TryHackMe - Vulnversity Walkthrough
Key Takeaways
This video demonstrates a walkthrough of the Vulnversity challenge on TryHackMe, covering reconnaissance, web application exploitation, and Linux privilege escalation using tools like nmap, GoBuster, Burp Suite, and netcat.
Full Transcript
[Music] hey guys hackersploit here back again with another video welcome back to the try hack me series in this video we're going to be taking a look at von versity so this particular room is set out to teach you how to perform active reconnaissance uh web application attacks and privilege escalation so i've already started the machine or this particular box and the the actual tasks are sorted in in the form of phases so you have your your deployment you then have reconnaissance uh directory brute forcing with go buster uh your initial exploitation phase and finally privilege escalation so let's go through it i've already deployed my machine let's take a look at the reconnaissance phase and the reconnaissance essentially involves performing an nmap scan to detect the uh the open ports and the services that are running on these ports as well as some basic operating system detection but the first thing you can see it says is scan the box how many ports are open so i've already performed the scan and i'll just i'll actually you know we'll actually go through it together so if we take a look at the actual scan here we can see that we have one two three four five six so we have six ports we'll just provide the amount there or the quantity there there we go so that's the correct answer what version of squid proxy is running on the machine let's take a look at that so we have squid proxy it is 3.5.12 by the way you can take a look at my nmap options right over there so let's provide the version number so five point one two and it's going to ask us how many ports will an nmap scan uh how many ports will nmap scan if the flag be 400 was used so that means it's going to scan 400 ports there we are so that is correct uh using the nmap flag n what will it not resolve that's obvious that is dns uh by the way you can easily get the answers to these uh you know if you're familiar with how to if i say for example uh man nmap and then we can grep and we can use an expression and the expression is going to be n so that is dns resolution so there we also no dns resolution so that is fairly easy to enumerate so we'll hit submit it's going to ask us what is the most likely operating system that this machine is running from the various banners that we were able to enumerate i'll just um let me just scroll to the top here actually can um like no let me just cut out the end map results for you there we are um so from uh operating system detection standpoint you can see that the banners tell us that we're running ubuntu so i can just provide ubuntu as the answer here here we are and it's going to ask us what port is the web server running on so if we take a look at this we don't have anything running on port 80 uh we have the squid proxy which is on 3128 and the web server is on 3333 so we can actually try and open that up i'll copy the ip there and we'll just paste that in there three three three three hit enter and it takes us to a web page all right so that is 3333 hit submit so it's going to say it's important to ensure you're always doing your reconnaissance thoroughly before progressing knowing all open services which can be all points of exploitation is very important don't forget that ports on a higher range might be open so always scan ports after a thousand so that means uh essentially just scan through all the entire tcp port range as well as udp which is 65 535 and that can be done by specifying the option uh minus b minus uh when performing your nmap scan alright so we'll hit complete there and that is done we can move on to the the actual directory brute forcing phase which is done with go buster which is great um so it essentially gives you an introduction to go bust in how to install it on kali and what we have to do is to primarily perform a directory brute force on the web server and our job is i'm guessing to locate there we are so we need to locate the actual name of the upload form page all right so to do this we'll simply say sudo go buster and we say url is going to be i think i've pasted that there so there we are that's the correct url and http there we are and we will then say this is port 3333 word list um and we'll say user share uh sec lists and we'll use web content uh actually we need to use uh discovery uh discovery and we then say web content and we can use common the common options which uh which should be here so that way it's common dot txt right and we hit enter and it's going to begin the um the actual directory brute forcing unknown flag i think that's just you let me just change that to you there we are some reason that is not the correct option that's weird i'm pretty sure that is the actual syntax um so go bust uh directory up i forgot to specify directory brute forcing that's my bad uh word list uh just say word list that we are so that's going to start the directory brute forcing and we'll give this a few seconds you know to the point where it actually discovers some interesting directories or in this case the upload form page all right so we were able to detect a directory called internal let's check that out and see whether that yields anything interesting so internal and um yeah there we are so that looks like the actual upload form so i'm just going to specify that here so internal and we'll hit submit that is the upload form and that is