Well, let’s dive in Vulnversity. This is a TryHackMe VM made for real beginners like me.
1st part : Recon
This first part is very easy as long as you just need nmap to answer the questions. I don’t remember using internet or the man command as long as I’m pretty familiar with nmap.
An aggressive scan with the whole default scripts is way sufficient to answer most of the questions.
2nd part : Enumeration
On the guidelines, you will be asked to use gobuster which I personally don’t find useful here. I took dirb and the common wordlist and it worked like a charm.
2.2 part : Personal research
I took a look at possible interesting files in this webserver and I found a backup of what seems to be the website’s database.
3rd part : Compromising the server
I didn’t follow the BurpSuite VM THM are proposing before doing this part because I already used this tool in the past. On the second hand, I never used the Intruder before, which was kinda new for me tho.
I don’t know what to say about this part as long as it’s automated by BurpSuite. Moreover, I didn’t know that PHTML was a tru extension when I put it into my payload… But it works and that rocks !
The username isn’t hard to find as long as there is only one user. (During these times do like him, stay at /home 😉 ).
4th part : Privesc (Stands for privilege escalation)
Here, we aren’t guided which I found very interesting. After looking at the hint, I started looking at magic binaries : SUID binaries. Here we have an interesting one : SystemCTL which permits to launch, stop and restart some services on the machine.
I found a very good article on Medium which permitted me to unlock the root flag. I’ve uploaded all the necessary stuff on my GitHub.
Once we are root, it’s a piece of cake to take the flag ^^.
Vulnversity took me about an hour to be solved which I think is over the average but it helped me a lot understanding SUID binaries exploitation.
If you’re a beginner, you should have a look at The Cod Caper too !
Don’t hesitate to share this blog post if you found it useful and leave a comment if you have remarks or questions ✓.