TryHackMe - Vulnversity (Easy)

Summary

Gobuster finds a hidden directory /internal which has an upload form. The upload form filters the .php extension, but Burp Intruder finds that .phtml bypasses the filter. Here we rename php-reverse-shell.php to php-reverse-shell.phtml and get a www-data shell.

On the victim machine, /bin/systemctl is SUID. Using an arbitrary file read payload from GTFOBins, we are able to read root.txt without getting a root shell.

IP

  • RHOST: 10.10.64.243

  • LHOST: 10.13.12.2

Nmap

[Screenshot: Nmap]

Asset Discovery

Run Gobuster against port 3333:

Gobuster finds /internal:

[Screenshot: Gobuster]

www-data shell: File Upload with PHP Extension Bypass

There is an upload form in /internal:

[Screenshot: /internal]

Try uploading php-reverse-shell.php here. However, this file is not present in the /internal/uploads directory:

[Screenshot: Upload failed]

Perhaps the .php file extension is blocked. Brute-force valid file extensions using Burp Suite Intruder. Remember to turn off "URL-encode these characters":

[Screenshot: Uncheck "URL-encode these characters"]

Make a PHP extension wordlist:

Intruder finds that the only valid extension is .phtml:

[Screenshot: .phtml is a valid extension]

Rename the PHP reverse shell payload to php-reverse-shell.phtml and upload again. This time the file is successfully uploaded:

[Screenshot: Upload succeeds]
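To show why the denylist on /internal fails and what the fix looks like, here is an added Python example (not code from the room or from the original writeup) that models the weak ".php-only" check beside an allowlist check; the allowlist contents and every filename other than the two reverse-shell names from the writeup are assumptions.

```python
import os

# The weak filter modelled on the writeup: only the literal ".php" suffix is rejected.
DENYLIST = {".php"}

# Assumed allowlist for an image-upload form; anything not listed here is rejected.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif"}


def weak_filter_allows(filename: str) -> bool:
    """Denylist check: accept the upload unless its extension is exactly .php."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENYLIST


def hardened_filter_allows(filename: str) -> bool:
    """Allowlist check: accept only a plain filename with a known-safe extension.

    Pair this with storing uploads where the web server will not execute them;
    /internal/uploads on the room's box serves uploaded files as PHP.
    """
    base = os.path.basename(filename)
    if base != filename or base.startswith("."):
        return False  # path components and dotfiles are never accepted
    ext = os.path.splitext(base)[1].lower()
    return ext in ALLOWLIST


def review(filenames):
    """Return {filename: (weak_verdict, hardened_verdict)} for a batch of upload names."""
    return {f: (weak_filter_allows(f), hardened_filter_allows(f)) for f in filenames}


# Constructed sample upload names; the two reverse-shell names are the ones from the writeup.
SAMPLES = ["photo.jpg", "php-reverse-shell.php", "php-reverse-shell.phtml"]

if __name__ == "__main__":
    for name, (weak, hard) in review(SAMPLES).items():
        verdict = lambda ok: "ALLOW" if ok else "reject"
        print(f"{name:26} weak={verdict(weak):6} hardened={verdict(hard)}")
```

Running it shows the .phtml name slipping through the weak filter while the allowlist rejects both reverse-shell names.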

Start a pwncat listener:

Trigger the reverse shell payload and get a user shell as www-data:

[Screenshot: www-data shell]

Arbitrary File Read: SUID /bin/systemctl

Search for SUID files:

Note that /bin/systemctl is SUID:

[Screenshot: /bin/systemctl]

GTFOBins has a privesc payload for systemctl. Change the payload to cat /root/root.txt > /tmp/output:

Execute these commands line by line on the victim machine and read the content of root.txt:

[Screenshot: root.txt]
