Vulnhub & THM notes
Introduction
I’ve recently completed NULLY CYBERSECURITY: 1 and ONSYSTEM: SHELLDREDD #1 HANNAH from Vulnhub and Poster from TryHackMe. These are some brief thoughts about each one.
Nully
This was great; I really enjoyed it. I will probably write it up separately. But essentially it’s three separate servers/services (Mail, Web and DB) and you pivot to the Web and DB after you’ve pwned the Mail server - I did that with SSH port forwarding for the Web server. Definitely worth checking out.
Poster
This was an easy THM room; essentially it’s default creds on a web-facing PostgreSQL installation, which allows for RCE (and a shell) via Metasploit. The privesc is finding some creds in a PHP config file; pretty simple.
Hannah
So this was an SSH private key in FTP with anonymous login for the foothold; trivial. The privesc was via /usr/bin/cpulimit with the SUID bit set. GTFOBins doesn’t show a SUID method for this binary; here are two I found:
This is making a local copy of bash; similar techniques are shown for other SUID binaries on GTFOBins, just not for this one.
In practice, it looks like this:
The second method is making a SUID binary of our own and then running it via cpulimit. The binary looks like this:
There are other variants of this code, but it’s essentially setuid to zero and call bash (or a reverse shell). There is no compiler on the box so you have to compile it on your attack machine and upload the binary. Then you can run:
hannah@ShellDredd:~/.ssh$ cpulimit -l 95 -f ./shell
Apart from this slightly different SUID binary, it’s fairly simple.
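As an added defensive counterpart (my own example, not from the original write-up or the box): a small SUID audit that flags the two things this box turns on, a SUID exec-capable binary such as cpulimit and a SUID file dropped outside the expected set (a local copy of bash, a home-made shell wrapper in ~/.ssh). It also covers a few other GTFOBins SUID names; the DANGEROUS set, BASELINE and SYSTEM_DIRS are constructed assumptions, so build the baseline from a clean install of your own image.

```python
import os
import stat
# SUID names that hand out a root shell: cpulimit from the box above
# (`cpulimit -f ./target` runs the target as root), a SUID copy of bash,
# and a few well-known GTFOBins SUID entries. Constructed list; extend it.
DANGEROUS = {"cpulimit", "bash", "sh", "dash", "env", "find", "nice", "nohup", "timeout"}
# SUID files a stock Debian-family box is expected to carry, and where they live.
# Constructed baseline: generate your own from a clean install of the same image.
BASELINE = {"su", "sudo", "passwd", "chsh", "chfn", "gpasswd", "newgrp",
            "mount", "umount", "fusermount", "pkexec"}
SYSTEM_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")

def is_suid_file(mode):
    """Regular file with the setuid bit; directories and devices are ignored."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def classify(path, mode):
    """'critical': SUID exec-capable binary or shell. 'unexpected': SUID file not
    in the baseline, or a baseline name outside the system dirs. None otherwise."""
    if not is_suid_file(mode):
        return None
    name = os.path.basename(path)
    if name in DANGEROUS:
        return "critical"
    if name not in BASELINE or not path.startswith(SYSTEM_DIRS):
        return "unexpected"
    return None

def audit(entries):
    """entries: iterable of (path, st_mode). Returns [(severity, path)], critical first."""
    rank = {"critical": 0, "unexpected": 1}
    findings = [(classify(p, m), p) for p, m in entries]
    findings = [f for f in findings if f[0] is not None]
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))

def walk_filesystem(roots=("/usr", "/bin", "/sbin", "/home", "/opt", "/tmp")):
    """Yield (path, st_mode) for every file under roots; symlinks are not followed."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    yield path, os.lstat(path).st_mode
                except OSError:
                    continue  # unreadable entry, e.g. vanished or permission denied

if __name__ == "__main__":
    for severity, path in audit(walk_filesystem()):
        print(f"{severity:10s} {path}")
```

Run it as root on a box you administer and diff the output against the baseline you generated from a clean image; a "critical" line is a root shell waiting to happen and should be chmod u-s'd or removed.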