# Vulnversity

**Reconnaissance**

This room first tasks us with performing an nmap scan on the deployed box. Running `nmap -sV 10.10.38.68` from my Kali box, I can see that there are 6 open ports.

<figure><img src="https://618011075-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9sSHX9Ko3IU7Hcot2eC8%2Fuploads%2FuWHR5CM2bNmAEqjhH25k%2F1.PNG?alt=media&#x26;token=547c9cac-cab1-4efd-8c1f-2807c63b4e77" alt=""><figcaption><p>nmap -sV 10.10.38.68</p></figcaption></figure>

Some more information we can gather from this scan is that the box is running Squid proxy version 3.5.12.

The `-p-400` switch will scan the first 400 ports.

To find the OS, I used the same command as before but added the `-A` switch, which enables OS detection.

<figure><img src="https://618011075-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9sSHX9Ko3IU7Hcot2eC8%2Fuploads%2F9hXbWhrH0sLbsBCo28zs%2F2.PNG?alt=media&#x26;token=b01e7148-af35-4801-afd4-d915208566cf" alt=""><figcaption><p>-sV 10.10.38.68 -A</p></figcaption></figure>

From the results, we can see that it is likely that the box is running Ubuntu Linux.

The web server is running on port 3333, as seen by the Apache service on that port, and we can see that the http-title is Vuln University.

To enable verbose mode on nmap, we can use the -V switch.

**Gobuster**

We can use gobuster to quickly enumerate hidden directories on a web server by brute force.

Using the "subdomains.lst" wordlist, I ran `gobuster dir -u http://10.10.38.68:3333 -w Desktop/wordlists/amass/subdomains.lst` and found 4 different subdomains hosted.

<figure><img src="https://618011075-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9sSHX9Ko3IU7Hcot2eC8%2Fuploads%2FBm0XSSFOdVvkMTDhpwQF%2F3.PNG?alt=media&#x26;token=af08b635-bc63-464e-b138-e8c2b3aff25d" alt=""><figcaption><p>gobuster dir -u http://10.10.38.68:3333 -w Desktop/wordlists/amass/subdomains.lst</p></figcaption></figure>

The 4 subdomains found in the results were /css, /images, /internal and /js. Looking at each of them, we can see that /internal/ hosts an upload page.

**Compromising the Web Server**

The file type blocked by the website is .php, but .phtml is not blocked. This means we can use .phtml for the payload.
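From the defender's side, this gap exists because the upload form uses a denylist: it names only .php, while Apache's stock PHP module configuration also hands .phtml to the PHP handler. The following is an added illustration (not the room's server code) that models the weak check next to an allowlist check and shows how each treats the same filenames; the extension sets and sample names are constructed for the example.

```python
from pathlib import PurePosixPath

# Denylist as the room describes it: the upload form rejects ".php" only.
# Constructed to mirror the observed behaviour, not taken from the room's code.
BLOCKED_EXTENSIONS = {".php"}

# Hardened alternative: an allowlist of the extensions the upload feature
# actually needs. Anything not listed is rejected, so a handler-mapped
# extension the denylist forgot is never accepted.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def denylist_allows(filename: str) -> bool:
    """Reproduce the weak check: accept unless the final suffix is blocked."""
    return PurePosixPath(filename).suffix.lower() not in BLOCKED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """Hardened check: exactly one suffix, compared case-insensitively
    against the allowlist, after stripping any directory component."""
    name = PurePosixPath(filename).name
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    return len(suffixes) == 1 and suffixes[0] in ALLOWED_EXTENSIONS


def compare(filenames):
    """Return {filename: (denylist_result, allowlist_result)} for a batch."""
    return {f: (denylist_allows(f), allowlist_allows(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample uploads: a legitimate image, the blocked extension,
    # and the extension the writeup found was not blocked.
    for name, (weak, strong) in compare(
        ["photo.jpg", "shell.php", "shell.phtml"]
    ).items():
        print(f"{name:12} denylist={'accept' if weak else 'reject'} "
              f"allowlist={'accept' if strong else 'reject'}")
```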
