    Tryhackme Vulnversity walkthrough

    By KRiPPto99 | September 26, 2022 | Updated: October 2, 2022

    Complete Guide to the Vulnversity Walkthrough

    Vulnversity is a free room on TryHackMe. Before getting started, a reminder: complete the rooms below first for a better understanding.

    1. Level 1 – Intro
      - OpenVPN https://tryhackme.com/room/openvpn
      - Welcome https://tryhackme.com/jr/welcome
      - Intro to Researching https://tryhackme.com/room/introtoresearch
      - Learn Linux https://tryhackme.com/room/zthlinux
      - Crash Course Pentesting https://tryhackme.com/room/ccpentesting

      Introductory CTFs to get your feet
      - Google Dorking https://tryhackme.com/room/googledorking
      - OhSINT https://tryhackme.com/room/ohsint
      - Shodan.io https://tryhackme.com/room/shodan

    2. Level 2 – Tooling
      - Tmux https://tryhackme.com/room/rptmux
      - Nmap https://tryhackme.com/room/rpnmap
      - Web Scanning https://tryhackme.com/room/rpwebscanning
      - Sublist3r https://tryhackme.com/room/rpsublist3r
      - Metasploit https://tryhackme.com/room/rpmetasploit
      - Hydra https://tryhackme.com/room/hydra
      - Linux Privesc https://tryhackme.com/room/linuxprivesc

    Walkthrough

    Task 1: Deploy the machine

    In step one, all you need to do is deploy the machine.

    Question 1: Deploy the machine

    Answer : No answer needed

    Task 2: Reconnaissance

    The first step of every CTF or penetration test is the recon phase on the target. There are two types of recon: active and passive.

    Active scanning:
    An active vulnerability scanner sends transmissions of “test traffic” to the nodes or endpoints on the enterprise network. It then examines the responses received from these nodes to assess which node represents a weak point.

    Passive scanning:
    A passive vulnerability scanner watches the network’s traffic flow to collect information about its systems and endpoints. Unlike active scanners, a passive scanner does not directly interact with these systems by sending a probe request or requesting a probe response.

    Here we use nmap for network scanning. nmap is an open-source tool that helps detect hosts, networks and more; basically, we are gathering information about the machine. I suggest going through https://tryhackme.com/room/furthernmap and this, then coming back here.

    Now we are going to scan using nmap.

    Scan the box: nmap -sV <machine's IP>

    Question 1: There are many nmap “cheatsheets” online that you can use too.

    answer: No answer needed

    Question 2: Scan the box, how many ports are open?

    answer: 6

     

    Question 3: What version of the squid proxy is running on the machine?

    answer: 3.5.12

    Question 4: How many ports will nmap scan if the flag -p-400 was used?

    answer: 400

     

    Question 5: Using the nmap flag -n what will it not resolve?

    answer: DNS

     

    Question 6: What is the most likely operating system this machine is running?

    answer: ubuntu

    Question 6: It’s important to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (which can all be points of exploitation) is very important; don’t forget that ports on a higher range might be open, so always scan ports after 1000 (even if you leave scanning in the background).

    answer: no answer needed

    Task 3: Locating Directories using GoBuster

    Here we take a deep dive into directories, using a tool called gobuster for fast directory discovery.

    To install Gobuster on Kali Linux, use this command:

    sudo apt-get install gobuster

    If you are using Kali Linux, you can find many wordlists under /usr/share/wordlists.

    Now let's run GoBuster with a wordlist: gobuster dir -u http://<ip>:3333 -w <word list location>

     

    Question: What is the directory that has an upload form page?

    answer: /internal/

    Task 4: Compromise the webserver

    We have already found a form for uploading files. We can now leverage this upload to execute our payload and compromise the web server.

    Question 1: What common file type, which you’d want to upload to exploit the server, is blocked? Try a couple to find out.

    answer: .php

    Question 2:  We’re going to use Intruder (used for automating customised attacks). To begin, make a wordlist with the following extensions in:

     

    To do this, we’re going to use BurpSuite. If you are unsure what BurpSuite is or how to set it up, please complete our BurpSuite room first.

    Now we are going to use Intruder. To begin, make a wordlist with the following extensions in:

    Now make sure BurpSuite is configured to intercept all your browser traffic. Upload a file, once this request is captured, send it to the Intruder. Click on “Payloads” and select the “Sniper” attack type.

    Click the “Positions” tab now, find the filename and “Add §” to the extension. It should look like so

     

    Question 3: Run this attack, what extension is allowed?

    answer: .phtml
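
The filter in this task rejects .php but accepts .phtml, which is the typical failure of an extension denylist. As an added example (not code from the original post or the room), the sketch below contrasts that check with an allowlist and server-chosen file names; the allowed image extensions, function names and sample file names are assumptions.

```python
import os
import secrets

# Assumption: this upload form only needs to accept images.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
# The weak pattern from the task: block one known-bad extension.
DENYLIST = {".php"}


def denylist_accepts(filename: str) -> bool:
    """Denylist check: anything not explicitly blocked gets through."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENYLIST


def allowlist_accepts(filename: str) -> bool:
    """Allowlist check: exactly one extension, and it must be expected."""
    if any(c in filename for c in ("/", "\\", "\x00")):
        return False                      # no paths or NUL bytes in names
    stem, dot, ext = filename.lower().partition(".")
    if not stem or not dot or "." in ext:
        return False                      # hidden files, no or double extension
    return "." + ext in ALLOWED_EXTENSIONS


def stored_name(filename: str) -> str:
    """Return a server-chosen name; the client's name is never used on disk."""
    if not allowlist_accepts(filename):
        raise ValueError(f"rejected upload: {filename!r}")
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


def compare(filenames):
    """Map each name to (denylist verdict, allowlist verdict)."""
    return {n: (denylist_accepts(n), allowlist_accepts(n)) for n in filenames}


if __name__ == "__main__":
    # Constructed sample names, using the two extensions from this task.
    samples = ["notes.php", "notes.phtml", "photo.JPG", "photo.phtml.jpg"]
    for name, verdicts in compare(samples).items():
        print(f"{name:18} denylist={verdicts[0]!s:5} allowlist={verdicts[1]}")
```

Extension checks are only one layer: uploads should also be stored outside the web root, or in a directory where the server is configured not to execute scripts.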

    Question 4:  What is the name of the user who manages the webserver?

    answer: Bill

    Question 5: What is the user flag?

    answer: 8bd7992fbe8a6ad22a63361004cfcedb

    Task 5: Privilege Escalation

    Now that we have gained a foothold, it’s time to escalate our privileges! This is a hugely important part of pentesting, commonly referred to as privesc.

    In this example, we are going to be exploiting SUID file permissions

    Question 1: On the system, search for all SUID files. What file stands out?

    answer: /bin/systemctl
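
/bin/systemctl stands out because a service manager is not among the binaries that normally need the SUID bit. As an added example (not code from the original post or the room), the audit below walks a filesystem and reports SUID files that are missing from a baseline; the baseline contents, skipped directories and function names are assumptions to adapt per host.

```python
import os
import stat

# Assumption: the SUID binaries this host is expected to ship with.
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/bin/mount"}
SKIP_DIRS = {"/proc", "/sys", "/dev"}


def find_suid(root: str = "/"):
    """Return sorted paths of regular files under root with the SUID bit set."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        # Prune pseudo filesystems so the walk stays on real files.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode   # lstat: do not follow symlinks
            except OSError:
                continue                        # vanished or unreadable entry
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def audit(root: str = "/", expected=EXPECTED_SUID):
    """Return SUID paths (relative to root) that are not in the baseline."""
    found = ("/" + os.path.relpath(p, root) for p in find_suid(root))
    return [p for p in found if p not in expected]


if __name__ == "__main__":
    for path in audit():
        print("unexpected SUID binary:", path)
```

Anything the audit reports should be reviewed, and the bit removed with chmod u-s where it is not required.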

    Question 2: Become root and get the last flag (/root/root.txt)

    answer: a58ff8579f0a9270368d33a9966c7fd5

    Boom! we did it congrats!!!🥳