correct so we've completed the directory brute forcing which i think we should have done now so let me just hit complete there there we are all right so we can move on to the initial exploitation phase which involves compromising the web server so it says now that you've found a form to upload files we can leverage this to upload and execute our payload that will lead to the compromising of the web server uh try upload uh try to upload a few a few file types to the server what common extension seems to be blocked so we're trying to bypass the upload filters here um so what i'll do firstly let me just terminate the go bust scan here or the actual brute force here what i'll do is i will i think i have a reverse shell on my desktop let me just check if i have the php reverse shell uh there we are shells and this is under php reverse shell there we are and uh we'll just copy the php reverse shell into our current directory and we'll just move it from php reverse shell and i'll just call it shell.php right um so we can actually use um burp suite just to try and analyze the actual request here so i'm just going to say use burp for all proxies and we'll start up burp suite here so we'll give that a few seconds to start up and i'll hit close next start burp and we want to make sure that intercept is enabled so proxy intercept is on and then we'll just browse and specify the shell.php file here and hit submit all right so for the accept parameter here we can see that we have html xhtml xml image for images we have a web b apng but nothing else so it doesn't really give us the allowed extensions um so as per what this is saying here uh we need to see what common extensions seem to be blocked so we can actually test this um with the php shell which we just sent over and it says extension is not allowed so i'm guessing that is the extension that's being blocked as we are running this on a linux server um so just disable foxy proxy there so this is going to be php and then i can hit submit and that is correct all right so to identify which extensions are blocked are not blocked we are going to files them we're going to fast the upload form to do this we're going to use burp suite if you're unsure of what burp sweet is you can check out the web suite room we'll probably take a look at that there so we'll just hit complete um so it's going to say we're going to use intruder for used for automating customized attacks or brute force attacks uh commonly used uh you know to brute force login pages in this case even upload we can pretty much specify any parameter that we want to brute force um to begin make a word list with the following extension so it's going to ask us to actually create a file that contains a list of extensions that we can then test for right to see which one will be accepted so i'll just say vim extensions or we'll just call it extensions dot txt and we'll just say we need to use their options which is php to php html right so dot php php3 php4 php5 and phtml hp html correct all right so those are the extensions um so we now need to intercept a request i'm guessing and then specify the payload for the file extension so click the positions tab and then add the actual extension so that is dot php and add that and we're using the sniper attack and we then run the attack and see what extensions are allowed okay so we can do that now i'm just going to try and resubmit the php file again and we'll intercept that we'll just use burp there and hit submit there we are and we now want to send this to the intruder and within the intruder we want the position we'll just clear the automatic positions that they added and we want to add the extension position we want to hit add the attack type is sniper for the payload we're just going to use a simple list and load the list that we created which is extensions.txt hit open and we can then hit start the attack uh hopefully this gives us the results we're looking for so it looks like it's giving uh it's giving us you know the same response for every extension which i'm not sure should be happening is there url encoding there i think that uh that might be the issue there as well um so we can i think we can change this within the request so that is there um and then can we url encode that uh url encode as you type um sorry shell.php uh let's just add that again as the parameter so add and let's try and select that there that should work i'm not really sure why it isn't working as it's already highlighted here but we can manually test them as well so around this attack what extension is allowed so we need to actually determine that extension and then we can use the same reverse shell to get a shell here and we can then get the user flag all right so um what i'll do is we'll just try and rename this to maybe we can we can actually uh the actual hint here as it says looks like it's uh five characters so we can try php html so move shell dot php to shell.phtml html there we are and we can try and upload and test to see whether this works and for the proxy here i'll just hit forward and you know what we can actually just disable foxy proxy now so choose file shell.phtml and hit submit and yeah that looks like it worked all right so we now need to set up our netcat listener so netcat nvlp1234 by the way i think i had already configured the shell but uh they configured the shell shell.p html i think i've already customized it no i did not so we'll have to upload a new one my bad uh so let me just get my ip address here um so ipas and my ip address is 10 yeah that's the one there so and we'll just change the uh we'll just change