# TryHackMe-0day
## NMAP
```
Nmap scan report for 10.10.44.55
Host is up (0.41s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 57:20:82:3c:62:aa:8f:42:23:c0:b8:93:99:6f:49:9c (DSA)
| 2048 4c:40:db:32:64:0d:11:0c:ef:4f:b8:5b:73:9b:c7:6b (RSA)
| 256 f7:6f:78:d5:83:52:a6:4d:da:21:3c:55:47:b7:2d:6d (ECDSA)
|_ 256 a5:b4:f0:84:b6:a7:8d:eb:0a:9d:3e:74:37:33:65:16 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: 0day
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.55 seconds
```
## PORT 80
## Feroxbuster
For directory fuzzing I used `feroxbuster`.
The `backup` directory has a private key.
But we don't have a valid username to connect with SSH.
## Nikto
Alternatively, we could have done this with `gobuster` or with `wfuzz`.
With wfuzz
This told us that there is a `test.cgi` which we can access, and there is an exploit for it, which is called the `shellshock` vulnerability for cgi-bin.
Now I launched a shell in the meterpreter session through `shell`, then stabilized it with python. Got the user flag; now the only thing left to do is privilege escalation.
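
For the defending side of the `test.cgi` finding above, this added example (not part of the original writeup) scans Apache combined-format access logs for the `() {` bash function-definition prefix that Shellshock requests carry. The function name `find_shellshock`, the log lines and the addresses are constructed for illustration.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
# Bash function-definition prefix carried by Shellshock requests; spacing varies.
FUNC_DEF = re.compile(r'\(\)\s*\{')

def find_shellshock(lines):
    """Return one record per log line whose client-controlled field holds `() {`."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if m is None:
            # Unparseable line: fall back to a raw search so nothing is skipped.
            if FUNC_DEF.search(line):
                hits.append({"line": number, "host": None, "field": "raw",
                             "cgi": False, "status": None})
            continue
        for field in ("request", "referer", "agent"):
            if FUNC_DEF.search(m[field]):
                hits.append({
                    "line": number,
                    "host": m["host"],
                    "field": field,
                    # Headers become environment variables only for CGI handlers,
                    # so a hit on a /cgi-bin/ path deserves priority.
                    "cgi": "/cgi-bin/" in m["request"],
                    "status": int(m["status"]),
                })
                break
    return hits

# Constructed sample log lines (documentation addresses, harmless echo payload).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 3025 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 13 "-" "() { :; }; echo probe"',
    '192.0.2.44 - - [01/Jan/2024:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 3025 "() {  :;}; echo probe" "curl/7.68.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 13 "-" "Mozilla/5.0 (X11; Linux)"',
]

if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE):
        print(hit)
```

The combined format records only the request line, Referer and User-Agent, so a probe sent in another header (Cookie, for example) will not show up unless the log format is extended.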
## Privilege Escalation
If we search for an exploit for this version, we will get this on exploit-db.
Have the exploit on your local machine and transfer it to the target through netcat or a python web server.
And we got root !!!