From fd4447a0b6c8e069d38178efadc77d58bde0fb2b Mon Sep 17 00:00:00 2001
From: AbdullahRizwan101 <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Thu, 10 Dec 2020 03:33:48 +0500
Subject: [PATCH] Add files via upload
---
TryHackMe/All_In_One.md | 118 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 118 insertions(+)
create mode 100644 TryHackMe/All_In_One.md
diff --git a/TryHackMe/All_In_One.md b/TryHackMe/All_In_One.md
new file mode 100644
index 0000000..aa35e73
--- /dev/null
+++ b/TryHackMe/All_In_One.md
@@ -0,0 +1,118 @@
+# TryHackMe-All In One
+
+## NMAP
+
+```
+Nmap scan report for 10.10.6.115 [3/26]
+Host is up (0.45s latency).
+Not shown: 997 closed ports
+PORT STATE SERVICE VERSION
+21/tcp open ftp vsftpd 3.0.3
+|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
+| ftp-syst:
+| STAT:
+| FTP server status:
+| Connected to ::ffff:10.2.54.209
+| Logged in as ftp
+| TYPE: ASCII
+| No session bandwidth limit
+| Session timeout in seconds is 300
+| Control connection is plain text
+| Data connections will be plain text
+| At session startup, client count was 2
+| vsFTPd 3.0.3 - secure, fast, stable
+|_End of status
+22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 2048 e2:5c:33:22:76:5c:93:66:cd:96:9c:16:6a:b3:17:a4 (RSA)
+| 256 1b:6a:36:e1:8e:b4:96:5e:c6:ef:0d:91:37:58:59:b6 (ECDSA)
+|_ 256 fb:fa:db:ea:4e:ed:20:2b:91:18:9d:58:a0:6a:50:ec (ED25519)
+80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
+|_http-server-header: Apache/2.4.29 (Ubuntu)
+|_http-title: Apache2 Ubuntu Default Page: It works
+Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 48.55 seconds
+
+```
+
+## PORT 21 (FTP)
+
+
+
+There wasn't anythin on ftp so this was a rabbit hole
+
+## PORT 80
+
+Visting the web page we don't find that much than a default apache web page
+
+
+
+Now on ruuning `gobuster` we can find a directory `wordpress` and `hackathons`
+
+
+
+
+
+On ruuning `wpscan` for finding any users
+
+
+
+We find `elyana` as a registered user on `wordpress`
+
+
+
+For finiding the plugins that this wordpress is using
+
+
+
+
+
+`mail-masta` and `reflex-gallery` are the two plugins that this wordpress is using
+
+That's all we can find on the `wordpress` directory let's see if there is anything on `hackathons`
+
+
+
+Looking at the source code
+
+
+
+We find some ecnrypted text and after trying different encryption techniques we found that this a `vigenere encoded text`
+
+
+
+
+
+We logged in with the password `H@ckme@123` removing `Try` from it ( :
+
+Now we can edit the 404 page on theme `Twenty Twenty`
+
+
+
+Pasting a php reverse shell from pentestmonkey
+
+
+
+Then setup a netcat listener
+
+
+
+Running a `find` command to look for files for user `elyana`
+
+
+
+
+
+Here elyana is in groups `sudo` and `lxd` , so lxd may have privilege escalation technique
+
+Checking for `sudo -l`
+
+We 'll find that we can run `socat` as root
+
+
+
+
+
+
+
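Review bot: from `## PORT 21 (FTP)` to the end of the file, almost every step is followed only by empty `+` lines, so the output the prose points at (the `gobuster`, `wpscan`, `find` and `sudo -l` results, and the source of the page under `hackathons`) is not in the file and the steps cannot be followed or checked. Please include the relevant command lines and trimmed output as fenced blocks, as the NMAP section already does, or restore the image references if screenshots were intended. The Vigenère step gives neither the ciphertext, the key nor the decoded string, so "removing `Try` from it" has nothing to refer to, and a Vigenère cipher is better described as encrypted than as "encoded text". The write-up also stops at "We 'll find that we can run `socat` as root" followed by six empty lines, and the `lxd` group remark is never followed up; either finish both paths or state which one was used. Smaller points: typos in "anythin", "Visting", "ruuning" (twice), "finiding" and "ecnrypted"; the stray `[3/26]` at the end of the first Nmap line looks like terminal residue; and the subject "Add files via upload" does not say what the commit adds.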