TryHackMe: Vulnversity Walkthrough

Task [1]: Deploy the machine

Task [2]: Reconnaissance

Read the information given. Nmap tool is used to gather the information.

I used the command: nmap -sSV -Pn MACHINE_IP_ADDRESS to get the answer to the questions 2,3,6 and 7.

And to get the answer to questions 4 and 5 I used the command: nmap -h

Task [3]: Locating directories using GoBuster

Read the information carefully. GoBuster is very useful tool for directory discovery. I used the command:

gobuster dir -u http://MACHINE_IP_ADDRESS -w /usr/share/wordlists/dirb/common.txt

  • dir is used to specify that we want to discover directory.
  • -u is used to define URL
  • -w is used to specify the path to wordlist

Task [4]: Compromise the webserver

Visit MACHINE_IP_ADDRESS/directory/. A file upload page appears through which we can compromise the web server. Try various types of files like .txt, .html, .php, etc. Check which can be uploaded successfully.

The files are blocked by the web server.

Create a list of various file extensions that are mentioned in the information part and use burp suite to try those extensions.

  • Intercept the request in burp suit.
  • Send the request to Intruder.
  • Click the “Positions” tab. Now, find the filename and “Add §” to the extension.
  • Click on the “Payloads” tab to add the extensions list and click on “Start attack”.
  • Find out the extension which is allowed.

Now we know the extension of file which we can upload on the web server. Download the reverse PHP shell which is provided in the information.

To gain remote access to the machine, follow the steps as given in the information:

  • Create a listener using netcat .
  • Navigate to http://<ip>:3333/internal/uploads/php-reverse-shell.phtml
  • As soon as we navigate to the shell script we will see a connection on netcat session.
  • Use command python -c ‘import pty; pty.spawn(“/bin/bash”)’ to get TTY shell.
  • Use command ls to list files and folders.
  • In Linux file system we get user name in home directory. So change directory to home. There we get the user and the user flag.

Task [5]: Privilege Escalation

Read the information.

Use the command find / -perm -u=s 2>/dev/null to search for SUID files.

Search for GTFOBins in browser. Visit gtfobins.github.io

GTFOBins is a list of unix binaries which can be exploited by the attacker. Search each binary in GTFOBins to find out which can be exploited.

/systemctl directory can be exploited. GTFOBins contains the set of commands which can be used to exploit the directory.

Follow the commands for Privilege Escalation and read the content of /tmp/output to get the flag. Here is the root flag…

Thank you …

Keep learning :-)

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Sakshi Aggarwal

Sakshi Aggarwal

66 Followers

Digital forensics enthusiast | Cyber security | Bug hunter | Java | Python | Analyzer