We will leverage this functionality to our advantage -
Using GTFOBins, we see that tar can run a script when the --checkpoint flag is specified. Creating files with such names in Linux can help us gain root.
https://gtfobins.github.io/gtfobins/tar/#shell
Creating the reverse shell script -
Creating dummy files that will act as command line arguments to tar -
Since --checkpoint is not treated as a normal Linux file name, tar will treat those files as part of its command arguments and execute the reverse shell.
The effective commands will be -
Starting a netcat listener on Kali - rlwrap nc -nvlp 5555
Getting the reverse shell -
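From the defender's side, the root cron job above is a textbook tar wildcard injection. The following is an added example (not part of this writeup or the box) that audits a backup script for an unquoted glob passed to tar with no "--" terminator, shows the hardened command line, and flags option-like filenames planted in a backed-up directory. The script text and directory listing are constructed samples, not the box's actual files.

```python
import re

# Constructed sample, modelled on the root cron job described above (not the box's real script)
SAMPLE_BACKUP_SCRIPT = """#!/bin/bash
# nightly backup of user documents
cd /home/server-management/Documents
tar -zcvf /var/backups/documents.tgz *
"""

# Constructed directory listing: two ordinary files plus two option-like names
SAMPLE_LISTING = ["notes.txt", "report.pdf", "--checkpoint=1", "--checkpoint-action=exec=sh shell.sh"]

# An unquoted shell glob token; single- or double-quoted globs are not expanded by the shell
GLOB_TOKEN = re.compile(r"^[^'\"]*[*?\[][^'\"]*$")


def find_wildcard_tar(script):
    """Heuristic audit: return (line_no, line) for each tar invocation whose operands contain an
    unquoted glob and no '--' terminator, i.e. where expanded filenames can be parsed as options."""
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        tokens = line.strip().split()
        if not tokens or tokens[0].startswith("#") or not tokens[0].endswith("tar"):
            continue
        if "--" not in tokens and any(GLOB_TOKEN.match(t) for t in tokens[1:]):
            findings.append((no, line.strip()))
    return findings


def harden_tar_line(line):
    """Insert '--' before the first glob operand so everything the shell expands is an operand,
    never an option (GNU tar stops option parsing at '--')."""
    tokens = line.split()
    for i, tok in enumerate(tokens[1:], 1):
        if GLOB_TOKEN.match(tok):
            return " ".join(tokens[:i] + ["--"] + tokens[i:])
    return line


def option_like_names(names):
    """Detection: filenames beginning with '-' in a directory fed to tar by wildcard are the
    planted artefacts of this technique and are worth alerting on."""
    return [n for n in names if n.startswith("-")]


if __name__ == "__main__":
    for no, line in find_wildcard_tar(SAMPLE_BACKUP_SCRIPT):
        print(f"line {no}: {line}\n  hardened: {harden_tar_line(line)}")
    print("suspicious names:", option_like_names(SAMPLE_LISTING))
```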