the ip sorry let me just go take a step back and we can then modify the ip here and we can then upload it again so we'll just call this move shell to you know just and we'll just call it html and then netcat nvlp1234 okay we'll just upload that one as well so user.html and hit submit and that's worked as well so we can say dhtml for the answer here that is correct all right so this is essentially involves setting up the reverse shield which we just did and we can complete that and then i think all we need to do is access internal uploads let's try and access that now um uploads and we have the both the shells that we uploaded so we'll just say user and we get a reverse shell and uh it looks like a simple uh shell session here and um uh the current user that we're logged in as is developed up data and if we enumerate the users on the system so cat etsy password we can see we have root the root user we also have uh another user called bill so let's try and access the user the home directory for the user bill and cat user.txt right i'm guessing that was the actual question here so what is the name of the user manages the web server i think that's bill let's try bill it might yeah that's correct it might have also been www.data and then we need to paste in the flag there all right so we'll copy that and we'll put in the flag and sorry don't need a hint hit submit and that is correct so i think we've completed the initial exploitation phase the next step involves uh performing or locating suid binary so again seo privilege escalation through su id binaries are quite common especially in ctfs and you might also run into them in the wild especially you know where you have administrators who create them to do something or to you know to actually complete or perform a certain task so an suid binary is a special type of file permission given to a file suid gives temporary permissions to a user to run a program or file with with the permission of the file owner so what this means in the context of privilege escalation this is a binary could be any binary it could also be a system binary that has the suid permission and what this means is that this binary can be used by any other use on the system and can be run with the the permission of the owner so that means that uh if if su id has been set for a binary by the root user any user can use that binary to run commands as root so that essentially is what it means so for example the binary file to change your password has the suid bit set onto it this is because to change your password you will need to write to the shadows file so that's just an example it also it also gives you an image that explains the s u i d uh the uid permission here all right so uh on the system search for all suid files what file stands out all right so there's there's plenty of ways you can actually search for suid files uh one of the simplest ways just to specify the user that that actually owns the binary so i'll just do it with you right now so we can say for example find within the root of of the of the file system and then we specify the use option which is going to be root and then we specify the permissions so 4000 and then we specify uh you know print and then that is 2 that is output into dev null hit enter let's see if we can find any suid binaries here it doesn't actually tell us how to find them which is interesting so we can actually check their their method all right so from the actual command i was able to identify the following binaries that have you know suid permissions set on to them and in in this particular case you can see we have the password one which is quite standard and you know we can say for example password root but i don't think this will work so again it tells us you may not view or modify the password information for root uh the one that looks really interesting to me is system control so system control is the init a system used on most modern linux distributions and what that means is we can essentially create our own service that can execute arbitrary commands as a particular user because it's not common that the system controlled binary has suid permission so we can essentially run a particular command as root and in this particular case what we can do is we can spawn a reverse shell that will connect back to our netcat listener now the first thing we need to do is firstly verify that that is control that is correct so uh system ctl let's see if that is correct uh yes that is correct all right so it's challenge time we've guided you through this far you're able to exploit the system further to elevate your privileges and get the final answer uh become root and get the last flag under root and root.txt all right so what we'll do is we will use system control um to actually um to to to so we will actually create our own service linux service and then we'll use system control to enable it and start it right so the way we'll do this is we'll move into the temp directory and i'll just open up a new session here right and i'll just move into my triacmi folder under von versity and we'll just say root.service all right and in order to create a system d service it really is very simple we specify the unit option first and we we can then provide a description so we can say description um we can just say root right that's just exactly what it's doing and then for the service the service specification itself we need to specify the type which in this case is going to be simple and then we need to specify the user this is very important that's going to be root and then we need we can then execute the command