VulnNet TryHackMe walkthrough

As always we’ll start off with a nmap scan of the box to show which ports are open. Looking at the nmap results below we have two ports that are open. SSH and HTTP

SSH has really few vulnerabilities and we require valid credentials to log in so i kept it in my back pocket and started by enumerating HTTP since as we know it has a bigger attack surface and we generally like attacking web servers

In TryHackMe we had been asked to add vulnnet.htb to the hosts file

So i started by adding the hostname to my hosts file

And navigated to the webpage using the hostname

Looking at the creenshot below we get a standard webpage

I tried to see if the IP Address resolved to the same website and looking at the screenshot below it did not!!

But we were given a hostname for a reason. So i decided to run a subdomain brute force attack using ffuf(A web fuzzer) and also gobuster in the background while i enumerated the website manually

FFUF Fuzzing
Gobuster directory bruteforcing

While the were running in the background i decided to enumerate the website manually.

Looking through the website there was a way of getting we could subscribe for a newsletter

I tried subscribing for a news letter and intercepted the request with burpsuite

Looking at the request using burpsuite we see that it seems to be using a parameter but we are not sure what the name of the parameter is or what function the parameter performs. Again this is where fuzzing comes in handy. As a penetration tester we can make generalized assumptions what this parameters do like:

  1. Include files (Which might lead to Local File inclusion id user input is not properly validated and sanitized)
  2. Run some SQL queries (which again might lead to a SQL Injection vulnerability)
  3. Run system commands (which might lead to command injection vulnerability)
  4. Some how be connected to a flask templates and( could lead to a Server Side Template Injection STTI injection attack)

So i first tried a command injection using burp-parameter-names.txt wordlist from Seclists

But it came back empty. Next i tried file inclusion using the same wordlist and only changed the parameter value to be /etc/passwd file

And looking at the results we get that the parameter referer returned a different size in the response

Sweet i decided to try the parameter using burpsuite And looking at the screenshot below we get the passwd file

Sweet!!!. Now we know the users that have accounts on the box and we can try a SSH brute force attack. But Before going that far we have a local file inclusion vulnerability and this means on of two things:

  1. We need to abuse that local file inclusion vulnerability to get remote code execution on the web application OR
  2. Read some sensitive files that may help us to get a foothold on the box. Like some private SSH keys or some credentials file

I tried chaining the local file inclusion vulnerability to gain remote code execution on the box but it didn’t work and there was no sensitive file i had access to on the server

I decided to go back to enumeration. A while back we had run a subdomain brute force using ffuz and i went back to check the results

Looking at the results returned by ffuf we get some hostname but some looks like false positive but broadcast was different . I added the hostname to my hosts file

And tried to navigate to it using Mozilla and looking at the screenshot below it seems to require some credential

I tried common credentials like

admin:admin,admin:password,admin:12345,admin:abc123

But it didn’t work. So i intercepted the request with burpsuite and automated a brute force attack using intruder since am using a burpsuite professional version which is really first

Looking at the request above you’ll notice that the website is using basic authentication meaning the credentials (username and password) are concatenated using a colon and the string is then base64 encoded

Burp intruder supports this kind of authentication brute force in the payload processing section in intruder tab so i decided to leave one brute force running in the background while i continue enumerating the web application manually

Then started the brute force.

While it was running in the background i decided to try one last thing

In the Apache’s config directory there a configuration file called 000-default.conf which contains configuration information on every website enabled on the server i decided to take a look at the file

Looking at the above screenshot we see that the credential for the broadcast.vulnnet.thm is stored in

/etc/apache2/.htpasswd

Let’s see if we can read the file

Looking at the screenshot above it seems we can read the file and we have an Apache MD5 hash

I copied the hashed credentials to my box and tried cracking it with john the ripper using the rockyou wordlist and looking at the screenshot below we have a valid password.

Using the username we had found in the credential file and the password we cracked from the hashed string i tried logging into the broadcast.vulnnet.thm website and it worked

And the site seems to be running a CMS called ClipBucket which is an application for video sharing

Looking at the screenshot above it seems to be running ClipBucket version 4

Doing a searchslpoit we see that version 4 of ClipBucket has several vulnerability which include a SQL Injection, Command Injection and File upload vulnerability.

Doing some further research online i found that there’s a metasploit module for the file upload vulnerability. And so i decided to load metasploit and tried searching for the exploit which i found already added to metasploit

After adding all the required options then ran the exploit i got a shell on the box

Since i normally don’t really like using meterpreter shell i decided to get a shell through netcat

Finally we have a shell on the box doing some common enumeration we find that /var/backups has a SSH backup file that we have read access to

i copied the file to my box and did a md5sum check to ensure that the integrity of the file wasn’t compromised during the download process

Next i extracted the contents of the gunzip file

We get a SSH private key. which appears to be encrypted looking at

Meaning we need to have a passphrase which can allow us to log in using the key. To crack the passphrase using john the ripper we first need to convert the file into a format that john the ripper can understand and crack using a tool called ssh2john

I Saved the hash to a text file and tried cracking using john the ripper

After some few seconds we get the passphrase from john

Looking at the passwd file we have two possible users who the key can belong too

1. root
2. server-management

First i tried logging into the box as the user server-management and looking at the screenshot below it worked

We have a shell as server-management and looking at his home directory we have the user flag which we can read

We can submit the flag to TryHackMe and get the points

Next i uploaded linpeas to the box. Linpeas is a privilege escalation checklist script that automatically checks for privilege escalation vectors which makes our work much easier

After linpeas ran we find a there’s a cron job running every two minutes that executes a script called backupsrv.sh

But we don’t have permission to edit the file since it belongs to root but we have read access

Looking at the source code of the script

To exploit the vulnerability we first need to create a script that will get executed when the cron job run. I created a script called shell.sh that will cause bash binary to have a SUID bit which in turn can be executed using -p flag to drop us to a root shell.

Next create the two files

When the tar will be running it will be considering the two files as arguments passed to tar rather than actual files to be compressed

After creating the payload i waited for two minutes and looking at bash again we see it had a SUID bit set

Sweet!! Just by running

bash -p

We get a root shell on the box

Going to the root’s folder we have the root flag

You can submit the flag and get the points on TryHackMe. And the box is done. AM sure you learnt something new if you liked the walkthrough clap for me down below and follow me so that you don’t miss any upcoming articles

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store