TryHackMe Vulnversity walkthrough

Complete guide to the Vulnversity walkthrough

Vulnversity is a free room on TryHackMe. Before getting started, let me remind you that you should complete the rooms below first for a better understanding.

1. Level 1 - Intro
-OpenVPN https://tryhackme.com/room/openvpn
-Welcome https://tryhackme.com/jr/welcome
-Intro to Researching https://tryhackme.com/room/introtoresearch
-Learn Linux https://tryhackme.com/room/zthlinux
-Crash Course Pentesting https://tryhackme.com/room/ccpentesting

Introductory CTFs to get your feet wet
-Google Dorking https://tryhackme.com/room/googledorking
-OHsint https://tryhackme.com/room/ohsint
-Shodan.io https://tryhackme.com/room/shodan

2. Level 2 - Tooling
-Tmux https://tryhackme.com/room/rptmux
-Nmap https://tryhackme.com/room/rpnmap
-Web Scanning https://tryhackme.com/room/rpwebscanning
-Sublist3r https://tryhackme.com/room/rpsublist3r
-Metasploit https://tryhackme.com/room/rpmetasploit
-Hydra https://tryhackme.com/room/hydra
-Linux Privesc https://tryhackme.com/room/linuxprivesc

Walkthrough

Task 1: Deploy the machine

Here in step one all you need to do is deploy the machine.

Question 1: Deploy the machine

Answer : No answer needed

Task 2: Reconnaissance

The first step of every CTF or penetration test is to perform reconnaissance on the target. There are two types of recon: active and passive.

Active scanning:
An active vulnerability scanner sends transmissions of “test traffic” to the nodes or endpoints on the enterprise network. It then examines the responses received from these nodes to assess which node represents a weak point.

Passive scanning:
A passive vulnerability scanner watches the network's traffic flow to collect information about its systems and endpoints. Unlike active scanners, a passive scanner does not directly interact with these systems by sending a probe request or waiting for a probe response.

Here we are using nmap for network scanning. Nmap is an open source tool that detects hosts, open ports, service versions and more; basically we are gathering information about the machine. I would suggest going through https://tryhackme.com/room/furthernmap first and then coming back here.

Now we are going to scan using nmap

Scan the box: nmap -sV <machine ip>
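As an added example that is not part of the room, a small parser for the text output of nmap -sV: it counts the ports reported as open (the question below asks for that number) and pulls the version string of a named service such as squid. The scan text is a constructed sample consistent with the answers on this page, not a real capture from the machine.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `nmap -sV` output (not a real scan of the room's box).
SAMPLE_SCAN = """\
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 10.10.10.10
Host is up (0.050s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE     VERSION
21/tcp   open     ftp         vsftpd 3.0.3
22/tcp   open     ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3128/tcp open     http-proxy  Squid http proxy 3.5.12
3333/tcp open     http        Apache httpd 2.4.18 ((Ubuntu))
8080/tcp filtered http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One port row: "<port>/<proto>  <state>  <service>  <version...>"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


def parse_ports(scan: str) -> List[Dict[str, str]]:
    """Return one dict per port row; header and banner lines are skipped."""
    rows = []
    for line in scan.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def count_open(scan: str) -> int:
    """Only rows in state 'open' count; filtered/closed rows do not."""
    return sum(1 for r in parse_ports(scan) if r["state"] == "open")


def service_version(scan: str, name_fragment: str) -> Optional[str]:
    """Dotted version number of the first row whose service/version mentions name_fragment."""
    for r in parse_ports(scan):
        if name_fragment.lower() in (r["service"] + " " + r["version"]).lower():
            m = re.search(r"\d+(\.\d+)+", r["version"])
            return m.group(0) if m else None
    return None
```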

Question 1: There are many nmap “cheatsheets” online that you can use too.

answer: No answer needed

Question 2: Scan the box, how many ports are open?

answer: 6


Question 3: What version of the squid proxy is running on the machine?

answer: 3.5.12

Question 4: How many ports will nmap scan if the flag -p-400 was used?

answer: 400


Question 5: Using the nmap flag -n what will it not resolve?

answer: DNS


Question 6: What is the most likely operating system this machine is running?

answer: ubuntu

Question 6: It's important to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (which can all be points of exploitation) is very important; don't forget that ports on a higher range might be open, so always scan ports after 1000 (even if you leave the scan running in the background).

answer: no answer needed

Task 3: Locating Directories using GoBuster

Here we are going to dig into the web server's directories. For that we use a tool called GoBuster, which does fast directory discovery.

 

To install GoBuster on Kali Linux use this command:

sudo apt-get install gobuster

If you are using Kali Linux you can find many wordlists under /usr/share/wordlists.

Now let's run GoBuster with a wordlist: gobuster dir -u http://<ip>:3333 -w <wordlist location>

 

Question: What is the directory that has an upload form page?

answer: /internal/

Task 4: Compromise the webserver

Now that we have found a form to upload files, we can leverage this upload to execute our payload and compromise the web server.

Question 1: What common file type, which you’d want to upload to exploit the server, is blocked? Try a couple to find out.

answer: .php

Question 2:  We’re going to use Intruder (used for automating customised attacks). To begin, make a wordlist with the following extensions in:

 

To do this, we're going to use BurpSuite. If you are unsure what BurpSuite is, or how to set it up, please complete the BurpSuite room first.

Once Intruder is ready, make a wordlist with the extensions listed in the question.

Now make sure BurpSuite is configured to intercept all your browser traffic. Upload a file, once this request is captured, send it to the Intruder. Click on “Payloads” and select the “Sniper” attack type.

Click the "Positions" tab now, find the filename and "Add §" to the extension. It should look like this:

 

Question 3: Run this attack, what extension is allowed?

answer: .phtml
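The finding above (.php blocked, .phtml accepted) is the classic failure of an extension blocklist. As an added example, not the room's code, here is a hypothetical blocklist check beside an allowlist-based one that also discards the client-supplied filename; the handler names and the allowed set are assumptions for illustration.

```python
import os
import secrets
from typing import Optional

# Hypothetical weak check: block a couple of "known bad" extensions.
# Any alias the web server also hands to the PHP engine (.phtml here) passes.
BLOCKED = {".php"}


def weak_filter_allows(filename: str) -> bool:
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED


# Hardened check: allowlist only what the form actually needs, refuse double
# extensions and path components, and store under a server-chosen random name
# so nothing the client typed ever becomes a filename under the web root.
ALLOWED = {".png", ".jpg", ".jpeg", ".pdf"}


def hardened_filter(filename: str) -> Optional[str]:
    """Return a safe storage name, or None when the upload must be rejected."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any directories
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if not root or ext not in ALLOWED:
        return None
    if "." in root:  # e.g. shell.phtml.png: don't rely on the last extension only
        return None
    return secrets.token_hex(16) + ext


def compare(filenames):
    """For each name, (weak verdict, hardened verdict) so the gap is visible."""
    return {
        name: (weak_filter_allows(name), hardened_filter(name) is not None)
        for name in filenames
    }
```

Pair the allowlist with a web server configuration that never executes anything from the upload directory; the filename check alone is only one layer.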

Question 4:  What is the name of the user who manages the webserver?

answer: Bill

Question 5: What is the user flag?

answer: 8bd7992fbe8a6ad22a63361004cfcedb

Task 5: Privilege Escalation

Now that we have gained a foothold, it’s time to escalate our privileges! This is a hugely important part of pentesting, commonly referred to as privesc.

In this example, we are going to be exploiting SUID file permissions.

Question 1: On the system, search for all SUID files. What file stands out?

answer: /bin/systemctl
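The question above is exactly what a defender's SUID audit does: list every setuid binary and diff it against a baseline so that an out-of-place one like /bin/systemctl stands out. As an added example, not from the room, the walker below does that over a constructed temporary tree; the baseline set is a placeholder, not an authoritative list for any distribution.

```python
import os
import stat
import tempfile
from typing import Iterable, List, Set

# Placeholder baseline of SUID binaries you expect; build yours from a golden image.
EXPECTED_SUID: Set[str] = {"/bin/su", "/usr/bin/passwd", "/usr/bin/sudo"}


def find_suid(root: str) -> List[str]:
    """Walk root and return regular files with the setuid bit set (symlinks skipped)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def unexpected_suid(paths: Iterable[str], baseline: Set[str], root: str = "/") -> List[str]:
    """Setuid files not in the baseline, reported as absolute names relative to root."""
    names = []
    for p in paths:
        rel = "/" + os.path.relpath(p, root).replace(os.sep, "/")
        if rel not in baseline:
            names.append(rel)
    return sorted(names)


def build_sample_tree() -> str:
    """Constructed sample filesystem: two setuid files, one of them off-baseline."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    os.makedirs(os.path.join(root, "bin"))
    for name, mode in (("su", 0o4755), ("systemctl", 0o4755), ("ls", 0o755)):
        path = os.path.join(root, "bin", name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print(unexpected_suid(find_suid(sample), EXPECTED_SUID, sample))
```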

Question 2: Become root and get the last flag (/root/root.txt)

answer: a58ff8579f0a9270368d33a9966c7fd5

Boom! We did it, congrats!!! 🥳