TryHackMe | RootMe
1. Deploy the Machine
Standard, nothing to note here.
2. Reconnaissance
Scan the machine, how many ports are open? Nmap is a free and open source utility for network discovery and security auditing (nmap.org). I'll use it to map out which ports are open on the machine. The Nmap scan I will run on this machine is: nmap -sC -sV (machine IP)
-sC flag designates 'script default': Nmap runs its default set of scripts against the ports it finds.
-sV flag designates service/version detection: it checks which services are running on those ports, as well as the associated versions.
Scan the Machine using Nmap
Using nmap -sC -sV (machine_IP), I was able to find two open ports: 22, which is running the SSH service (OpenSSH version 7.6p1) on an Ubuntu server, and 80, which is running the HTTP service (Apache 2.4.29) on an Ubuntu server. More information on how I use Nmap can be found in my post network-mapping-or-nmap.
Finding Directories using GoBuster
Once I knew there was an HTTP site running, I had a few options on how to enumerate/find any directories on the site. GoBuster was one, but DirBuster and ffuf were other options I could have used.
The command I used was: "gobuster dir -u http://(machine_ip) -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50"
This took some time. Let me break down for you what this command is doing.
'gobuster' designates the application call.
'dir' argument designates 'directory/file enumeration' mode.
'http://(machine_ip)' is the fqdn (fully qualified domain name) of the site.
'-w (file_path)' designates a specific wordlist for GoBuster to use.
'-t 50' designates the number of threads or 'open connections' to the HTTP site at one time. The default is 10, but I used 50 because I am impatient and 10 was taking too long.
Results of GoBuster
Eventually, a few directories were found: /panel/, /uploads/, /css/, /js/.
Something to take note of: under /panel/, we are able to arbitrarily upload files, which we can then view at /uploads/. Perhaps we can use this to upload something executable...
3. Getting a Shell
Getting a Reverse Shell can sometimes be completed by opening up a listener on your attacker machine, such as netcat, and then uploading a .php file with a malicious payload, then 'opening' the file on the webpage in question, and having that payload execute, calling home to your attacking machine.
Online I was able to find this site: https://www.revshells.com/, which has many pre-built 'reverse shell' payloads available. Now that I have a reverse shell payload selected, I'll set up my netcat listener.
nc -lvnp 1337
'nc' designates the application call for 'netcat'.
'-lvnp 1337': l = listen mode, v = verbose, n = numeric IP address (no DNS), p 1337 = which local port to listen on.
I am using the 'PHP PentestMonkey' reverse shell template, and have created a file called 'RevShell.php' with the payload in it. Then, I made sure this file was executable by using the following command to change permissions on the file: 'sudo chmod +x RevShell.php'. Now, I'll go to (machine_ip)/panel/ to upload my file.
BUT! It looks like the upload of .php files is blocked! Time to find a way around this...
File Upload Restriction Bypass
I could probably write an entire blog on this, but for the purposes of this room in TryHackMe, there are a few specifics you need to know... Some websites whitelist or blacklist file uploads by extension type. The .php extension is blocked in this case, and we need to find a way to upload our payload so we can execute it on the remote machine. For more information, here is an awesome article from exploit-db.com: File Upload Restriction Bypass
Anyways, this part will take some trial and error until you find a way to get past the website's blacklisting of your file extensions. Eventually, I found that 'RevShell.php5' could be uploaded successfully, and as long as I remembered to make that file executable, I was able to run it on the remote machine simply by opening that .php5 file from the web.
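The reason a .php5 file gets through is that the upload form checks the extension against a list of things to block, and any spelling it did not think of passes. As an added example (my own code, not the room's actual upload handler, whose logic is a guess), here is that kind of deny-list check next to an allow-list check a developer would use instead. The file names and the allowed set are constructed for the example.

```python
"""Added example: a deny-list extension check of the kind the /panel/ upload
form appears to use, beside a hardened allow-list check. Neither function is
the room's real code; the extension sets and names are constructed."""
import os
import posixpath

# Deny-list: blocks only an exact '.php' suffix, so any other spelling
# of a PHP extension (such as .php5 in this room) is accepted.
BLOCKED_EXTENSIONS = {".php"}

# Allow-list: only the extensions the upload feature actually needs.
# Everything else, including every PHP variant, is rejected by default.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


def blacklist_allows(filename: str) -> bool:
    """Weak check: accept unless the (case-sensitive) suffix is in the deny-list."""
    _, ext = os.path.splitext(filename)
    return ext not in BLOCKED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """Hardened check: drop any directory part, require exactly one extension,
    and compare it case-insensitively against the allow-list."""
    name = posixpath.basename(filename.replace("\\", "/"))
    if not name or name.startswith("."):
        return False
    parts = name.split(".")
    if len(parts) != 2:  # no extension at all, or more than one
        return False
    stem, ext = parts
    if not stem:
        return False
    return "." + ext.lower() in ALLOWED_EXTENSIONS


def safe_stored_name(filename: str, upload_id: str) -> str:
    """Store the file under a server-chosen name (e.g. a random id) and keep
    only the vetted, lower-cased extension, never the client's file name.
    Call only after allowlist_allows() returned True."""
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{upload_id}.{ext}"
```

The extension check is only half of the fix: the files under /uploads/ should also be served as static content, with the web server configured so nothing in that directory is ever handed to the PHP interpreter. With both in place, an uploaded script is just bytes in a file, whatever it is called.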
With any luck, you should now see a shell open in your netcat terminal, but this isn't a stable shell, and if you're not careful you'll have to re-establish this session. Let's spawn a stable shell using Python!
python -c 'import pty;pty.spawn("/bin/bash")' should do the trick.
Now that we have a bash shell open, let's look for that user.txt flag.
Finding files in linux
We can use the 'find' tool to find specific files on a Linux system. 'find / -type f -name file-to-find.ext' is the format. It looks like there are a bunch of directories we don't have access to yet; luckily, the file we were looking for happens to be somewhere that we can access!
The first thing you might want to do when you finally get a shell on a machine is celebrate, but there might be some heavy restrictions on the user-level permissions you've obtained. Check around using some of the following commands:
whoami
sudo -l
4. Privilege Escalation
Now that we have a shell, let's escalate our privileges to root. We're prompted here to find files with SUID permissions. SUID stands for 'Set owner User ID', which essentially means that if an application or script is set with this permission, then when the command is run to launch it, its effective user ID becomes that of the owner of the file, instead of the user running it.
We can search for such files using the following command. find / -user root -perm -4000 -print 2>/dev/null
From here, look through all of the different applications and look for one whose permissions you might be able to leverage to execute arbitrary code. Python is a popular scripting language, so I bet we can do something with that. GTFOBins is an awesome resource for priv esc. I'm going to search for python there, and find something I think I can use. (hint: SUID)
The snippet of code I found on GTFOBins to escalate privileges is: python -c 'import os; os.execl("/bin/sh", "sh", "-p")' which worked well.
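From the defender's side, the whole escalation hinges on one thing: a SUID bit on an interpreter. As an added example (my own code, not from the room or from GTFOBins), here is a small audit that takes the output of the find command from this section, drops the SUID binaries a stock install is expected to have, and flags the rest, with interpreters and shells reported separately because a SUID bit on any of them is a root shell for whoever can run it. The baseline set and the sample find output are constructed for the example.

```python
"""Added example: audit a list of SUID-root binaries (the output of
`find / -user root -perm -4000 -print 2>/dev/null`) against a baseline.
The baseline, interpreter list and sample output are constructed."""
import os
import stat

# Constructed baseline: SUID-root binaries expected on a typical Ubuntu
# install. A real baseline is taken from a known-good build of the same image.
EXPECTED_SUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/bin/su", "/bin/mount",
    "/bin/umount", "/bin/ping", "/usr/lib/openssh/ssh-keysign",
}

# Programs that must never carry SUID: each one runs arbitrary code or
# spawns a shell as the file owner (the misconfiguration this room exploits).
INTERPRETERS = {"python", "perl", "ruby", "php", "node", "lua",
                "bash", "sh", "dash", "zsh"}

# Constructed sample of what the find command might print on a host like this one.
SAMPLE_FIND_OUTPUT = """\
/usr/bin/sudo
/usr/bin/passwd
/bin/su
/usr/bin/python
/usr/local/bin/backup-helper
"""


def base_program_name(path: str) -> str:
    """'/usr/bin/python2.7' -> 'python', '/usr/bin/perl5.26.1' -> 'perl'."""
    return os.path.basename(path).rstrip("0123456789.")


def classify(paths):
    """Split SUID-root paths into (unexpected, interpreters).
    Anything in the baseline is dropped; interpreters/shells are always
    reported, since they have no business being SUID at all."""
    unexpected, interpreters = [], []
    for raw in paths:
        path = raw.strip()
        if not path or path in EXPECTED_SUID:
            continue
        if base_program_name(path) in INTERPRETERS:
            interpreters.append(path)
        else:
            unexpected.append(path)
    return unexpected, interpreters


def live_suid_root(root="/"):
    """Walk the filesystem and return regular files that are SUID and owned
    by uid 0; the same set the find command in this section prints."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable or vanished; skip, as find's 2>/dev/null does
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                found.append(full)
    return sorted(found)


if __name__ == "__main__":
    unexpected, interps = classify(SAMPLE_FIND_OUTPUT.splitlines())
    for p in interps:
        print(f"CRITICAL: SUID interpreter/shell {p} (fix: chmod u-s {p})")
    for p in unexpected:
        print(f"REVIEW: SUID binary not in baseline: {p}")
```

On the room's machine the interpreter line is the finding; removing the bit with chmod u-s on that file is the entire fix, and re-running the audit afterwards should show nothing in the interpreter list. Run live_suid_root() instead of the constructed sample to check a real host.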
Now we have root-level permissions, running in the shell we opened via Python. Finally, we're prompted to find the root.txt flag, which we can do the same way we found the user.txt flag earlier!