Vulnversity

Learn about active recon, web app attacks and privilege escalation.

PreviousTryHackMe

Last updated 1 year ago

Was this helpful?

Vulnversity

Learn about active recon, web app attacks and privilege escalation.

Link -

Task 1 - Deploy the machine

Click the start button in the task to start the target machine. It will start and show the machine IP in a minute on the top banner.

Task 2- Reconnaissance

Initial Scan of the machine

┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ nmap 10.10.157.204
Starting Nmap 7.94 ( https://nmap.org ) at xxxxxx IST
Nmap scan report for 10.10.157.204
Host is up (0.18s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3128/tcp open  squid-http
3333/tcp open  dec-notes

Nmap done: 1 IP address (1 host up) scanned in 16.04 seconds

Nmap Version Scan

┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ nmap -sV 10.10.157.204
Starting Nmap 7.94 ( https://nmap.org ) at xxxxx IST
Nmap scan report for 10.10.157.204
Host is up (0.18s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3128/tcp open  http-proxy  Squid http proxy 3.5.12
3333/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.06 seconds

Q. There are many Nmap "cheatsheets" online that you can use too.

Click Question Done.

Q. Scan the box; how many ports are open?

Q. What version of the squid proxy is running on the machine?

3.5.12 - from nmap scan with -sV

Q. How many ports will Nmap scan if the flag -p-400 was used?

400

Q. What is the most likely operating system this machine is running?

Ubuntu - in Service scan check SSH version details

Q. What port is the web server running on?

3333 - Check 'Apache' in nmap scan results

Q. What is the flag for enabling verbose mode using Nmap?

-v , check man page or info or help for nmap, -v for verbose, -V for version, vv for...

Task 3 Locating directories using Gobuster

Running Gobuster with dir mode on target

                                                                               
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ gobuster dir -u http://10.10.157.204:3333/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt --threads 200 -s 200,204,301,303,307,403 -b ""
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:            http://10.10.157.204:3333/
[+] Method:         GET
[+] Threads:        200
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
[+] Status codes:   200,204,301,303,307,403
[+] User Agent:     gobuster/3.5
[+] Timeout:        10s
===============================================================
2023/07/23 08:33:39 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 322] [--> http://10.10.157.204:3333/images/]
/css                  (Status: 301) [Size: 319] [--> http://10.10.157.204:3333/css/]
/js                   (Status: 301) [Size: 318] [--> http://10.10.157.204:3333/js/]
/fonts                (Status: 301) [Size: 321] [--> http://10.10.157.204:3333/fonts/]
/internal             (Status: 301) [Size: 324] [--> http://10.10.157.204:3333/internal/]
Progress: 3928 / 81644 (4.81%)

Q. What is the directory that has an upload form page?

/internal/

Task 4 Compromise the Webserver