Vulnversity
Learn about active recon, web app attacks and privilege escalation.
Link - https://tryhackme.com/room/vulnversity
Task 1 - Deploy the machine
Click the start button in the task to start the target machine. It will start and show the machine IP in a minute on the top banner.
Task 2- Reconnaissance
Initial Nmap Scan of the machine
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ nmap 10.10.157.204
Starting Nmap 7.94 ( https://nmap.org ) at xxxxxx IST
Nmap scan report for 10.10.157.204
Host is up (0.18s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3128/tcp open squid-http
3333/tcp open dec-notes
Nmap done: 1 IP address (1 host up) scanned in 16.04 seconds
Nmap Version Scan
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ nmap -sV 10.10.157.204
Starting Nmap 7.94 ( https://nmap.org ) at xxxxx IST
Nmap scan report for 10.10.157.204
Host is up (0.18s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3128/tcp open http-proxy Squid http proxy 3.5.12
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.06 seconds
Q. There are many Nmap "cheatsheets" online that you can use too.
Click Question Done.
Q. Scan the box; how many ports are open?
6 - From the default nmap scan above, 6 ports are open
Q. What version of the squid proxy is running on the machine?
3.5.12 - from nmap scan with -sV
Q. How many ports will Nmap scan if the flag -p-400 was used?
400
Q. What is the most likely operating system this machine is running?
Ubuntu - in Service scan check SSH version details
Q. What port is the web server running on?
3333 - Check 'Apache' in nmap scan results
Q. What is the flag for enabling verbose mode using Nmap?
-v , check man page or info or help for nmap, -v for verbose, -V for version, vv for...
Task 3 Locating directories using Gobuster
Running Gobuster with dir mode on target
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ gobuster dir -u http://10.10.157.204:3333/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt --threads 200 -s 200,204,301,303,307,403 -b ""
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.157.204:3333/
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
[+] Status codes: 200,204,301,303,307,403
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/07/23 08:33:39 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 322] [--> http://10.10.157.204:3333/images/]
/css (Status: 301) [Size: 319] [--> http://10.10.157.204:3333/css/]
/js (Status: 301) [Size: 318] [--> http://10.10.157.204:3333/js/]
/fonts (Status: 301) [Size: 321] [--> http://10.10.157.204:3333/fonts/]
/internal (Status: 301) [Size: 324] [--> http://10.10.157.204:3333/internal/]
Progress: 3928 / 81644 (4.81%)Q. What is the directory that has an upload form page?
/internal/
Task 4 Compromise the Webserver
Last updated
Was this helpful?