THM Vulniversity
Introduction
So according to a post I saw on Medium, this is one of a series of OSCP-like rooms on THM. I’ll give it a go.
Open Ports
I’ve got ports 21 (FTP), 22 (SSH), 139 + 445 (SMB), so maybe this is a Windows box. I also have 3128 which may be for the Squid Caching Web Proxy (Wikipedia) and 3333 which is a non-standard port. I’ll have to ask nmap for more details.
Scan Detail
nmap says we’ve got vsftpd 3.0.3 on port 21, OpenSSH 7.2p2 on port 22, SMB on 139+445, plus:
So actually this is a Linux box with a webserver on port 3333.
The scan also says the version of Squid has a 10 out of 10 CVE, so I’m going to want to check that out.
Webserver
Visiting the webserver reveals a front page for a University; many of the links don’t work, though. There is no robots.txt, but /images and /js both offer directory listings. Let’s fuzz:
The fuzzing turned up a page called /internal, which appears to offer some sort of file upload. The index page for this subdirectory is index.php, so the server is running PHP. Fuzzing inside the directory finds http://10.10.14.79:3333/internal/uploads/, where our files will appear. Let’s try a PHP reverse shell.
Shell
Using the .phtml extension I could upload the pentestmonkey PHP reverse shell and connect as www-data. I copied over linpeas.sh to /dev/shm and ran it.
Linpeas showed a probable privesc via systemctl, which can be found on GTFOBins, and sure enough this led to root.
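For anyone fixing an upload form like the one at /internal: the .phtml upload gets through when a filter rejects only a list of known PHP extensions. The following is an added example, not code from the room or from this writeup; the blocklist's shape, the function names and the sample filenames are assumptions constructed for illustration. It compares such a blocklist with an allowlist validator that also renames the stored file.

```php
<?php
// Added example. The blocklist below is an ASSUMED shape for the weak filter;
// the writeup only shows that a .phtml file was accepted.

// Weak: reject a fixed list of extensions, accept everything else.
function blocklist_allows(string $name): bool
{
    $blocked = ['php', 'php3', 'php4', 'php5'];
    $ext = pathinfo($name, PATHINFO_EXTENSION);   // last extension, case preserved
    return !in_array($ext, $blocked, true);
}

// Hardened: accept only known-good extensions, require exactly one extension,
// compare case-insensitively, and never keep the client-supplied name.
// Returns the name to store the file under, or null to reject the upload.
function allowlist_store_name(string $name): ?string
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
    $parts = explode('.', strtolower(basename($name)));
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;   // no extension, dotfile, or more than one extension
    }
    if (!in_array($parts[1], $allowed, true)) {
        return null;   // extension is not on the allowlist
    }
    return bin2hex(random_bytes(16)) . '.' . $parts[1];
}

// Constructed filenames a validator should be tested against.
$samples = ['photo.jpg', 'upload.php', 'upload.phtml', 'upload.PHP',
            'upload.php.jpg', '.htaccess'];

foreach ($samples as $s) {
    printf(
        "%-16s blocklist=%-6s allowlist=%s\n",
        $s,
        blocklist_allows($s) ? 'accept' : 'reject',
        allowlist_store_name($s) === null ? 'reject' : 'accept'
    );
}
```

Only photo.jpg passes the allowlist, while the blocklist rejects nothing except upload.php. Extension checks are one layer; the uploads directory should also be served with script execution turned off.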