0day: TryHackMe

0day is an Ubuntu-based machine from TryHackMe.

You can find the challenge here.

Enumeration:

Starting with nmap:

Port 80 is open. Let's check that.

Let's do some directory busting and see if we can find anything.

Enumerating found directories. I found some interesting stuff on /backup. Looks like SSH keys.


I tried to find the username for those SSH keys, but failed. So moving on. Since it's running a web server on port 80, Nikto will be good for checking web vulnerabilities.

Starting Nikto scan.


Interesting, it says the site is vulnerable to the Shellshock vulnerability. After some Google searching I found there is a Metasploit module which we can use.
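A defender's view of the Nikto finding above, as an added example that is not part of the original writeup: a Python check that flags Apache combined-format access log lines whose Referer or User-Agent starts with the Bash function-definition prefix that Shellshock relies on. The log lines, addresses and the `/cgi-bin/example.cgi` path are constructed samples, and `find_shellshock` is a hypothetical helper name.

```python
import re

# Bash treated an environment value as a function definition when it began
# with "() {", so the check is anchored to the start of the header value.
FUNC_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")

# Apache "combined" format; quoted fields may contain backslash-escaped quotes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r"^(\S+) \S+ \S+ \[([^\]]+)\] " + QUOTED + r" (\d{3}) \S+ "
    + QUOTED + " " + QUOTED
)

def find_shellshock(lines):
    """Return a finding for each line whose Referer or User-Agent starts
    with the function-definition prefix."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = COMBINED.match(line)
        if not match:
            continue  # not combined format: skip rather than guess
        host, _time, request, status, referer, agent = match.groups()
        fields = [name for name, value in (("referer", referer), ("agent", agent))
                  if FUNC_PREFIX.match(value)]
        if fields:
            parts = request.split(" ")
            findings.append({
                "line": number,
                "host": host,
                "path": parts[1] if len(parts) > 1 else "",
                "status": int(status),
                "fields": fields,
            })
    return findings

# Constructed sample lines: documentation addresses, hypothetical CGI path.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 3025 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2024:10:02:11 +0000] "GET /cgi-bin/example.cgi HTTP/1.1" 200 13 "-" "() { :; }; echo probe"',
    '192.0.2.44 - - [01/Jan/2024:10:02:15 +0000] "GET /cgi-bin/example.cgi HTTP/1.1" 500 0 "() { :; }; echo probe" "curl/8.0"',
    '192.0.2.10 - - [01/Jan/2024:10:03:00 +0000] "GET /js/app.js HTTP/1.1" 200 88 "http://example.test/?cb=fn(){}" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(hit)
```

The combined format records only Referer and User-Agent, so a payload carried in another header such as Cookie is visible only if that header is added to the `LogFormat` (for example `%{Cookie}i`) or inspected by a WAF or IDS.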

Exploitation:

So firing up Metasploit and searching for shellshock.

Using 5, of course, for Apache.

Setting parameters.

The last part was tricky. You can find the CGI script path from that Nikto scan result. OK, let's run this bad boy.

And we have a Meterpreter shell.

Let's grab that user flag.

Next part.

Privilege Escalation:

Let's load linpeas and check for privilege escalation.

And run linpeas.

Interesting, the kernel version. I found an exploit for this kernel version. Let's download and export this C file to the target.

Let's compile and run it. And boom, we have root.

You can grab the root flag.

Thanks!
