Vulnversity writeup ~ TryHackMe
Vulnversity
This room is based on active recon, web app attacks and privilege escalation
Task 1: Deployment
The first and most important task is to deploy the machine on which we perform the attacks and complete all the subsequent tasks. Once deployed, the vulnerable machine's IP is assigned to us along with the time available to solve the room's tasks. You can also extend the time of the room machine.
Task 2: Reconnaissance
The best tool for recon is none other than nmap.
Below are some nmap commands that we will use in our recon:
Scan Result:
Note: If we don't specify any ports or scan technique, by default nmap scans the most common 1,000 ports for each protocol and uses the -sS (SYN) scan technique (this default applies when nmap runs as root; an unprivileged user gets a -sT connect scan instead).
From the scan results, we get the following answers:
- 6 ports are open
- Squid version 3.5.12 is running
- Ubuntu
- The web server is running on port 3333
Answers to some other questions are:
- The flag -p-400 will check the first 400 ports
- The flag -n will not perform DNS resolution
Task 3: Locating directories using ffuf
This task is all about learning the basics of ffuf, which is a directory discovery tool. The TryHackMe room asks us to use gobuster, which is another discovery tool, but you can use any tool of your choice.
Moving forward, we run ffuf to enumerate all the directories.
We run the following command to get a list of all the directories: ffuf -u http://<machine IP>:3333/FUZZ -w <wordlist path>
ffuf Result:
So /internal has an upload form through which we can upload a file to get a reverse shell.
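A wordlist run like the ffuf command above leaves a very recognisable trace on the server side: one client requesting many non-existent paths in a few seconds. The following detector is an added example for the defender's view of this task, not code from the room or the writeup; it parses Apache/nginx "combined" access-log lines and flags any client that produces more than a threshold of 404 responses inside a sliding time window. The log lines are constructed for the example (the User-Agent string mimics ffuf's default, but a real scan may set any agent).

```python
"""Flag clients whose burst of 404s looks like directory brute-forcing.
Added example for the writeup's ffuf task; the log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx "combined" log format (not from the room).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /admin HTTP/1.1" 404 302 "-" "Fuzz Faster U Fool v1.5"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /backup HTTP/1.1" 404 302 "-" "Fuzz Faster U Fool v1.5"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /internal HTTP/1.1" 301 178 "-" "Fuzz Faster U Fool v1.5"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /test HTTP/1.1" 404 302 "-" "Fuzz Faster U Fool v1.5"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /old HTTP/1.1" 404 302 "-" "Fuzz Faster U Fool v1.5"
10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /dev HTTP/1.1" 404 302 "-" "Fuzz Faster U Fool v1.5"
10.0.0.5 - - [10/Oct/2023:13:56:01 +0000] "GET /css/main.css HTTP/1.1" 200 811 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:56:02 +0000] "GET /favicon.ico HTTP/1.1" 404 302 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD path PROTO", status, bytes, "referer", "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_404_count} for clients that reach `threshold` 404s
    within any `window`-long span. Normal browsing produces the odd 404
    (favicon, stale link); a wordlist scan produces dozens per second."""
    not_found = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            not_found[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in not_found.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window's left edge until it spans at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged


if __name__ == "__main__":
    for ip, hits in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {hits} x 404 within 60s - likely directory brute force")
```

The threshold and window are tunable; on a real site you would baseline the normal 404 rate first, and note that the 301 for /internal does not count toward the score, which is exactly why the scanner's hits and misses both deserve a look once a client is flagged.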
Task 4 : Compromising Web Server
Now that we have found /internal is where we can upload our file, when we try to upload a .php file it gives us this result:
For the .php extension it gives the error that the extension is not allowed. There are two ways to find which extensions can be uploaded:
- We can use Burp Suite to intercept the request and fuzz it with extensions.
- Secondly, we can use a tool such as ffuf to find extensions using the SecLists/Discovery/Web-Content/web-extensions.txt wordlist.
We will use the first method. In this room we are already given some extensions that we can use to find the correct one to run PHP:
- .php
- .php3
- .php4
- .php5
- .phtml
We intercept our request, send it to Intruder and select the attack type Sniper:
Just copy and paste our extensions as the payload list.
As we can see, all the extensions have the same response size except .phtml, which has a different size, so this is the extension that is allowed.
Our rev.phtml file, which has the reverse shell inside it, is uploaded.
When we open the uploaded file in the browser it connects back to our machine.
When we run ls in the home directory we get the username.
Flag !
From the Compromising Server section, we get the following answers:
- The server is blocking the .php extension.
- When we fuzz extensions from Intruder, the .phtml extension is allowed.
- The name of the user is bill.
- The user.txt flag is 8bd7………………………..db.
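The upload form above fails because it denies one extension (.php) while the web server still executes several others. The following is an added example, not code from the room or the writeup, that puts the weak check beside a hardened one: an allowlist of the extensions the application actually needs, a magic-bytes check that the content matches the claimed type, and a refusal of anything that is not a plain file name. The file names and byte strings are constructed; `denylist_allows` and `allowlist_allows` are names chosen for this example.

```python
"""Denylist versus allowlist upload validation.
Added example for the writeup's upload task; all inputs are constructed."""
import os

# The kind of check the room's form appears to implement: block ".php" only.
# Any other PHP-handled extension (.php3, .phtml, ...) sails straight through.
BLOCKED = {".php"}


def denylist_allows(filename):
    """Weak check: reject only names whose final extension is on the blocklist."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED


# Hardened: the few types the application needs, each with the leading bytes
# (magic) a genuine file of that type starts with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}


def allowlist_allows(filename, head):
    """Strong check. `head` is the first few bytes of the uploaded content.
    Accept only a bare file name with an allowlisted extension whose content
    starts with that type's magic bytes."""
    base = os.path.basename(filename)
    if base != filename or base.startswith("."):
        return False          # directory components or hidden names: reject
    ext = os.path.splitext(base)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        return False          # not on the allowlist
    return head.startswith(magic)


def check_upload(filename, content):
    """Convenience wrapper returning both verdicts for one upload."""
    return {
        "denylist": denylist_allows(filename),
        "allowlist": allowlist_allows(filename, content[:16]),
    }


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    for name, body in [("rev.php", b"<?php "), ("rev.phtml", b"<?php "),
                       ("photo.png", png), ("photo.png", b"<?php ")]:
        print(name, check_upload(name, body))
```

Two further points belong with the allowlist in a real deployment: store the file under a server-generated name rather than the user's, and keep the upload directory outside the web root or configured so that nothing in it is ever passed to a script handler. Those controls are what make the difference between a denied extension and a denied code path.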
Task 5: Privilege Escalation
We can use the following command to list SUID files:
find / -type f -perm -04000 -ls 2>/dev/null
/bin/systemctl stands out, as it is used to control and monitor services!
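Spotting /bin/systemctl in that list by eye works in a CTF; on a fleet you want the comparison automated. The following is an added example, not code from the room or the writeup: it parses the `find -ls` output the command above produces and reports root-owned setuid files that are not in a known-good baseline. The find output and the baseline set are constructed to resemble a stock Ubuntu 16.04 host; a real baseline would be recorded from a clean build of the same image.

```python
"""Audit SUID binaries against a baseline.
Added example for the writeup's SUID enumeration step; sample data is constructed."""
import re
import subprocess

# Constructed `find / -type f -perm -04000 -ls` output
# (inode, blocks, mode, links, owner, group, size, date, path).
SAMPLE_FIND_OUTPUT = """\
   131   44 -rwsr-xr-x   1 root     root        44664 May  7  2014 /bin/ping
   140  140 -rwsr-xr-x   1 root     root       142032 Jan 28  2017 /bin/su
   145  152 -rwsr-xr-x   1 root     root       154392 Oct 14  2016 /bin/mount
   600  636 -rwsr-xr-x   1 root     root       659856 Feb 13  2017 /bin/systemctl
  2211  136 -rwsr-xr-x   1 root     root       136808 Jul  4  2017 /usr/bin/sudo
  2300   40 -rwsr-xr-x   1 root     root        40432 May 16  2017 /usr/bin/chsh
"""

# Binaries that legitimately carry the setuid bit on this image (assumed baseline).
BASELINE = {
    "/bin/ping", "/bin/su", "/bin/mount", "/bin/umount",
    "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/passwd", "/usr/bin/newgrp",
}

# inode blocks mode links owner group size month day year-or-time path
LS_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<mode>\S+)\s+\d+\s+(?P<owner>\S+)\s+\S+\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<path>/\S+)$"
)


def parse_find_ls(text):
    """Return [(path, owner, mode)] for every `find -ls` line that parses."""
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line)
        if m:
            entries.append((m["path"], m["owner"], m["mode"]))
    return entries


def unexpected_suid(text, baseline=BASELINE):
    """Root-owned files with the setuid bit ('s' in the owner-execute slot of
    the mode string) that the baseline does not account for."""
    return sorted(
        path
        for path, owner, mode in parse_find_ls(text)
        if mode[3] == "s" and owner == "root" and path not in baseline
    )


def live_audit(baseline=BASELINE):
    """Run the same find command on this host and audit its output.
    Requires a POSIX system; results depend on the machine it runs on."""
    cmd = "find / -type f -perm -04000 -ls 2>/dev/null"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
    return unexpected_suid(out, baseline)


if __name__ == "__main__":
    print("Unexpected SUID binaries:", unexpected_suid(SAMPLE_FIND_OUTPUT))
```

On the sample data the only outlier is /bin/systemctl, which is the answer the room expects; the defensive follow-up is to remove the bit (`chmod u-s /bin/systemctl`) and to ask how it got there, since no Ubuntu package ships systemctl setuid.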
So when we search GTFOBins we get the code to escalate privileges; after making some changes the code is:
We create the above unit file on our machine, then we have to send it to the low-privilege room machine, which is why we start an HTTP server.
Then we use wget on the room machine to download root.service from our local machine.
Then we run this command on our low-privilege machine:
This gives us a root shell back on our local machine because, if you look at root.service, it connects back to us when we run systemctl start root.
From the Privilege Escalation section, we get the following answers:
- /bin/systemctl stands out among the SUID files.
- We get the root flag a5………………………………..d5.
We are done! Great job everyone.