mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
TryHackMe-0day
NMAP
```
Nmap scan report for 10.10.44.55
Host is up (0.41s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 57:20:82:3c:62:aa:8f:42:23:c0:b8:93:99:6f:49:9c (DSA)
| 2048 4c:40:db:32:64:0d:11:0c:ef:4f:b8:5b:73:9b:c7:6b (RSA)
| 256 f7:6f:78:d5:83:52:a6:4d:da:21:3c:55:47:b7:2d:6d (ECDSA)
|_ 256 a5:b4:f0:84:b6:a7:8d:eb:0a:9d:3e:74:37:33:65:16 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: 0day
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.55 seconds
```
PORT 80
![](https://imgur.com/EDnud0k.png)
Feroxbuster
For directory fuzzing I used feroxbuster
![](https://imgur.com/uPEPTsy.png)
![](https://imgur.com/WoP8k8m.png)
The `backup` directory has a private key
![](https://imgur.com/z4XnVU0.png)
But we don't have a valid username to connect with SSH.
Nikto
![](https://imgur.com/PzXw7Dr.png)
Alternatively, we could have done this with gobuster or with wfuzz
![](https://imgur.com/zI7ZKQV.png)
With wfuzz
![](https://imgur.com/wt3yUft.png)
This told us that there is a `test.cgi` which we can access, and there is an exploit for it, called the Shellshock vulnerability, for cgi-bin.
![](https://imgur.com/aG1YvUu.png)
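The defender's view of the Shellshock request against `test.cgi` described above, as an added example that is not part of the original writeup: it scans Apache combined-format access log lines for the bash function-definition prefix in the logged request, Referer and User-Agent fields. The log lines, addresses and the name `find_shellshock_attempts` are constructed for illustration.

```python
import re

# Apache "combined" format:
#   host ident user [time] "request" status size "referer" "user-agent"
# Apache writes embedded quotes as \" so each quoted field allows escapes.
QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    rf'"(?P<request>{QUOTED})" (?P<status>\d{{3}}) \S+ '
    rf'"(?P<referer>{QUOTED})" "(?P<agent>{QUOTED})"'
)
# Bash function-definition prefix carried in a header value; spacing varies.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')


def find_shellshock_attempts(lines):
    """Return one record per log line whose logged fields carry the prefix."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        fields = [f for f in ("request", "referer", "agent")
                  if FUNC_DEF.search(m[f])]
        if not fields:
            continue
        parts = m["request"].split(" ")
        path = parts[1] if len(parts) > 1 else ""
        hits.append({
            "host": m["host"], "time": m["time"], "path": path,
            "fields": fields,
            # CGI targets are where the header reaches bash as an env variable
            "cgi": "/cgi-bin/" in path or path.endswith(".cgi"),
            # 200 means the script ran; it is a triage hint, not proof
            "served": m["status"] == "200",
        })
    return hits


# Constructed sample lines (documentation address ranges, benign payload text).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Feb/2025:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 3025 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Feb/2025:12:00:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 13 "-" "() { :;}; echo constructed-sample"',
    '198.51.100.7 - - [16/Feb/2025:12:00:09 +0000] "GET /admin HTTP/1.1" 404 290 "()  { :; }; echo constructed-sample" "curl/7.0"',
    '203.0.113.4 - - [16/Feb/2025:12:01:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 13 "-" "curl/7.0"',
]

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```

Only headers that Apache is configured to log are visible here; a payload sent in any other header needs a custom `LogFormat` or packet capture to detect.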
Now I launched a shell in the meterpreter session through `shell`, then stabilized it with python. Got the user flag; now the only thing left to do is privilege escalation.
Privilege Escalation
![](https://imgur.com/ieAYkPK.png)
If we search for an exploit for this version, we will get this on exploit-db
![](https://imgur.com/DyBUiNI.png)
Have the exploit on your local machine and transfer it to the target through netcat or a python web server
![](https://imgur.com/EmcReja.png)
![](https://imgur.com/96rP4fx.png)
![](https://imgur.com/pLxyAfz.png)
And we got root !!!