Chill Hack

Room Link: https://tryhackme.com/room/chillhack

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found.

Kali

TCP/80 - HTTP

Kali

A lot of the commands I ran resulted in this page.

Command Injection

I used the reference below to find a way to bypass the filter. By adding a \ in the middle of the first command, it treats the command as a new line, so it allows us to run any command we want.

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection

Web

Kali

Victim

Victim

Victim(apaar)

Victim(apaar)

Pivot

Kali

Victim

Kali

proxychains.conf

Kali

I can now see the webpage from Kali but have no login credentials to use.

Found credentials for MySQL in one of the PHP files.

Victim(apaar)

Victim(apaar)

Victim(mysql)

Both sets of credentials work on the login page, and both bring up this page.

Used no password

Kali

Cracking Password Protected Zip Files

Kali

Kali

Kali

Victim(apaar)

Privilege Escalation

anurodh is a part of the docker group, which the other user was not a part of. Looking at GTFOBins, there's a way to get a shell, so I tried it and got root.

Link: https://gtfobins.github.io/gtfobins/docker/#shell

Victim(anurodh)
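Membership in the docker group is root-equivalent, which is why the step above worked. As an added example (not part of the original write-up), this Python audit lists every non-root account in that group, including accounts that hold it only as their primary GID; the sample files, the IDs and the svc_build account are constructed.

```python
# Constructed sample files for the demo. User names follow the room; the
# UIDs/GIDs and the "svc_build" account are made up for illustration.
SAMPLE_GROUP = """\
root:x:0:
docker:x:999:anurodh
apaar:x:1001:
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apaar:x:1001:1001::/home/apaar:/bin/bash
anurodh:x:1002:1002::/home/anurodh:/bin/bash
svc_build:x:1003:999::/home/svc_build:/usr/sbin/nologin
"""


def docker_equivalent_root(group_text, passwd_text, group_name="docker"):
    """Return the sorted non-root accounts that belong to group_name.

    Covers supplementary members (listed in the group file) and accounts
    whose primary GID is the group's GID, which the group file omits.
    """
    gid, members = None, set()
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[0] == group_name:
            gid = fields[2]
            members.update(m for m in fields[3].split(",") if m)
    if gid is None:
        return []  # the group does not exist on this host
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[3] == gid:
            members.add(fields[0])
    members.discard("root")
    return sorted(members)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # e.g. /etc/group /etc/passwd
        with open(sys.argv[1]) as g, open(sys.argv[2]) as p:
            found = docker_equivalent_root(g.read(), p.read())
    else:
        found = docker_equivalent_root(SAMPLE_GROUP, SAMPLE_PASSWD)
    for user in found:
        print(f"{user}: docker group member, treat as root-equivalent")
```

Run it with the paths to a host's group and passwd files as the two arguments; with no arguments it uses the constructed sample.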
