TryHackMe – Vulnversity
1. Task 1 can be completed by downloading the VPN file provided by TryHackMe and running openvpn on it with the given command: sudo openvpn <filename>
Task 2 – Begins
2. The next step is to scan the network. I performed an aggressive scan using nmap and, since it would be too slow, I sped it up by setting the timing template to 4.
3. This gave us the number of open ports, 6, which is used in task 2. It also gave us the version of the Squid proxy running, which is 3.5.12.
4. The next question's answer is 400. Let me explain why. -p is used to provide the port(s) to scan. This can be given as a single number, comma-separated numbers, or a range. -p-400 is the same as -p 1-400, so ports 1 through 400 would be scanned.
5. The next answer is DNS. This can be seen in the man page of nmap. Open it using the command man nmap, then press forward slash (/) to search, type -n and press enter. Remember this trick for searching man pages.
6. This machine is running Ubuntu. This can be seen in its nmap scan.
7. The web server is running on port 3333. This is also shown in the nmap scan. The web server is Apache httpd 2.4.18.
Task 3 – Begins
8. The next challenge is to locate hidden directories and files on the server. This can be done using GUI tools such as DirBuster or CLI tools such as gobuster, ffuf, etc.
9. For this I first tried ffuf and then also tried gobuster, since that's what the challenge wants us to use. So let's do that. The command used here is: gobuster dir -u http://10.10.40.215:3333 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
10. Checking them one by one I found an upload form on /internal. That's the answer to task 3. The upload form can be seen at the URL: 10.10.40.215:3333/internal
13. I've also created a file with lots of extensions to check against this position. This will be uploaded into the payload section.
28. Now, what the SUID bit means is that the binary is allowed to run with its owner's (admin) privileges for a part of its functioning. Not the whole file, just the small part that requires admin privileges. Searching on Google I came across this article which helped me in escalating my privileges.
29. The article explains that we will create a service file and then ask systemctl to run it for us. In this file we'll ask for admin privileges, and since the systemctl binary has the SUID bit set it will be allowed to do so.
30. Now I created a new temporary directory using the following command: mktemp -d
31. Then I created a new file (let's say file.service) and pasted the code into it. This code provides us with a reverse shell, so we have to start our listener in order to receive it. The command for it is: nc -lvnp 9999
32. Then I followed the next two lines of the article and got the reverse shell.
33. The last step is to cd to the root directory and cat the only file there.
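Added here as a defender-side check that is not part of the original write-up: a POSIX shell audit that lists setuid files under a tree and flags names such as systemctl that should never carry the bit, so the misconfiguration abused above is caught before someone else finds it. The WATCHLIST contents and the function names are my own choices, not anything from the room.

```shell
# Constructed watch list: binaries that should never be setuid. systemctl
# is the one this walkthrough abused; extend it to match your own baseline.
WATCHLIST="systemctl"

# audit_suid DIR
# Prints one line per setuid file under DIR: "FLAG path" for a watch-listed
# name, "INFO path" for everything else (passwd, sudo, etc. are expected).
audit_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort | while read -r f; do
        tag=INFO
        for w in $WATCHLIST; do
            if [ "$(basename "$f")" = "$w" ]; then
                tag=FLAG
            fi
        done
        printf '%s %s\n' "$tag" "$f"
    done
}

# count_flagged DIR
# Number of FLAG lines; a cron job can alert when this is non-zero.
# Remediation for a flagged binary is "chmod u-s" on it, then working out
# how the bit got set in the first place.
count_flagged() {
    audit_suid "$1" | grep -c '^FLAG ' || true
}

# new_since_baseline DIR BASELINE_FILE
# Prints setuid files present now but absent from a previously saved
# "audit_suid DIR" output, so a newly planted or chmod'ed binary shows up
# even if its name is not on the watch list.
new_since_baseline() {
    audit_suid "$1" | while read -r tag path; do
        grep -qxF "$tag $path" "$2" || printf '%s\n' "$path"
    done
}
```

Save `audit_suid /` once on a known-good host as the baseline, then schedule `new_since_baseline / baseline.txt` and `count_flagged /` to run periodically.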
Congratulations, you've completed the challenge, and thanks a lot for reading my article. Let me know if you need any clarification on any of the steps.