mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-28 06:30:29 +00:00
2.6 KiB
2.6 KiB
TryHackMe-0day
NMAP
Nmap scan report for 10.10.44.55
Host is up (0.41s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 57:20:82:3c:62:aa:8f:42:23:c0:b8:93:99:6f:49:9c (DSA)
| 2048 4c:40:db:32:64:0d:11:0c:ef:4f:b8:5b:73:9b:c7:6b (RSA)
| 256 f7:6f:78:d5:83:52:a6:4d:da:21:3c:55:47:b7:2d:6d (ECDSA)
|_ 256 a5:b4:f0:84:b6:a7:8d:eb:0a:9d:3e:74:37:33:65:16 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: 0day
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.55 seconds
PORT 80
Feroxbuster
For directory fuzzing I used feroxbuster
The backup
directory has private key
But we don't have a valid username to connect with SSH.
Nikto
Alternativley we could have done this with gobuster
or with wfuzz
With wfuzz
This told us that there is a test.cgi which we can access and there is an exploit for it which is called shellshock
vulnerability for cgi-bin.
Now I launched a shell in meterpreter session through shell
then stabilized it with python.Got the user flag now only thing left to do is privilege escalation
Privilege Escalation
If he search an exploit for this version we will get this on exploit-db
Have the exploit on your local machine and tranfer it to target through netcat or python web server
And we got root !!!