GeorgeBanu

KoTH Hackers


Last updated 1 year ago

Lab Setup

mkdir ~/Documents/TryHackMe/koth
cd ~/Documents/TryHackMe/koth
mkdir recon enumeration notes
touch notes/{README.md,creds,vulns}

export IP=10.10.157.94
export URL=http://$IP

Enumeration

Upon obtaining an IP address, my initial step involves conducting a comprehensive scan of the targeted machine for open ports, employing both rustscan and nmap.

Access the FTP server with the default user and you will see two files (always remember to use -a when listing, because otherwise you might miss some info).

Found 2 users. After I tried to enumerate the HTTP port I got nothing, so I came back to the FTP users. Brute force the login password for each user and you will get the passwords for both. Keep in mind that the passwords are changed every time you deploy the machine, so you need to do this on your own.

hydra -l "username" -P ~/Documents/rockyou.txt $IP ftp 

Note: My path to the rockyou.txt wordlist is ~/Documents, so it might differ on your attack machine.

On the FTP server you will get two more flags and some info for getting access to this machine. Try to log in over SSH as the rccambell user with the same password as for FTP, and it succeeds. When you get the password for the other user, you can log in, and in the home directory you will find an id_rsa key to connect with SSH.

I found a vulnerability when I got access to the gcrawford user.

Look up on GTFOBins how to use that to get root access.

sudo /bin/nano /home/gcrawfor/businness.txt 
^R ^X
reset; sh 1>&0 2>&0

I didn't find all nine flags, but once you have root access you can search for them.
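
From the defender's side, the sudo rule used above is the kind of entry a sudoers audit should catch. The following is an added example, not part of the original writeup: it scans sudoers-style lines for commands whose program can start a shell from inside. The sample rules, user names, paths and the short program list are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag sudoers rules that run a program with a built-in
# shell escape as another user. Aliases and escaped commas are not handled.

# Short, non-exhaustive list chosen for this example (see GTFOBins for more).
ESCAPABLE="nano vi vim less more man"

# Constructed sample rules; user names and paths are hypothetical.
sample_sudoers() {
  cat <<'EOF'
# constructed sample, not taken from the lab machine
Defaults env_reset
alice ALL=(root) NOPASSWD: /bin/nano /home/alice/notes.txt
bob   ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/less /var/log/syslog
carol ALL=(root) sudoedit /etc/motd
EOF
}

# Reads sudoers lines on stdin, prints "user<TAB>command" per risky command.
audit_sudoers() {
  awk -v list="$ESCAPABLE" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
    # Skip comments, blank lines, Defaults, alias definitions, non-rules.
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*Defaults/ || /_Alias/ || !/=/ { next }
    {
      user = $1
      spec = substr($0, index($0, "=") + 1)
      m = split(spec, cmds, ",")
      for (i = 1; i <= m; i++) {
        cmd = cmds[i]
        sub(/^[ \t]*(\([^)]*\))?[ \t]*/, "", cmd)   # drop "(runas)"
        while (sub(/^[A-Z_]+:[ \t]*/, "", cmd)) ;   # drop tags like NOPASSWD:
        sub(/[ \t]+$/, "", cmd)
        split(cmd, w, /[ \t]+/)                     # w[1] is the program path
        k = split(w[1], p, "/")                     # p[k] is its basename
        if (k > 0 && (p[k] in risky)) printf "%s\t%s\n", user, cmd
      }
    }'
}

sample_sudoers | audit_sudoers
```

A rule like the constructed one for carol, which uses sudoedit, lets a user edit one file without running the editor itself as root.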