Introduction

This post is a walkthrough for the Vulnversity” challenge on TryHackMe, designed to practice basic web exploitation and privilege escalation techniques in a controlled environment. The tutorial focuses on web-based vulnerability exploitation, basic privilege escalation, and file upload bypass techniques. This challenge emphasizes the core methodology of recon, exploitation, and privilege escalation in penetration testing.

HackTheBox Certified Penetration Testing Specialist Study Notes

OSCP Study Notes

Web Hacking & Pentesting Study Notes

What is Penetration Testing

Penetration testing, or “pen testing,” is a security assessment process where cybersecurity professionals simulate real-world attacks on a computer system, network, or web application to identify vulnerabilities. The goal is to uncover and address security weaknesses before malicious hackers exploit them. Here’s an overview:

1. Purpose of Penetration Testing

  • Identify Vulnerabilities: Pinpoint weaknesses in an organization’s infrastructure, applications, and configurations.
  • Improve Security Posture: Offer insights for strengthening defenses and mitigating risks.
  • Compliance and Assurance: Many industries require regular pen tests to meet security compliance standards (e.g., PCI-DSS for payment systems).

2. Types of Penetration Testing

  • Network Penetration Testing: Targets network infrastructure, assessing firewall, router, and server security.
  • Web Application Penetration Testing: Focuses on web apps, testing for vulnerabilities like SQL injection, XSS (Cross-Site Scripting), and authentication weaknesses.
  • Social Engineering: Tests human factors by attempting to manipulate employees into revealing sensitive information.
  • Wireless Penetration Testing: Assesses the security of Wi-Fi networks, ensuring strong encryption and configuration.
  • Physical Penetration Testing: Evaluates physical security, such as entry points, ID checks, and access control mechanisms.

3. Stages of Penetration Testing

  • Planning and Reconnaissance: Define the scope and gather information (e.g., IP addresses, software details).
  • Scanning: Identify entry points by examining the target’s response to various inputs.
  • Gaining Access: Attempt to exploit vulnerabilities to gain unauthorized access.
  • Maintaining Access: Simulate advanced attacks to see how long access can be sustained.
  • Analysis and Reporting: Document findings, analyze results, and provide recommendations.

4. Penetration Testing Tools

  • Nmap: A tool for network discovery and security auditing.
  • Metasploit: A framework for developing and executing exploit code.
  • Burp Suite: A toolkit for web application security testing.
  • Wireshark: A network protocol analyzer for capturing and inspecting data packets.
  • OWASP ZAP: An open-source tool for finding vulnerabilities in web applications.

5. Importance of Penetration Testing

  • Proactive Security: Finds and fixes vulnerabilities proactively, reducing the risk of cyberattacks.
  • Protects Sensitive Data: Ensures that sensitive data remains secure by identifying risks before they can be exploited.
  • Continuous Improvement: Regular testing helps maintain a robust security posture as technologies and threats evolve.

6. Challenges in Penetration Testing

  • Scope Creep: Expanding beyond the initially defined scope, which can make results unfocused.
  • False Positives: Incorrectly identifying vulnerabilities that aren’t truly exploitable.
  • Resource-Intensive: Requires time, skilled personnel, and specialized tools, which can be costly for organizations.

Penetration Testing Methodology

Initial Nmap Scan:

  • An Nmap scan is used to identify open ports and services. Key open ports include:
    • FTP (21), SSH (22), Samba (139, 445),
    • Squid proxy (3128), and an HTTP server on port 3333 (Apache).
  • The scan provides version information, which is crucial for determining potential vulnerabilities.

Directory Enumeration:

  • Using Gobuster, directories on the web server are enumerated. The /internal directory is identified, containing an upload page—a potential entry point for uploading a reverse shell.

Reverse Shell Upload and Execution:

  • The upload page filters certain file types, so the reverse shell is renamed with a .phtml extension to bypass restrictions.
  • Once uploaded successfully, the shell is accessed through the /internal/uploads path, establishing a connection to the attacker’s machine.

Privilege Escalation:

  • After accessing the server as a low-privileged user, further enumeration identifies an exploitable SUID binary, systemctl.
  • Systemctl Exploit: By crafting a malicious service file, the systemctl command is leveraged to escalate privileges to the root user.

Retrieving Flags:

  • The root flag is located in the root user’s directory after privilege escalation, marking the final step of the challenge.

Room Answers | TryHackMe Basic Pentesting Walkthrough

There are many Nmap “cheatsheets” online that you can use too.

No answer needed

Scan the box; how many ports are open?

6

What version of the squid proxy is running on the machine?

3.5.12

How many ports will Nmap scan if the flag -p-400 was used?

400

What is the most likely operating system this machine is running?

Ubuntu

What port is the web server running on?

3333

It’s essential to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (which can all be points of exploitation) is very important, don’t forget that ports on a higher range might be open, so constantly scan ports after 1000 (even if you leave checking in the background).

No answer needed
What is the flag for enabling verbose mode using Nmap?

-v

I have successfully configured Gobuster.

No answer needed

What is the directory that has an upload form page?

/internal/

What common file type you’d want to upload to exploit the server is blocked? Try a couple to find out.
.php

I understand the Burpsuite tool and its purpose during pentesting.

No answer needed

What extension is allowed after running the above exercise?

.phtml

While completing the above exercise, I have successfully downloaded the PHP reverse shell.

No answer needed

What is the name of the user who manages the webserver?

bill

What is the user flag?

8bd7992fbe8a6ad22a63361004cfcedb

On the system, search for all SUID files. Which file stands out?

/bin/systemctl

What is the root flag value?

a58ff8579f0a9270368d33a9966c7fd5


Video Walkthrough

,
Show Comments

MasterMind Study Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles