Hi guys, welcome to the TryHackMe walkthrough series. In this blog we are going to take a look at Vulnversity. You can find this room by searching "vulnversity" in the Hacktivities section.
Vulnversity
This is a basic machine that mainly focuses on reconnaissance, enumeration, gaining access by uploading a file, and privilege escalation.
Complete this machine on mobile
If you want to play TryHackMe machines on mobile, check my previous blog, in which I explained how to set up TryHackMe on mobile.
Task[1] DEPLOY THE MACHINE
Deploy the machine by clicking on Start Machine.
Task[2] RECONNAISSANCE
Let's scan the machine with nmap:
nmap -sV ipAddress
Question
Scan the box, how many ports are open?
6
Question
What version of the squid proxy is running on the machine?
3.5.1
Question
How many ports will nmap scan if the flag -p-400 was used?
Question
Using the nmap flag -n what will it not resolve?
Question
What is the most likely operating system this machine is running?
Ubuntu
Question
What port is the web server running on?
3333
Task[3] LOCATING DIRECTORIES USING GOBUSTER
Question
What is the directory that has an upload form page?
Let's explore the HTTP website. Go to the internal directory.
Here you can see we can upload files. So let's upload a PHP reverse shell.
When you upload a file with the .php extension, it rejects the file. We have to find which extension is allowed. Intercept the traffic with Burp Suite, then right-click and send it to Intruder.
Go to the Intruder section. Under Payload Options, add some payloads.
Then go to Positions, clear all positions, and add a position on the extension. Change the attack type to Sniper, then start the attack by clicking on Start attack. The attack will get launched.
But we didn't see any difference in length, so let's try uploading the files manually.
It actually accepted the .phtml file.
We have uploaded the reverse shell, so go to the /internal/uploads directory.
We can see the file we uploaded here.
Let's start the netcat listener by executing the command below in a terminal:
nc -lvnp 1234
Then click on the reverse shell file we have uploaded.
We have got a reverse shell.
Question
Run this attack, what extension is allowed?
.phtml
By checking the file /etc/passwd we come to know that the user bill has access to bash.
Question
What is the name of the user who manages the webserver?
bill
We can go to /home/bill, where we find the user.txt file. cat that file to see the user flag.
What is the user flag?
8bd7992fbe8a6ad22a63361004cfcedb
Task[5] PRIVILEGE ESCALATION
From the hint we have the command given below:
find / -user root -perm -4000 -exec ls -ldb {} \;
By running that command we see that /bin/systemctl is a SUID file. We will use this file for privilege escalation. Let's look up systemctl on GTFOBins.
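Seen from the defender's side, the same search becomes a baseline audit: list every SUID-root file and report the ones that are not expected, which is how a SUID bit on systemctl would be caught. This is an added example, not part of the original walkthrough; the BASELINE contents and the function names are assumptions to adapt to your own known-good image.

```python
import os
import stat

# Assumed baseline of SUID-root binaries expected on a stock install.
# Build the real list from a known-good image of your own system.
BASELINE = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
}


def find_suid(root="/", owner_uid=0):
    """Return sorted paths of regular SUID files under root owned by owner_uid.

    Same idea as `find / -user root -perm -4000`, limited to regular files.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # file vanished or is unreadable
            is_suid = bool(st.st_mode & stat.S_ISUID)
            if stat.S_ISREG(st.st_mode) and is_suid and st.st_uid == owner_uid:
                hits.append(path)
    return sorted(hits)


def audit(root="/", baseline=BASELINE, owner_uid=0):
    """Return SUID paths, expressed relative to root, missing from the baseline.

    Passing a mounted disk image as root lets the same baseline be reused.
    """
    findings = []
    for path in find_suid(root, owner_uid):
        logical = "/" + os.path.relpath(path, root)
        if logical not in baseline:
            findings.append(logical)
    return findings


if __name__ == "__main__":
    for p in audit():
        print("unexpected SUID-root binary:", p)
```

Run it as root so unreadable directories are not silently skipped, and alert on any change in its output between runs.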
Question
On the system, search for all SUID files. What file stands out?
Reference
https://gtfobins.github.io/gtfobins/systemctl/
We have to create a temporary service, then use that to view the root.txt file. Use the commands given below to get root access.
TF2=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF2
/bin/systemctl link $TF2
/bin/bash -p
We have got privileged access. Type the whoami command to check whether the user is root or not.
We are the root user now, so go to the root directory. There you can find the root.txt file; cat that file to get the flag.
Question
Become root and get the last flag (/root/root.txt)
a58ff8579f0a9270368d33a9966c7fd5
We have successfully completed this machine.