# TryHackMe-Bad Byte

## Rustscan

```text
rustscan -a -- -A -sC -sV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open
Open

PORT      STATE SERVICE REASON         VERSION
22/tcp    open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f3:a2:ed:93:4b:9c:bf:bb:33:4d:48:0d:fe:a4:de:96 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9/A7kkuN5E+SS1C6w1NfeY196Rj4Y1Yx7njNCwNaCgIv8m+V+7MTHsRn3txLXRTHXErMqW3ypCmmjuY3O40kAragZSgA/XhdesGxGVa0szHK7H4fB28uQiyZgkOfIt/12kGaHB3iGwOeex2Hdg6ct4FdxTWKgDvuKZSLVoPXG66R8SOHql2cXfUtzyUMNJTTqoUED69soEJVG2ctfPKXi4BfFqM3OK2HgKzbmcSPXlLUTNhlcvjPuTa0kMRqiNTMVdP0PjSFdoaMviXHiznW7Fn6NHe3R/vIQt8Ac05Mdvim21QjRpJ4pm7v5+q1wXCJxGG6Ov71yThKP6yZ4ByMl
|   256 22:72:00:36:eb:37:12:9f:5a:cc:c2:73:e0:4f:f1:4e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM9QUKykbzCSI7+PgoVzHNKOVIWf+zm0LN/f4n0VJc/P0J9TzLImkYHIOCnRFpNUPtiWGXbHXi67FQxEpgZMReo=
|   256 78:1d:79:dc:8d:41:f6:77:60:65:f5:74:b6:cc:8b:6d (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrvf1zJBhqU1RxUCYuTgoIy+7NzCqZeFWV67bt8+APV
30024/tcp open  ftp     syn-ack ttl 63 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp          1743 Mar 23 20:03 id_rsa
|_-rw-r--r--    1 ftp      ftp            78 Mar 23 20:09 note.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
```

Two ports are open: 22 (SSH) and 30024 (FTP).

## PORT 30024 (FTP)

Anonymous login is allowed, and the share holds an `id_rsa` and a `note.txt`. The note reads:

```text
I always forget my password. Just let me store an ssh key here.
- errorcauser
```

So `errorcauser` is probably a username, and since we have his private key we can try to SSH in with it.

## PORT 22 (SSH)

As soon as we try to log in with the private key we find that it is protected with a passphrase. So we use `ssh2john` to turn the key into a hash that we can crack with `john` (John the Ripper) or `hashcat`.

The hash cracks and gives us the passphrase, so we can log in as `errorcauser`. Once in, we see another note which tells us that a web server is running on a local port.

Neither `ss` nor `netstat` is installed, so we create a SOCKS proxy through SSH and check which local ports are open from our own machine. Log in again with dynamic port forwarding: `ssh errorcauser@ -i id_rsa -D 1337`

Then add the socks5 proxy to `/etc/proxychains.conf` and run a TCP scan on localhost through it (a SOCKS proxy can only relay full TCP connections, so the scan has to be a connect scan).

Two more ports show up, 80 and 3306, so let's look at what is running on port 80. Add the proxy with the `FoxyProxy` extension, or configure the browser's proxy settings by hand.

Using `wpscan` I enumerated the users. For some reason `wpscan` wasn't listing the WordPress plugins, so I used the Nmap scripting engine (NSE) instead. This is the script I used to enumerate plugins; note the `search-limit` argument, which makes the script check up to 1500 entries from its plugin list:

```text
proxychains nmap -sT -p 80 --script http-wordpress-enum --script-args search-limit=1500 127.0.0.1
```

This finds two plugins in use on the WordPress site, and both have exploits on `exploit-db`:

### Duplicator (Arbitrary File Read)

### Wp-File Manager (RCE)

I don't like the meterpreter shell and couldn't get a bash shell through it, so I generated a payload that gives me a reverse shell instead.

The room says that a password was logged. In `/var/logs` there is a `bash.log` that belongs to `cth` and is readable by us. It gives us an old password; for the current one we can guess that, since the year is 2021, the password must be `G00dP@$sw0rd2021`.

The guess is right, and as `cth` we can run any command with sudo.
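Before reaching for `ssh2john`, it helps to confirm that a key really is passphrase-protected and to see which cipher and KDF guard it, because that decides how fast cracking will go: the bcrypt KDF in the new OpenSSH container is far slower per guess than the single-round MD5 derivation of the legacy PEM format. The parser below is an added example and not part of the original writeup. It reads both container formats with the standard library only; the sample keys it ships with are constructed dummies with no real key material, not the `id_rsa` from the box.

```python
import base64
import re
import struct
import sys

MAGIC = b"openssh-key-v1\x00"
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+?)-----(.*?)-----END \1-----", re.S)


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    """Decode an SSH wire-format string at offset; return (bytes, new offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(text: str) -> dict:
    """Report container format, cipher and KDF of a private key and whether a
    passphrase is needed to use it."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no private key block found")
    label, body = m.group(1), m.group(2)

    if label == "OPENSSH PRIVATE KEY":
        # New-style container: base64 of
        #   magic | string cipher | string kdf | string kdfoptions | uint32 nkeys | ...
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        (nkeys,) = struct.unpack(">I", blob[off:off + 4])
        rounds = None
        if kdf == b"bcrypt":
            # kdfoptions for bcrypt: string salt | uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-key-v1", "cipher": cipher.decode(), "kdf": kdf.decode(),
                "rounds": rounds, "keys": nkeys, "encrypted": cipher != b"none"}

    # Legacy PEM ("BEGIN RSA PRIVATE KEY" etc.): encryption is announced by
    # RFC 1421 headers ahead of the base64 body; the key is derived with one MD5 round.
    headers = {}
    for line in body.strip().splitlines():
        if ":" not in line:
            break
        k, v = line.split(":", 1)
        headers[k.strip()] = v.strip()
    encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
    cipher = headers.get("DEK-Info", "none").split(",")[0] if encrypted else "none"
    return {"format": "pem/" + label, "cipher": cipher,
            "kdf": "md5" if encrypted else "none", "rounds": 1 if encrypted else None,
            "keys": 1, "encrypted": encrypted}


def make_sample_openssh_key(cipher: bytes, kdf: bytes, rounds: int = 16) -> str:
    """Constructed openssh-key-v1 container with dummy key material, present only
    so the parser can be exercised offline (this is not a usable key)."""
    kdfopts = b"" if kdf == b"none" else _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)
    blob = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1) + _ssh_string(b"\x00" * 32) + _ssh_string(b"\x00" * 64))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy-format sample (dummy base64 body, no real key), same purpose.
SAMPLE_PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    # Usage: python3 keycheck.py id_rsa   (with no argument, the constructed samples are shown)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            print(inspect_private_key(f.read()))
    else:
        print(inspect_private_key(make_sample_openssh_key(b"aes256-ctr", b"bcrypt")))
        print(inspect_private_key(SAMPLE_PEM_ENCRYPTED))
```

If `encrypted` is true, `ssh2john id_rsa` produces the hash for `john` or `hashcat`; a high bcrypt `rounds` value means each guess costs that many bcrypt iterations, so a small targeted wordlist pays off more than a large generic one.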
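The pivot above works because proxychains speaks SOCKS5 to the `ssh -D` listener. The scanner below is an added example, not from the writeup or from any tool it uses, that performs the same handshake by hand so the wire exchange is visible and the `-sT` requirement makes sense: a SOCKS proxy can only relay complete TCP connections, never raw SYN probes. It also handles a quirk of OpenSSH dynamic forwarding: `ssh` answers every CONNECT with "succeeded" before the remote end has been contacted, so a closed port shows up as an immediate EOF after the SOCKS reply rather than as a SOCKS error code. Proxy address, target and ports are command-line arguments; `127.0.0.1:1337` corresponds to the `-D 1337` listener used above.

```python
import socket
import struct
import sys

SOCKS_VER, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def build_greeting() -> bytes:
    """Client hello offering only the 'no authentication' method (RFC 1928 section 3)."""
    return bytes([SOCKS_VER, 1, NO_AUTH])


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:                      # not a dotted quad: let the proxy resolve the name
        name = host.encode()
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack(">H", port)


def parse_reply(data: bytes):
    """Reply: VER REP RSV ATYP BND.ADDR BND.PORT -> (rep, bound host, bound port)."""
    if len(data) < 4 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode(), data[5 + n:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    (port,) = struct.unpack(">H", rest[:2])
    return rep, host, port


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def socks5_connect(proxy, target: str, port: int, timeout: float):
    """Run the handshake; return (socket, rep) with the socket now relayed to target:port."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(build_greeting())
    if _recv_exact(s, 2) != bytes([SOCKS_VER, NO_AUTH]):
        s.close()
        raise ConnectionError("proxy rejected the no-auth method")
    s.sendall(build_connect(target, port))
    head = _recv_exact(s, 4)
    if head[3] == ATYP_IPV4:
        rest = _recv_exact(s, 6)
    elif head[3] == ATYP_DOMAIN:
        n = _recv_exact(s, 1)
        rest = n + _recv_exact(s, n[0] + 2)
    else:                                # IPv6 (anything else is rejected by parse_reply)
        rest = _recv_exact(s, 18)
    rep, _, _ = parse_reply(head + rest)
    return s, rep


def probe_port(proxy, target: str, port: int, timeout: float = 2.0) -> str:
    """Classify target:port as seen through the proxy."""
    try:
        s, rep = socks5_connect(proxy, target, port, timeout)
    except OSError as e:
        return f"error: {e}"
    if rep != 0:
        s.close()
        return f"closed ({REPLY_TEXT.get(rep, rep)})"
    # ssh -D reports 'succeeded' before the remote connect has happened; if that
    # connect fails the channel is torn down, which the client sees as an EOF.
    s.settimeout(timeout)
    try:
        data = s.recv(256)
    except socket.timeout:
        return "open (no banner within timeout)"
    finally:
        s.close()
    if not data:
        return "closed (EOF right after the SOCKS reply)"
    return "open: " + data[:60].decode(errors="replace").strip()


if __name__ == "__main__":
    # Usage: python3 socksscan.py 127.0.0.1:1337 127.0.0.1 22 80 3306
    phost, pport = sys.argv[1].rsplit(":", 1)
    for p in sys.argv[3:]:
        print(f"{sys.argv[2]}:{p:<6} {probe_port((phost, int(pport)), sys.argv[2], int(p))}")
```

One caveat of the EOF heuristic: a port the remote host filters silently keeps the channel open until the server-side connect times out, so with a short timeout it is reported as "open (no banner)". Raise the timeout, or compare against a port you know is closed, before trusting that verdict.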
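The last step guessed the current password by bumping the year on the old one found in `bash.log`. The helper below is an added example, not from the writeup, that generalises that guess into a short candidate list for `su`, `sudo` or a wordlist: it rotates a trailing year forward, adds two-digit forms, and appends recent years when the leaked password carries no year at all. The sample input `G00dP@$sw0rd2020` is a constructed illustration, not the value logged on the box.

```python
import re
import sys
from datetime import date

# A trailing 4-digit year, optionally followed by punctuation:
# "Winter2020!" -> stem "Winter", year 2020, tail "!"
YEAR_RE = re.compile(r"^(?P<stem>.*?)(?P<year>(?:19|20)\d{2})(?P<tail>[^0-9A-Za-z]*)$")


def rotate_year(old: str, span: int = 2, two_digit: bool = True) -> list:
    """Candidates for the current password given an old one.

    If the old password ends in a year it is bumped by 1..span; otherwise the
    current and previous years are appended. Order is most-likely-first, no duplicates."""
    out = []
    m = YEAR_RE.match(old)
    if m:
        stem, tail, y0 = m.group("stem"), m.group("tail"), int(m.group("year"))
        years = range(y0 + 1, y0 + 1 + span)
    else:
        stem, tail = old, ""
        this_year = date.today().year
        years = range(this_year, this_year - span, -1)
    for y in years:
        out.append(f"{stem}{y}{tail}")
        if two_digit:
            out.append(f"{stem}{y % 100:02d}{tail}")
    return list(dict.fromkeys(out))      # dedupe while keeping order


if __name__ == "__main__":
    # Usage: python3 yearrotate.py 'OldPassword2020' > candidates.txt
    old = sys.argv[1] if len(sys.argv) > 1 else "G00dP@$sw0rd2020"   # constructed sample
    print("\n".join(rotate_year(old)))
```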