in this case uh what we'll do is we'll use bash so i hope bash works others you'll have to use a standard shell session and then bash is going to execute the following command so i'm just going to quickly google search for bash reverse shell because i want to make sure that i get the syntax correct here tcp so this is it right over here so we need to copy that and then i need my ip address ipas and we can then go back into vim and then we say i can paste that in there so bash1 and then our ip address is going to be 10 6 52 119 all right so 10 6 52 119 10 6 52 119 119 and then for the port we'll just use 42 42 actually just four four four four and that is what is going to be executed right so uh that looks correct and then finally we just say we specify the install options uh and then we say wanted by and this is multi-user so we say multi uh user dot target so let's just go through this again i just want to make sure that everything is correct uh multi-user target that is set correctly uh the actual execution of our reverse shell looks like it's correct and yeah so that looks good so now we have the service so it's root dot service and then of course let me just copy my p here because i don't want to remember this actually quite difficult to remember i will go back into our netcat session i'll just say well what i want to do now is i actually want to serve this file so we'll use sudo python simple http server on port 80 right and we'll then serve this particular file and we can then get it so http paste in the ip and this is root.service right and we get root.service that is done and then we just say netcat nvlp4444 let's set up the listener there and then we go back to our initial terminal here and we then say systemctl enable root.service uh we need to specify the directory should i have done this within the temp directory anyway we can just test it out so tmp root dot root.service all right so that worked out and then we say systemctl and then start and then root all right and we can check our netcat session and we get a reverse shell there so that worked out well and we're currently as the root user so we can go into root and we then uh cut the contents of root.txt and we get the actual flag and let's confirm that that is the flag and we'll paste that in there and hit submit and that is complete all right so yeah uh there we go so that was vulnerability on try hack me a really interesting box i like that they went for suid or privilege escalation through suid binaries it's really a legitimate way of elevating your privileges and it's really really common to find many uh binaries in in many cases system binaries like system control uh that have the suid permissions set to them or set on them so yeah interesting box i'll be continuing with try acme because there's a lot of requests uh for me to actually you know try out the various rooms in this on this platform so i'll be going through that if you have any questions or suggestions let me know in the comment section uh you can also join in the discussion for this particular video and others on our forum at forum.hackersplay.org and i'll be seeing you in the next video
Original Description
In this video, I will be taking you through the Vulnversity challenge on TryHackMe. We will go through the process of reconnaissance, web application exploitation, and Linux privilege escalation.
-----------------------------------------------------------------------------------
BLOG ►► https://bit.ly/3qjvSjK
FORUM ►► https://bit.ly/39r2kcY
ACADEMY ►► https://bit.ly/39CuORr
-----------------------------------------------------------------------------------
TWITTER ►► https://bit.ly/3sNKXfq
INSTAGRAM ►► https://bit.ly/3sP1Syh
LINKEDIN ►► https://bit.ly/360qwlN
PATREON ►► https://bit.ly/365iDLK
MERCHANDISE ►► https://bit.ly/3c2jDEn
-----------------------------------------------------------------------------------
CYBERTALK PODCAST ►► https://open.spotify.com/show/6j0RhRiofxkt39AskIpwP7
-----------------------------------------------------------------------------------
We hope you enjoyed the video and found value in the content. We value your feedback, If you have any questions or suggestions feel free to post them in the comments section or contact us directly via our social platforms.
-----------------------------------------------------------------------------------
Thanks for watching!
Благодарю за просмотр!
Kiitos katsomisesta
Danke fürs Zuschauen!
感谢您观看
Merci d'avoir regardé
Obrigado por assistir
دیکھنے کے لیے شکریہ
देखने के लिए धन्यवाद
Grazie per la visione
Gracias por ver
شكرا للمشاهدة
-----------------------------------------------------------------------------------
#CTF#TryHackMe
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from HackerSploit · HackerSploit · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
How To Install Kali Linux 2.0 On Virtual Box
HackerSploit
100 Subscriber Q&A! - How I Learned Ethical Hacking
HackerSploit
BlackArch Linux Review - Better Than Kali Linux?
HackerSploit
How to Access the Deep Web Safely | Deep Web Starter Guide 1.0
HackerSploit
Wireshark Tutorial for Beginners - Installation
HackerSploit
Wireshark Tutorial for Beginners - Overview of the environment
HackerSploit
Wireshark Tutorial for Beginners - Capture options
HackerSploit
Wireshark Tutorial for Beginners - Filters
HackerSploit
Complete Ethical Hacking Course - Become a Hacker Today - #1 Hacking Terminology
HackerSploit
Complete Ethical Hacking Course #2 - Installing Kali Linux
HackerSploit
Parrot OS 3.5 Review | The Best Kali Linux Alternative
HackerSploit
Nmap Tutorial For Beginners - 1 - What is Nmap?
