Jack – TryHackMe
https://tryhackme.com/room/jack
Summary
- exploit Wordpress web server
- gain user shell
- use Python to escalate to root
Tools Used
- nmap
- wpscan
- python
- pspy
Link: https://tryhackme.com/room/25daysofchristmas
Get started with Cyber Security in 25 Days – Learn the basics by doing a new, beginner friendly security challenge every day leading up to Christmas
/etc/shadow
without needing /etc/passwd.
grep -Ril "text"
(recursive, case-insensitive, print only the names of matching files)
grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" file.txt
(pull IPv4-looking strings out of a file; the pattern does not check that each octet is 0-255)
find / -name "*.bak" 2>/dev/null
(quote the pattern so the shell does not expand *.bak against the current directory before find runs)
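Added example (not from the room or the original notes): the same loose IPv4 pattern as the grep -E -o one-liner above, run in Python over a few constructed log lines beside a stricter pattern, to show what the loose pattern over-reports (out-of-range octets, dotted version strings) and how to tighten it. The sample text is made up.

```python
import re

# Same pattern as the grep -E -o one-liner: four 1-3 digit groups joined by dots.
LOOSE_IP = re.compile(r"([0-9]{1,3}[\.]){3}[0-9]{1,3}")

# Tighter version: each octet 0-255, and the address must not be glued to
# further digits or dots (so "1.2.3.4.5" or a trailing ".300" is not reported).
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
STRICT_IP = re.compile(r"(?<![\d.])(?:" + OCTET + r"\.){3}" + OCTET + r"(?![\d.])")


def loose_ips(text):
    """What grep -E -o prints: every substring shaped like d.d.d.d, in order."""
    return [m.group(0) for m in LOOSE_IP.finditer(text)]


def strict_ips(text):
    """Only syntactically valid, stand-alone IPv4 addresses, de-duplicated in order."""
    seen = []
    for m in STRICT_IP.finditer(text):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


# Constructed sample lines (not real log data).
SAMPLE = """\
10.10.14.22 - - [03/Dec/2019:10:01:02] "GET /index.php HTTP/1.1" 200
192.168.1.300 tried to connect (invalid octet, should be skipped)
build 1.2.3.4.5 deployed
client 10.10.14.22 again, and 8.8.8.8
"""

if __name__ == "__main__":
    print("loose :", loose_ips(SAMPLE))
    print("strict:", strict_ips(SAMPLE))
```

The strict pattern is still only a syntax check; whether an address is routable, private, or interesting is a separate filter.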
find
If a binary such as find is SUID or otherwise running as another user, you can usually use -exec to run something as that user, e.g.: find /home/igor -name flag1.txt -exec cat /home/igor/flag1.txt \;
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
(list root-owned SUID binaries; {} is replaced by each matching path)
struts2_content_type_ognl
exploit via MSF; configure hosts, ports, and path (path = "").
nmap -A $IP -oA <filename>
ftp
to log in and retrieve the file and credentials.
showmount -e $IP
to check whether NFS is exported and which directory path.
cd /tmp && mkdir thm-nfs-11
sudo mount $IP:/opt/files thm-nfs-11
mycli
to connect to the MySQL database.
mycli -h $IP -P 3306 -u root
show databases;
use data;
show tables;
SELECT * FROM USERS;
(single quotes around USERS would make it a string literal rather than a table name; use backticks or no quotes)
1) md5sum
2) gpg --decrypt note1.txt.gpg
with supplied passphrase
3a) Decrypt the private RSA key first with the supplied passphrase: openssl rsa -in private.key -out test.key
3b) Then use openssl rsautl -decrypt -inkey test.key -in note2_encrypted.txt -out note2_decrypted.txt
to obtain the decrypted note. (rsautl is deprecated since OpenSSL 3.0; openssl pkeyutl -decrypt -inkey test.key -in note2_encrypted.txt -out note2_decrypted.txt is the replacement.)
bucketname.s3.amazonaws.com
or bucketname.s3.region-name.amazonaws.com (virtual-hosted style; path style is s3.region-name.amazonaws.com/bucketname)
bucketname.s3.region-name.amazonaws.com/file-name
Encode / as %2F to get past filters that check the raw URL for a literal slash before decoding, e.g. http://host/get-file/%2fetc%2fpasswd