Vulnversity

Learn about active recon, web app attacks and privilege escalation.

Link - https://tryhackme.com/room/vulnversity

Task 1 - Deploy the machine

Click the start button in the task to start the target machine. It will start and show the machine IP in a minute on the top banner.

Task 2- Reconnaissance

Initial Nmap Scan of the machine

┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ nmap 10.10.157.204
Starting Nmap 7.94 ( https://nmap.org ) at xxxxxx IST
Nmap scan report for 10.10.157.204
Host is up (0.18s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3128/tcp open  squid-http
3333/tcp open  dec-notes

Nmap done: 1 IP address (1 host up) scanned in 16.04 seconds

Nmap Version Scan

┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ nmap -sV 10.10.157.204
Starting Nmap 7.94 ( https://nmap.org ) at xxxxx IST
Nmap scan report for 10.10.157.204
Host is up (0.18s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3128/tcp open  http-proxy  Squid http proxy 3.5.12
3333/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.06 seconds

Q. There are many Nmap "cheatsheets" online that you can use too.

Click Question Done.

Q. Scan the box; how many ports are open?

6 - From the default nmap scan above, 6 ports are open

Q. What version of the squid proxy is running on the machine?

3.5.12 - from nmap scan with -sV

Q. How many ports will Nmap scan if the flag -p-400 was used?

400

Q. What is the most likely operating system this machine is running?

Ubuntu - in Service scan check SSH version details

Q. What port is the web server running on?

3333 - Check 'Apache' in nmap scan results

Q. What is the flag for enabling verbose mode using Nmap?

-v , check man page or info or help for nmap, -v for verbose, -V for version, vv for...

Task 3 Locating directories using Gobuster

Running Gobuster with dir mode on target

                                                                               
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ gobuster dir -u http://10.10.157.204:3333/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt --threads 200 -s 200,204,301,303,307,403 -b ""
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:            http://10.10.157.204:3333/
[+] Method:         GET
[+] Threads:        200
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
[+] Status codes:   200,204,301,303,307,403
[+] User Agent:     gobuster/3.5
[+] Timeout:        10s
===============================================================
2023/07/23 08:33:39 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 322] [--> http://10.10.157.204:3333/images/]
/css                  (Status: 301) [Size: 319] [--> http://10.10.157.204:3333/css/]
/js                   (Status: 301) [Size: 318] [--> http://10.10.157.204:3333/js/]
/fonts                (Status: 301) [Size: 321] [--> http://10.10.157.204:3333/fonts/]
/internal             (Status: 301) [Size: 324] [--> http://10.10.157.204:3333/internal/]
Progress: 3928 / 81644 (4.81%)

Q. What is the directory that has an upload form page?

/internal/

Task 4 Compromise the Webserver

PreviousTryHackMe

Last updated 2 years ago

hashtagTask 1 - Deploy the machine

hashtagTask 2- Reconnaissance

hashtagQ. There are many Nmap "cheatsheets" online that you can use too.

hashtagQ. Scan the box; how many ports are open?

hashtagQ. What version of the squid proxy is running on the machine?

hashtagQ. How many ports will Nmap scan if the flag -p-400 was used?

hashtagQ. What is the most likely operating system this machine is running?

hashtagQ. What port is the web server running on?

hashtagQ. What is the flag for enabling verbose mode using Nmap?

hashtagTask 3 Locating directories using Gobuster

hashtagQ. What is the directory that has an upload form page?

hashtagTask 4 Compromise the Webserver