🌺
tryhackme notes
  • 🌺TryHackMe Profile Link
  • Learning Paths
    • 🌺CompTIA PenTest+
      • 🍡Intro to Offensive Security
      • 🍡Penetration Testing Tools
        • 🍡Nmap
          • 🍡Nmap Switches
          • 🍡Overview
          • 🍡TCP Connect Scans
          • 🍡SYN Scans
          • 🍡UDP Scans
          • 🍡NULL, FIN, Xmas Scans
          • 🍡Working with the NSE
          • 🍡Practical
        • 🍡Burp Suite
          • 🍡Introduction
          • 🍡Site Map and Issue Definitions
        • 🍡Metasploit
          • 🍡Introduction
          • 🍡Working with Modules
        • 🍡Nessus
          • 🍡Introduction
          • 🍡Scanning!
          • 🍡Scanning a Web Application!
        • 🍡Hydra
          • 🍡Introduction
          • 🍡Using Hydra
      • 🍡Application-based Vulnerabilites
        • 🍡OWASP Top 10
          • 🍡[Severity 1] Command Injection
          • 🍡[Severity 2] Broken Authentication
          • 🍡[Severity 3] Sensitive Data Exposure
          • 🍡[Severity 4] XML External Entity
          • 🍡[Severity 5] Broken Access Control
          • 🍡[Severity 6] Security Misconfiguration
        • 🍡Vulnversity
      • 🍡Local-host Vulnerabilities
      • 🍡Network-based Vulnerabilites
    • 🌺Web Fundamentals
      • 🌺Introduction to Web Hacking
        • 🍡Walking an Application
      • 🌺Pickle Rick
  • Modules
    • 🌺Linux Fundamentals
      • 🍡Linux Fundamentals Part 1
        • 🍡Searching for Files
      • 🍡Linux Fundamentals Part 3
        • 🍡Processes 101
    • 🌺Introduction to Penetration Testing
      • 🍡Pentesting Fundamentals
        • 🍡Penetration Testing Methodologies
          • 🍡Black Box, White Box, Grey Box Penetration Testing
      • 🍡Principals of Security
        • 🍡The CIA Triad
        • 🍡Principles of Privilege
        • 🍡Security Models Continued
        • 🍡Threat Modelling & Incident Response
    • 🌺Introduction to Cyber Security
    • 🌺Pre Security
    • 🌺John the Ripper
  • Rooms
    • 🍡Basic Pentesting
    • 🍡OhSINT
    • 🌸Sakura Room
    • 😼dogcat
Powered by GitBook
On this page
  1. Learning Paths
  2. CompTIA PenTest+
  3. Application-based Vulnerabilites

Vulnversity

A box exploring the topics of active recon, web app attacks, and privilege escalation.

Previous[Severity 6] Security MisconfigurationNextLocal-host Vulnerabilities

Last updated 1 year ago

Reconnaissance

This room first tasks us with performing an nmap scan on the deployed box. Using the command, nmap -sV 10.10.38.68 from my Kali box, I can see that there are 6 open ports.

Some more information we can gather from this scan is that the box is running squid proxy version 3.5.12.

The command -p-400 will scan the first 400 ports.

To find the OS, I used the same command as before but added a -A switch which enables OS detection.

From the results, we can see that it its likely that the box is running Ubuntu Linux.

The web server is running on port 3333 as seen by the Apache service running on that port, and we can see that the http-title is Vuln University.

To enable verbose mode on nmap, we can use the -V switch.

Gobuster

We can use gobuster to quickly enumerate the hidden directories on a web server using brute force.

Using the "subdomains.lst" wordlist, I was able to use the command "gobuster dir -u http://10.10.38.68:3333 -w Desktop/wordlists/amass/subdomains.lst" and find 4 different subdomains hosted.

The 4 subdomains found in the results were /css, /images, /internal, /js. From looking at the domains hosted, we can see that /internal/ is the page with an upload page.

Compromising the Web Server

The file type blocked by the website is .php, .phtml is not blocked. This means we can use .phtml to start the payload.

🌺
🍡
🍡
nmap -sV 10.10.38.68
-sV 10.10.38.68 -A
gobuster dir -u http://10.10.38.68:3333 -w Desktop/wordlists/amass/subdomains.lst