OSCP Preparation TryHackMe 01: Vulnersity

Notification: This is not a technical step-by-step guide. 

Summary

a. Initial Access

    Web upload RCE

b. User Access

    Web upload RCE

c. Root Access

    SUID /bin/systemctl


Tips
a. Gobuster should at least run twice to enumerate the first round found folder.

b. Common Php extensions
.php
        .php1
        .php2
.php3
.php4
.php5
.phtml

c. To identify which extensions are not blocked can use:
    Fuzz to upload form
    Burp Suite set the payload to "sniper" to attack

Procedure
1. Port Scan
    $nmap -vv 10.10.132.213  ##scan top 1000 ports
    $nmap -sV 10.10.132.213 ##scan top 1000 ports with port service version
    $nmap -A -p- -T4 10.10.132.213  ##All os/service, all ports, fast module
    

2. Service Enumation
21 Port
Vsftpd 3.0.3
No anonymous login
No exploit
22 Port
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.7
139, 445 Port
3138 Port
3333 Port
    Web http server
    Gobuster found /internal/ upload location
    Gobuster found/internal/uplaod/, looks file saved location
    Not allow txt,php conmon extension
    Tested allow .phtml extension upload

3. User Access
Gobuster
$gobuster dir -u http://10.10.132.213:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
$gobuster dir -u http://10.10.132.213:3333/internal -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Bypass File Upload Restriction 
    The website does not allow PHP reverse shell to upload. tested common extension. bypassed with .phtml

Manage to get the reverse shell


4. Privilege Escalation
    Check SUID permission
        $$find / -perm -u=s -type f 2>/dev/null
       
    
   Cross compared with GtfoBins SUID list I created, match "systemctl" value


    Modify the command to get root permission reverse shell



Comments

Post a Comment

Popular posts from this blog

To Be A CyberMan: Installing PfSense on a WatchGuard Firebox

Image
OX01 Preface My company recently upgraded its firewall to FortiGate Firewall.  They eliminated 3 of the licenses expired WatchGuard Firebox Firewalls. The WatchGuard FireBox models are XTM5 Series, M400, and M470. I was wondering if I can install the opensource Firewall application such as PfSense on FireBox to use as Testing Lab Environment. 0X02 Information      XTM5 Series comes with a 1GB CF card, free space is not enough for the lastest Pfsense,  need to add additional Hard Disk as PfSense system booting drive.     M400 comes with a 4 GB CF card, can use CF card as a PfSense system booting drive.     M470 comes with mSTAT SSD.  can SSD as a PfSense system booting drive. 0X03 Installing PfSense on M400 1. Preparation:           WatchGuard Firebox M400 Appliance          A USB Flash Drive          A CF Card USB reader          A co...
Read more

How I passed the CSX Fundamentals within one month

Image
  How I passed the CSX Fundamentals within one month Hi Guys, My name is Trevor Shi. I just passed the CSX within one month. I would like to share some experience maybe it will help you guys to prepare the exam. One of the funny things was, I used one month to learn it. But I spent the other one month to book the exam. I re-booked 5 times of exam as ISACA PSI online exam application has lots of issues.  I met every situation you can imagine. The first-time ISACA website down, the second-time they canceled my booked without excuse, the third-time application couldn't open, and the Fourth time was my fault, I just missed the exam. Finally, I got this certificate. We had a small group named CyberRookie, It just like an unorganized cyber knowledge self-studying group, we are trying to be more organized. So t he purpose of this article is as a guideline of the CyberRookie Project CSX certification learning method . A. The Cybersecurity Fundamentals Certific...
Read more

To Be A CyberMan: The 0365 email/ADFS Troubleshooting - Http status 500 error

Image
 To Be A CyberMan: The O365 email/ADFS Troubleshooting - Http status 500 error    0x00: Preview Knowlege ADFS: Active Directory Federation Services (ADFS) is a Microsoft Single Sign-On (SSO) solution. It provides users with authenticated access to applications that are not capable of using Integrated Windows Authentication (IWA) through Active Directory (AD).   Reference: https://docs.microsoft.com/en-us/windows-server/identity/active-directory-federation-services   0x01: Symptoms Some users reported they were not able to log into the email from Web console, the error shows: HTTP status 500:internal server error   0x02: Troubleshooting We tested some accounts email, The issue only affected some of the user's web-based Outlook applications. So we sent the email to our outlook service provider, got confirmation that the outlook service is working. From the error message, we can see the error is the internal serv...
Read more