HackerSploit
Katoolin | How To Install Pentesting Tools On Any Linux Distro
HackerSploit
Nmap Tutorial For Beginners - 2 - Advanced Scanning
HackerSploit
Nmap Tutorial For Beginners - 3 - Aggressive Scanning
HackerSploit
Zenmap Tutorial For Beginners
HackerSploit
How To Setup Proxychains In Kali Linux - #1 - Stay Anonymous
HackerSploit
How To Setup Proxychains In Kali Linux - #2 - Change Your IP
HackerSploit
How To Change Mac Address In Kali Linux | Macchanger
HackerSploit
How To Setup And Use anonsurf On Kali Linux | Stay Anonymous
HackerSploit
Ubuntu 17.04 "Zesty Zapus" Review - Bye Unity
HackerSploit
VPN And DNS For Beginners | Kali Linux
HackerSploit
Tails OS Installation And Review - Access The Deep Web/Dark Net
HackerSploit
Steganography Tutorial - Hide Messages In Images
HackerSploit
The Lazy Script - Kali Linux 2017.1 - Automate Penetration Testing!
HackerSploit
Best Linux Distributions For Penetration Testing
HackerSploit
Netcat Tutorial - The Swiss Army Knife Of Networking - Reverse Shell
HackerSploit
Gaining Access - Web Server Hacking - Metasploitable - #1
HackerSploit
Web Server Hacking - FTP Backdoor Command Execution With Metasploit - #2
HackerSploit
How To Install Kali Linux On VMware - Complete Guide 2018
HackerSploit
Q&A #1 - Best Cyber-security Certifications?
HackerSploit
Terminator - Kali Linux - Multiple Terminals
HackerSploit
Shodan Search Engine Tutorial - Access Routers,Servers,Webcams + Install CLI
HackerSploit
Q&A #2 - Mr Robot?
HackerSploit
Metasploit Community Web GUI - Installation And Overview
HackerSploit
Linux Expl0rer - Forensics Toolbox - Installation & Configuration
HackerSploit
QuasarRAT - The Best Windows RAT? - Remote Administration Tool for Windows
HackerSploit
Metasploit For Beginners - #1 - The Basics - Modules, Exploits & Payloads
HackerSploit
Metasploit For Beginners - #2 - Understanding Metasploit Modules
HackerSploit
Kali Linux Quick Tips - #1 - Adding a non-root user
HackerSploit
Metasploit For Beginners - #3 - Information Gathering - Auxiliary Scanners
HackerSploit
Spectre Meltdown Vulnerability - How To Check Your System
HackerSploit
Metasploit For Beginners - #4 - Basic Exploitation
HackerSploit
ARP Spoofing With arpspoof - MITM
HackerSploit
WordPress Vulnerability Scanning With WPScan
HackerSploit
Generating A PHP Backdoor with weevely
HackerSploit
Nikto Web Vulnerability Scanner - Web Penetration Testing - #1
HackerSploit
How To Install Kali Linux On Windows 10 - Windows Subsystem For Linux
HackerSploit
Stacer - System Optimizer And Monitoring Tool For Linux
HackerSploit
Kali Linux 2018.1 - Kernel Updates & Patches
HackerSploit
MITM With Ettercap - ARP Poisoning
HackerSploit
Password Cracking With John The Ripper - RAR/ZIP & Linux Passwords
HackerSploit
How To Detect Rootkits On Kali Linux - chkrootkit & rkhunter
HackerSploit
Channel Updates - How To Post Questions & Video Suggestions
HackerSploit
Web App Penetration Testing - #1 - Setting Up Burp Suite
HackerSploit
Web App Penetration Testing - #2 - Spidering & DVWA
HackerSploit
Cl0neMast3r - GitHub Repository Cloning Tool
HackerSploit
Kali Linux On Windows 10 Official - WSL - Installation & Configuration
HackerSploit
DoS/DDoS Protection - How To Enable ICMP, UDP & TCP Flood Filtering
HackerSploit
Web App Penetration Testing - #3 - Brute Force With Burp Suite
HackerSploit
More on: Security Basics
View skill →Related Reads
🎓
Tutor Explanation
DeepCamp AI