Vulnversity
Learn about active recon, web app attacks and privilege escalation.
| Room Attributes | Value |
|---|---|
| Subscription Required | False [Free] |
| Type | Walkthrough |
| Difficulty | Easy |
| Tags | Recon, PrivEsc, WebAppSec, Video |
Task 1 - Deploy the machine
Deploy the machine
No answer needed
Task 2 - Reconnaissance
There are many nmap "cheatsheets" online that you can use too.
No answer needed
Scan the box, how many ports are open?
What version of the squid proxy is running on the machine?
How many ports will nmap scan if the flag -p-400 was used?
Using the nmap flag -n what will it not resolve?
HINT: IP to hostname
What is the most likely operating system this machine is running?
HINT: Run nmap with the -O flag
What port is the web server running on?
It's important to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (each of which can be a point of exploitation) is very important. Don't forget that ports in a higher range might be open, so always scan ports above 1000 as well (even if you leave that scan running in the background).
No answer needed
Task 3 - Locating directories using GoBuster
Now let's run GoBuster with a wordlist: gobuster dir -u http://<ip>:3333 -w <word list location>
No answer needed
What is the directory that has an upload form page?
Task 4 - Compromise the webserver
Try uploading a few file types to the server. What common extension seems to be blocked?
To identify which extensions are not blocked, we're going to fuzz the upload form. To do this, we're going to use BurpSuite. If you are unsure what BurpSuite is, or how to set it up, please complete our BurpSuite room first.
No answer needed
Run this attack, what extension is allowed?
Upload your shell and navigate to http://<ip>:3333/internal/uploads/php-reverse-shell.phtml. You should see a connection on your netcat session.
No answer needed
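The upload form in this task blocks the .php extension but lets .phtml through, which a PHP-enabled web server still executes. The following is an added example, not code from the room or from TryHackMe, showing why a blocklist fails and what an allowlist check looks like. The set of PHP-handled extensions and the sample filenames are constructed assumptions for this example; check your own server's handler configuration (AddHandler / FilesMatch) before relying on any list.

```python
import os
import re

# Extensions that a typical Apache + mod_php configuration hands to the PHP interpreter.
# Constructed for this example; verify against your own server's handler config.
PHP_EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "pht"}

# What the room's upload form effectively does: block a single extension.
BLOCKLIST = {"php"}

# What a hardened form should do: allow only the extensions the application needs.
ALLOWLIST = {"png", "jpg", "jpeg", "gif", "pdf"}

# Plain ASCII stem, no dots, bounded length: keeps double extensions and path tricks out.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def extension_of(filename: str) -> str:
    """Return the final extension, lower-cased and without the dot ('' if there is none)."""
    _, ext = os.path.splitext(os.path.basename(filename))
    return ext.lstrip(".").lower()


def blocklist_allows(filename: str) -> bool:
    """Weak check: rejects only extensions explicitly named in BLOCKLIST."""
    return extension_of(filename) not in BLOCKLIST


def allowlist_allows(filename: str) -> bool:
    """Hardened check: the extension must be allowlisted and the stem must be plain ASCII."""
    stem, _ = os.path.splitext(os.path.basename(filename))
    return extension_of(filename) in ALLOWLIST and SAFE_STEM.match(stem) is not None


def would_execute(filename: str) -> bool:
    """Would a PHP-enabled server run this file if it landed in a web-served directory?"""
    return extension_of(filename) in PHP_EXECUTABLE_EXTS


def blocklist_gaps(filenames):
    """Names the blocklist accepts even though the server would execute them."""
    return [n for n in filenames if blocklist_allows(n) and would_execute(n)]


def allowlist_gaps(filenames):
    """Names the allowlist accepts that the server would execute (should always be empty)."""
    return [n for n in filenames if allowlist_allows(n) and would_execute(n)]


# Constructed sample uploads, not taken from the room.
SAMPLE_UPLOADS = [
    "avatar.png",
    "report.pdf",
    "shell.php",
    "shell.phtml",
    "shell.PHTML",
    "shell.phar",
    "shell.png.phtml",
    "../../etc/passwd",
]

if __name__ == "__main__":
    for name in SAMPLE_UPLOADS:
        print(f"{name:20} blocklist={blocklist_allows(name)!s:5} "
              f"allowlist={allowlist_allows(name)!s:5} executes={would_execute(name)}")
    print("blocklist gaps:", blocklist_gaps(SAMPLE_UPLOADS))
    print("allowlist gaps:", allowlist_gaps(SAMPLE_UPLOADS))
```

The blocklist gap list is exactly the class of file the fuzzing step in this task discovers. Storing uploads outside the web root, or serving the upload directory with PHP execution disabled, closes the same hole independently of the filename check.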
What is the name of the user who manages the webserver?
What is the user flag?
HINT: The contents of the file /home/bill/user.txt
Task 5 - Privilege Escalation
On the system, search for all SUID files. What file stands out?
HINT: Use the command: find / -user root -perm -4000 -exec ls -ldb {} \;
It's challenge time! We have guided you this far; are you able to exploit this system further to escalate your privileges and get the final answer? Become root and get the last flag (/root/root.txt).
HINT: /bin/systemctl
Find a directory that www-data can write to:
Create a root.service file on your attack machine:
Get the target to listen for a connection to receive and write the root.service file to /tmp:
Send the file from your attack machine to the target:
Then start a new listener to capture the root reverse shell:
Execute the payload:
Catch the root reverse shell on your attack machine:
Read the root flag:
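The weakness in this task is a binary (/bin/systemctl) that has the SUID bit set and is owned by root without any reason to be. The following is an added example, not part of the room or TryHackMe's material, showing the defender-side counterpart of the find command in the hint: enumerate SUID-root files and report anything not in a known-good baseline. The baseline set and the sample entries are constructed assumptions; build the real baseline from a clean install of the same image and keep it under change control.

```python
import os
import stat

# Baseline of SUID-root binaries expected on a stock Ubuntu-style host.
# Constructed for this example; derive yours from a clean build of the same image.
EXPECTED_SUID = {
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/umount",
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/passwd", "/usr/bin/pkexec", "/usr/bin/sudo",
    "/usr/lib/openssh/ssh-keysign",
}

# Pseudo-filesystems that a filesystem walk should not descend into.
SKIP_PREFIXES = ("/proc", "/sys", "/dev", "/run")


def is_suid_root(mode: int, uid: int) -> bool:
    """True when the setuid bit is set and the owner is root (uid 0), i.e. -perm -4000 -user root."""
    return bool(mode & stat.S_ISUID) and uid == 0


def classify(entries, expected=EXPECTED_SUID):
    """entries: iterable of (path, st_mode, st_uid).

    Returns (all SUID-root paths, the subset that is not in the baseline)."""
    suid_root = {path for path, mode, uid in entries if is_suid_root(mode, uid)}
    return suid_root, suid_root - set(expected)


def walk_filesystem(root="/"):
    """Yield (path, st_mode, st_uid) for every regular file under root, skipping pseudo-filesystems.

    This is the live equivalent of: find / -user root -perm -4000 (the filter is applied in classify)."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if dirpath.startswith(SKIP_PREFIXES):
            dirnames[:] = []          # prune this subtree
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode, st.st_uid


def audit_live(root="/", expected=EXPECTED_SUID):
    """Walk the real filesystem and return the unexpected SUID-root files, sorted."""
    _, unexpected = classify(walk_filesystem(root), expected)
    return sorted(unexpected)


# Constructed sample entries mirroring the room's box: (path, mode, uid).
# 0o104755 = regular file, rwsr-xr-x; 0o100755 = regular file, rwxr-xr-x.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755, 0),     # expected SUID root
    ("/usr/bin/sudo",   0o104755, 0),     # expected SUID root
    ("/bin/systemctl",  0o104755, 0),     # SUID root, not in baseline: the finding
    ("/usr/bin/python3", 0o100755, 0),    # root-owned but not SUID
    ("/home/bill/tool", 0o104755, 1000),  # SUID but owned by a normal user, not root
]

if __name__ == "__main__":
    found, unexpected = classify(SAMPLE_ENTRIES)
    print("SUID root files:", sorted(found))
    print("NOT in baseline:", sorted(unexpected))
```

Run audit_live() from a scheduled job or a configuration-management check and alert on a non-empty result; a newly SUID /bin/systemctl is the kind of change that should never pass silently. The fix on the box itself is simply to remove the bit (chmod u-s) and find out how it was set in the first place.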