VulnNet TryHackMe walkthrough
Hello guys am back again with another walkthrough from TryHackMe. This time we are going to be handling VulnNet. The room was released yesterday i did it and finished it but I’ve been on the road for the past three days so releasing a room was kinda hard but better late than never. The room was rated medium but still again i believe if you have a solid foundation on pentesting it’s actually an easy box. The box starts off by us discovering that the box has virtual host routing enabled meaning as a user we shall be routed to different websites depending on the hostname we provide. But one of those website(broadcast.vulnnet.thm) is protected using HTTP Authentication meaning we need right credentials to access it. The other website(vulnnet.thm) is vulnerable to a Local File Inclusion (LFI) vulnerability we leak the credentials for and login to the Site (broadcast.vulnnet.thm) . We then find that the website is running a Content Management System called ClipBucket which is vulnerable to a remote code execution through a flaw in the file upload functionality. We exploit that vulnerability using metasploit to land ourselves a shell on the box. Looking at /var/backups folder there’s a gunzip compressed file that has an ssh private key for a user on the box. We get the key crack the passphrase since it’s encrypted and get into the box as a user. User done!!!. For root we’ll exploit tar which has a wildcard injection vulnerability. It sounds a lot but It’s an easy one and i actually enjoyed the box since it simulates real world vulnerabilities and thanks to the creator of the box TheCyb3rW0lf. Without much say let’s jump in
As always we’ll start off with a nmap scan of the box to show which ports are open. Looking at the nmap results below we have two ports that are open. SSH and HTTP
SSH has really few vulnerabilities and we require valid credentials to log in so i kept it in my back pocket and started by enumerating HTTP since as we know it has a bigger attack surface and we generally like attacking web servers
In TryHackMe we had been asked to add vulnnet.htb to the hosts file
So i started by adding the hostname to my hosts file
And navigated to the webpage using the hostname
Looking at the creenshot below we get a standard webpage
I tried to see if the IP Address resolved to the same website and looking at the screenshot below it did not!!
But we were given a hostname for a reason. So i decided to run a subdomain brute force attack using ffuf(A web fuzzer) and also gobuster in the background while i enumerated the website manually
While the were running in the background i decided to enumerate the website manually.
Looking through the website there was a way of getting we could subscribe for a newsletter
I tried subscribing for a news letter and intercepted the request with burpsuite
Looking at the request using burpsuite we see that it seems to be using a parameter but we are not sure what the name of the parameter is or what function the parameter performs. Again this is where fuzzing comes in handy. As a penetration tester we can make generalized assumptions what this parameters do like:
- Include files (Which might lead to Local File inclusion id user input is not properly validated and sanitized)
- Run some SQL queries (which again might lead to a SQL Injection vulnerability)
- Run system commands (which might lead to command injection vulnerability)
- Some how be connected to a flask templates and( could lead to a Server Side Template Injection STTI injection attack)
So i first tried a command injection using burp-parameter-names.txt wordlist from Seclists
But it came back empty. Next i tried file inclusion using the same wordlist and only changed the parameter value to be /etc/passwd file
And looking at the results we get that the parameter referer returned a different size in the response
Sweet i decided to try the parameter using burpsuite And looking at the screenshot below we get the passwd file
Sweet!!!. Now we know the users that have accounts on the box and we can try a SSH brute force attack. But Before going that far we have a local file inclusion vulnerability and this means on of two things:
- We need to abuse that local file inclusion vulnerability to get remote code execution on the web application OR
- Read some sensitive files that may help us to get a foothold on the box. Like some private SSH keys or some credentials file
I tried chaining the local file inclusion vulnerability to gain remote code execution on the box but it didn’t work and there was no sensitive file i had access to on the server
I decided to go back to enumeration. A while back we had run a subdomain brute force using ffuz and i went back to check the results
Looking at the results returned by ffuf we get some hostname but some looks like false positive but broadcast was different . I added the hostname to my hosts file
And tried to navigate to it using Mozilla and looking at the screenshot below it seems to require some credential
I tried common credentials like
admin:admin,admin:password,admin:12345,admin:abc123But it didn’t work. So i intercepted the request with burpsuite and automated a brute force attack using intruder since am using a burpsuite professional version which is really first
Looking at the request above you’ll notice that the website is using basic authentication meaning the credentials (username and password) are concatenated using a colon and the string is then base64 encoded
Burp intruder supports this kind of authentication brute force in the payload processing section in intruder tab so i decided to leave one brute force running in the background while i continue enumerating the web application manually
Then started the brute force.
While it was running in the background i decided to try one last thing
In the Apache’s config directory there a configuration file called 000-default.conf which contains configuration information on every website enabled on the server i decided to take a look at the file
Looking at the above screenshot we see that the credential for the broadcast.vulnnet.thm is stored in
/etc/apache2/.htpasswdLet’s see if we can read the file
Looking at the screenshot above it seems we can read the file and we have an Apache MD5 hash
I copied the hashed credentials to my box and tried cracking it with john the ripper using the rockyou wordlist and looking at the screenshot below we have a valid password.
Using the username we had found in the credential file and the password we cracked from the hashed string i tried logging into the broadcast.vulnnet.thm website and it worked
And the site seems to be running a CMS called ClipBucket which is an application for video sharing
Looking at the screenshot above it seems to be running ClipBucket version 4
Doing a searchslpoit we see that version 4 of ClipBucket has several vulnerability which include a SQL Injection, Command Injection and File upload vulnerability.
Doing some further research online i found that there’s a metasploit module for the file upload vulnerability. And so i decided to load metasploit and tried searching for the exploit which i found already added to metasploit
After adding all the required options then ran the exploit i got a shell on the box
Since i normally don’t really like using meterpreter shell i decided to get a shell through netcat
Finally we have a shell on the box doing some common enumeration we find that /var/backups has a SSH backup file that we have read access to
i copied the file to my box and did a md5sum check to ensure that the integrity of the file wasn’t compromised during the download process
Next i extracted the contents of the gunzip file
We get a SSH private key. which appears to be encrypted looking at
Meaning we need to have a passphrase which can allow us to log in using the key. To crack the passphrase using john the ripper we first need to convert the file into a format that john the ripper can understand and crack using a tool called ssh2john
I Saved the hash to a text file and tried cracking using john the ripper
After some few seconds we get the passphrase from john
Looking at the passwd file we have two possible users who the key can belong too
1. root
2. server-management
First i tried logging into the box as the user server-management and looking at the screenshot below it worked
We have a shell as server-management and looking at his home directory we have the user flag which we can read
We can submit the flag to TryHackMe and get the points
Next i uploaded linpeas to the box. Linpeas is a privilege escalation checklist script that automatically checks for privilege escalation vectors which makes our work much easier
After linpeas ran we find a there’s a cron job running every two minutes that executes a script called backupsrv.sh
But we don’t have permission to edit the file since it belongs to root but we have read access
Looking at the source code of the script
To exploit the vulnerability we first need to create a script that will get executed when the cron job run. I created a script called shell.sh that will cause bash binary to have a SUID bit which in turn can be executed using -p flag to drop us to a root shell.
Next create the two files
When the tar will be running it will be considering the two files as arguments passed to tar rather than actual files to be compressed
After creating the payload i waited for two minutes and looking at bash again we see it had a SUID bit set
Sweet!! Just by running
bash -pWe get a root shell on the box
Going to the root’s folder we have the root flag
You can submit the flag and get the points on TryHackMe. And the box is done. AM sure you learnt something new if you liked the walkthrough clap for me down below and follow me so that you don’t miss any upcoming articles