Complete guide to the Vulnversity walkthrough
Vulnversity is a free room on TryHackMe. Before getting started, a reminder: you should complete the rooms below first for a better understanding.
Level 1 – Intro
- OpenVPN https://tryhackme.com/room/openvpn
- Welcome https://tryhackme.com/jr/welcome
- Intro to Researching https://tryhackme.com/room/introtoresearch
- Learn Linux https://tryhackme.com/room/zthlinux
- Crash Course Pentesting https://tryhackme.com/room/ccpentesting
Introductory CTFs to get your feet wet
- Google Dorking https://tryhackme.com/room/googledorking
- OHsint https://tryhackme.com/room/ohsint
- Shodan.io https://tryhackme.com/room/shodan
Level 2 – Tooling
- Tmux https://tryhackme.com/room/rptmux
- Nmap https://tryhackme.com/room/rpnmap
- Web Scanning https://tryhackme.com/room/rpwebscanning
- Sublist3r https://tryhackme.com/room/rpsublist3r
- Metasploit https://tryhackme.com/room/rpmetasploit
- Hydra https://tryhackme.com/room/hydra
- Linux Privesc https://tryhackme.com/room/linuxprivesc
Walkthrough
Task 1: Deploy the machine
The only thing to do in step one is deploy the machine.
Question 1: Deploy the machine
Answer: No answer needed
Task 2: Reconnaissance
The first step of every CTF or penetration test is the reconnaissance phase against the target. There are two types of recon: active and passive.
Active scanning:
An active vulnerability scanner sends "test traffic" to the nodes or endpoints on the enterprise network. It then examines the responses received from these nodes to assess which node represents a weak point.
Passive scanning:
A passive vulnerability scanner watches the network's traffic flow to collect information about its systems and endpoints. Unlike active scanners, a passive scanner does not directly interact with these systems by sending a probe request or requesting a probe response.
Here we are using nmap for network scanning. Nmap is an open-source tool that discovers hosts, open ports, service versions and more; essentially we are gathering information about the machine. I would suggest going through https://tryhackme.com/room/furthernmap first and then coming back here.
Now we are going to scan the box using nmap:
Scan the box: nmap -sV <machine IP>
Question 1: There are many nmap "cheatsheets" online that you can use too.
Answer: No answer needed
Question 2: Scan the box, how many ports are open?
Answer: 6
Question 3: What version of the squid proxy is running on the machine?
Answer: 3.5.12
Question 4: How many ports will nmap scan if the flag -p-400 was used?
Answer: 400
Question 5: Using the nmap flag -n what will it not resolve?
Answer: DNS
Question 6: What is the most likely operating system this machine is running?
Answer: Ubuntu
answer: no answer needed
Task 3: Locating Directories using GoBuster
Here we are going to dig into directory discovery using a tool called GoBuster, which brute-forces directory and file names quickly.
To install GoBuster on Kali Linux, use this command:
sudo apt-get install gobuster
If you are using Kali Linux you can find many wordlists under /usr/share/wordlists.
Now let's run GoBuster with a wordlist: gobuster dir -u http://<ip>:3333 -w <wordlist location>
Question: What is the directory that has an upload form page?
Answer: /internal/
Task 4: Compromise the webserver
We have found a form that lets us upload files. We can now leverage this upload to execute our payload and compromise the web server.
Question 1: What common file type, which you'd want to upload to exploit the server, is blocked? Try a couple to find out.
Answer: .php
Question 2: We're going to use Intruder (used for automating customised attacks). To begin, make a wordlist with the following extensions in:
To do this, we're going to use BurpSuite. If you are unsure what BurpSuite is, or how to set it up, please complete the BurpSuite room first.
Now make sure BurpSuite is configured to intercept all your browser traffic. Upload a file; once this request is captured, send it to Intruder. Click on "Payloads" and select the "Sniper" attack type.
Click the "Positions" tab now, find the filename and "Add §" to the extension. It should look like so.
Question 3: Run this attack, what extension is allowed?
Answer: .phtml
Question 4: What is the name of the user who manages the webserver?
Answer: Bill
Question 5: What is the user flag?
Answer: 8bd7992fbe8a6ad22a63361004cfcedb
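The reason the upload form falls to this task is the filter design: a deny-list that names .php lets a sibling extension (.phtml here) through. The following is an added example, not code from the room or the walkthrough author, showing that deny-list next to an allow-list that also checks file content and discards the client-supplied name; the allowed image types and their magic bytes are a constructed sample.

```python
import os
import secrets

# The weak filter the room demonstrates: a deny-list naming only .php.
DENY_LIST = {".php"}

def denylist_allows(filename: str) -> bool:
    """Vulnerable check: anything not literally '.php' passes, so a sibling
    extension that the web server also hands to the PHP interpreter
    (.phtml in this room) is accepted."""
    return os.path.splitext(filename)[1].lower() not in DENY_LIST

# Hardened filter: an allow-list of the few types the form really needs,
# each tied to the magic bytes a genuine file of that type starts with.
# (Constructed sample; extend only with types the application needs.)
ALLOW_LIST = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

def allowlist_allows(filename: str, content: bytes) -> bool:
    """Accept only a bare name with exactly one allowed extension whose
    content matches that type; reject path separators, dotfiles and
    double extensions such as 'x.php.png'."""
    if "/" in filename or "\\" in filename or filename.startswith("."):
        return False
    root, ext = os.path.splitext(filename)
    ext = ext.lower()
    if not root or "." in root or ext not in ALLOW_LIST:
        return False
    return content.startswith(ALLOW_LIST[ext])

def stored_name(filename: str) -> str:
    """Never keep the client's name: store under a random server-chosen
    name so the uploader cannot predict or steer the path that is served."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext
```

The allow-list only helps if the upload directory is also served without a script handler; the name check and the content check close the extension trick, the storage location closes the execution path.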
Task 5: Privilege Escalation
Now that we have gained a foothold, it's time to escalate our privileges! This is a hugely important part of pentesting, commonly referred to as privesc.
In this example, we are going to exploit SUID file permissions.
Question 1: On the system, search for all SUID files. What file stands out?
Answer: /bin/systemctl
Question 2: Become root and get the last flag (/root/root.txt)
Answer: a58ff8579f0a9270368d33a9966c7fd5
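The defender's counterpart to "search for all SUID files" is the same search run on a schedule and compared with a known-good baseline, so a binary like systemctl carrying the set-UID bit is flagged before anyone else finds it. This is an added example, not the room's or the author's code; the BASELINE set is a constructed, deliberately short sample and must be built from a clean reference image in practice.

```python
import os
import stat
from typing import Iterable, Iterator, List, Set, Tuple

# Constructed sample of SUID binaries expected on a stock install.
BASELINE: Set[str] = {"/bin/su", "/bin/mount", "/bin/umount",
                      "/usr/bin/sudo", "/usr/bin/passwd"}

def suid_files(root: str) -> Iterator[Tuple[str, int]]:
    """Walk `root` and yield (path, mode) for every regular file that has
    the set-UID bit; unreadable or vanished entries are skipped, not fatal."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_mode

def unexpected_suid(entries: Iterable[Tuple[str, int]],
                    baseline: Set[str] = BASELINE) -> List[str]:
    """Return, sorted, the SUID paths that are not in the baseline.
    An entry such as /bin/systemctl with mode 0o104755 lands here."""
    return sorted(path for path, _mode in entries if path not in baseline)

if __name__ == "__main__":
    for path in unexpected_suid(suid_files("/")):
        print("UNEXPECTED SUID:", path)
```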
Boom! We did it, congrats!!! 🥳