Hey everyone I hope you are doing good , I am back again doing some TryHackMe rooms and I will be showing you how I solved the Badbyte room which is a good room that will teach you some things if you are a beginner but keep in mind before viewing the walk through make sure to try it on your own because this will have some spoilers so with that being said let’s jump in.
Rustscan
rustscan -a 10.10.28.94 -- -A -sC -sV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com [~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.28.94:22
Open 10.10.28.94:30024 PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f3:a2:ed:93:4b:9c:bf:bb:33:4d:48:0d:fe:a4:de:96 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9/A7kkuN5E+SS1C6w1NfeY196Rj4Y1Yx7njNCwNaCgIv8m+V+7MTHsRn3txLXRTHXErMqW3ypCmmjuY3O40kAragZSgA/XhdesGxGVa0szH
K7H4fB28uQiyZgkOfIt/12kGaHB3iGwOeex2Hdg6ct4FdxTWKgDvuKZSLVoPXG66R8SOHql2cXfUtzyUMNJTTqoUED69soEJVG2ctfPKXi4BfFqM3OK2HgKzbmcSPXlLUTNhlcvjPuTa0kMRqiNT
MVdP0PjSFdoaMviXHiznW7Fn6NHe3R/vIQt8Ac05Mdvim21QjRpJ4pm7v5+q1wXCJxGG6Ov71yThKP6yZ4ByMl
| 256 22:72:00:36:eb:37:12:9f:5a:cc:c2:73:e0:4f:f1:4e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM9QUKykbzCSI7+PgoVzHNKOVIWf+zm0LN/f4n0VJc/P0J9TzLImkYHIOCnRFpNUPtiWGXbHXi
67FQxEpgZMReo=
| 256 78:1d:79:dc:8d:41:f6:77:60:65:f5:74:b6:cc:8b:6d (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrvf1zJBhqU1RxUCYuTgoIy+7NzCqZeFWV67bt8+APV
30024/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 1743 Mar 23 20:03 id_rsa
|_-rw-r--r-- 1 ftp ftp 78 Mar 23 20:09 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.94.60
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
We have two ports open , one is 22 (SSH) and the other one is 30024 (FTP)
PORT 30024 (FTP)
From the note.txt
I always forget my password. Just let me store an ssh key here.
- errorcauserSo errorcauser might be a username and we have his id_rsa so we can now ssh into the machine
PORT 22 (SSH)
As soon as we try to login with the private ,it’s protected with a passphrase
So here we need ssh2john generate a hash for the key so we can crack it with johntheripper or hashcat
And we successfully cracked the hash and got the passphrase so now we should be able to login
We are logged in as errorcauser but we see another note which tells that there's a webserver running on local port
Since there is no ss or nestat installed we have create a socks proxy on localhost to see which ports are open in order to that we will login through ssh using this command
ssh errorcauser@10.10.28.94 -i id_rsa -D 1337
Also add socks5 proxy in /etc/proxychains.conf
Now run a TCP scan on localhost
So we can see two more ports 80 and 3306 , so let’s scan port 80 what’s running on it
Add proxy with Foxyproxy extension or you could manually add proxy setting
Using wpscan I enumerated the user
For some reason wpscan wasn’t giving me plugins for wordpress so I decide to use nse (nmap scripting engine)
This is the scipt I used to enumerate plugins also to note supply arguemnts to scan upto 1500 results from wordpress plugins script
proxychains nmap -sT -p 80 --script http-wordpress-enum --script-args search-limit=1500 127. 0.0.1
So we have found these two plugins being used on wordpress and these both have exploits on exploit-db
Duplicator (Arbitary File Read)
Wp-File manager (RCE)
I don’t like the meterpreter shell so and I can’t get the bash through it so I decided to generate a payload that will give a me a reverse shell
Now the room tells that password was logged so by going to /var/logs I find bash.log belongs cth so we can read it
Here it gives us the old password , for the current password we can guess that since the year is 2021 so the password must be G00dP@$sw0rd2021
And we guessed it right , we can run any command as sudo
