TryHackMe Vulnversity Walkthrough
This blog post is a walkthrough of the TryHackMe room Vulnversity, which covers the basics of active recon, web app attacks and privilege escalation.
As always, I won't be revealing the actual flags; rather, I will guide you to them.
After starting the machine and connecting to the TryHackMe server (either by VPN or using their own web-based OS), the IP of the vulnerable machine is revealed (after a few seconds, of course). If you're using a VPN connection, you can also ping the given IP to make sure you're properly connected.
The first part is recon using Nmap. Pretty straightforward: enter the following command: nmap -sV <insert the machine's IP here>. The -sV flag asks Nmap to identify the service and version running on each open port it finds.
From the Nmap scan result you will be able to identify how many ports are open and the version of the Squid proxy.
By reading the intro of part 2, you should also be able to answer the next two questions.
The most likely OS the vulnerable machine is running can also be read from the Nmap scan (hint: it's not Windows, lol), and so can the answer to the next question about the port the web server is running on.
Moving on to the third part: discovering directories.
I normally use DirBuster for this (but you can also use Gobuster). Just choose any suitable wordlist. If you're using Kali Linux, you can use the medium.txt list or the small.txt list. Depending on your connection it could take anywhere from a few seconds to almost a minute. To find the directory with the upload form page, just try the discovered directories one after the other. Remember to add the port after the IP.
Time to compromise the web server. Obviously, when we find a way to send data to a website's backend, we try to understand exactly what is allowed and what is blocked (talking from a PHP perspective).
To do this we can make a list called php.txt and add the following extensions to it, each on its own line: .php, .php1, .php2, .php3, .php5 and .phtml.
We can now open Burp Suite's Intruder, configure the browser to use Burp's proxy and send a request from the website. We go back to Burp and send the entire intercepted request to Intruder.
Clear all the payload positions first, then mark the file extension part of the request as the position. Make sure the attack type is Sniper. Then move to the Payloads tab and load our php.txt list. You can now start the attack.
From the results, we can see that every PHP extension on the list is rejected except .phtml, which is our gateway to exploiting the website (**evil laughter, evil laughter**).
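What makes the .phtml result possible is the shape of the server-side check: a blocklist rejects the extensions it knows about and accepts everything else, so any extension the developer forgot is accepted. The room's actual upload handler isn't shown anywhere, so the following is an added Python example of my own (not code from the room or from the original post) that puts the weak blocklist beside an allowlist-based check; the set of allowed image types and the size limit are assumptions made for the example.

```python
import os
import secrets
from typing import Tuple

# The weak check: a blocklist built from the same extensions as php.txt,
# minus .phtml. Everything not explicitly listed is accepted.
BLOCKED_EXTENSIONS = {".php", ".php1", ".php2", ".php3", ".php5"}


def blocklist_accepts(filename: str) -> bool:
    """Return True if a blocklist-only check would accept this filename."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED_EXTENSIONS


# The hardened check: an allowlist of the types the upload feature actually
# needs (assumed here to be images), each paired with the magic bytes the
# file body must start with to be accepted under that extension.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for this example


def allowlist_check(filename: str, content: bytes) -> Tuple[bool, str]:
    """Accept only allowlisted extensions whose content matches the declared
    type, and never store the file under the client-supplied name.
    Returns (True, stored_name) on success or (False, reason) on rejection."""
    base = os.path.basename(filename)  # drop any client-supplied path component
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} is not on the allowlist"
    if len(content) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match the declared type"
    # Server-generated name: the client controls neither the name nor the
    # extension that lands on disk, so double extensions and path characters
    # in the original name have nothing to act on.
    stored = secrets.token_hex(16) + ext
    return True, stored


if __name__ == "__main__":
    # Constructed sample uploads: the first body is a harmless PHP stub,
    # the second is a minimal PNG header.
    for name, body in [
        ("shell.phtml", b"<?php echo 1; ?>"),
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]:
        print(name, "blocklist:", blocklist_accepts(name),
              "allowlist:", allowlist_check(name, body))
```

The extension check alone is only half of it: the directory the files are stored in should also have script execution switched off in the web server configuration, so that a file which somehow gets past validation is served as data rather than run.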
We can now download the PHP reverse shell script from GitHub and change the file extension to .phtml. You can always use the git clone command followed by the full URL (for some reason mine refused to work this way, so you can also just copy and paste the code into a new PHP document).
Before uploading the reverse shell code you have to edit the IP in the code to your own IP address (remember that if you connected via the THM VPN, you have a new IP that is different from your system's actual IP). After editing, you can upload the code to the website. Before navigating to the uploaded file you have to start a netcat listener first with nc -lvnp 1234. You can now navigate to the reverse shell URL on the website to gain the shell.
Play around a little with the file hierarchy and you will find out that the name of the user is B**l. To find the user flag, just read the user.txt file.
Now to escalate our privileges. We have gained a shell, excellent, but we are still just a regular user and not root (admin) yet. The intro talks about SUID files. To find the required file, use the command given in the hint.
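The hint's find command lists every SUID file on the box; the question a defender asks about that list is which entries shouldn't be there. As an added Python example (mine, not the room's or the original post's), the check below compares SUID regular files against a known-good baseline and reports the strays. The baseline set, the sample entries and the /bin/systemctl path are constructed for illustration; a real baseline is recorded from a freshly built host.

```python
import os
import stat
from typing import Iterable, Iterator, List, Set, Tuple

# Constructed baseline of SUID binaries an Ubuntu-style host is expected to
# carry. Record the real one from a known-good build, not from a live box.
EXPECTED_SUID: Set[str] = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/bin/mount", "/bin/umount",
}


def is_suid_regular_file(mode: int) -> bool:
    """True for a regular file with the setuid bit set. Directories and
    device nodes with the bit set are ignored here."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def audit_suid(entries: Iterable[Tuple[str, int]],
               baseline: Set[str] = EXPECTED_SUID) -> List[str]:
    """Return the SUID files in entries that the baseline does not expect."""
    return sorted(path for path, mode in entries
                  if is_suid_regular_file(mode) and path not in baseline)


def walk_modes(root: str = "/") -> Iterator[Tuple[str, int]]:
    """Yield (path, st_mode) for every file under root, skipping
    pseudo-filesystems and never following symlinks."""
    skip = {"/proc", "/sys", "/dev", "/run"}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:
                continue  # unreadable or vanished entry; skip it


# Constructed sample standing in for the output of the hint's find command.
# Modes are the st_mode values lstat() would return (0o10xxxx = regular file).
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755),
    ("/usr/bin/sudo",   0o104755),
    ("/bin/mount",      0o104755),
    ("/bin/systemctl",  0o104755),  # SUID where it should not be
    ("/bin/ls",         0o100755),  # ordinary binary, no SUID bit
    ("/etc/shadow",     0o100640),  # not SUID either
]


if __name__ == "__main__":
    for path in audit_suid(walk_modes("/")):
        print("unexpected SUID binary:", path)
```

Run as a periodic job, the diff between the audit output and the baseline is a cheap detection for exactly the misconfiguration this room is built around, and it catches the bit being added later as well as being present at install time.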
Now for the final part: reading the root.txt file (proof that we rooted the machine). Go to https://gtfobins.github.io, search for system/ctl and copy the SUID entry. Then make a new document named sudo.txt (or something else, man, idgaf) and paste the code in there. Edit it to include bin and chmod -s /bin/bash (you get the idea).
Go back to your shell.
You can now run bash -p, then cat the root.txt file. The flag is revealed.
CONGRATS YOU HAVE ROOTED THIS MACHINE.
The next post will be on pwning a Windows machine (https://tryhackme.com/room/blue).
PS: This post was originally made on 15-06-2021.