Cyb0rgBytes
3 min readMar 25, 2024

Hello everyone, welcome to another penetration testing writeup. This time I’m rooting a box on the Tryhackme.com platform.

The first phase of any penetration testing engagement is information gathering and enumeration, where we collect as much information about the target as possible.

Information Gathering:

Using nmap we can scan for open ports and vulnerable services as follows:

[Image: Initial Nmap scan]

Using nmap I identified the following open ports:

80 — HTTP

139 — netbios-ssn

445 — netbios-ssn

22 — SSH

Next I use nmap to scan these ports for vulnerabilities:

[Image: Initial vulnerability scan]

Here are the results of the initial vulnerability scan.

Next I scan the target for enumeration purposes and to gather further information:

[Image: Enumeration using gobuster]

From this scan I found two web directories:

/css

/cloud

After checking the /cloud web directory I found that I can upload images to the server using the dashboard!

I tried to upload a web reverse shell as follows:

Using python I hosted a small server serving the web reverse shell I wanted to upload. While uploading I noticed that the dashboard accepts images but is not protected against extension manipulation, which comes in handy here.

[Image: The web directory that allows us to upload files]

And from there I got a shell.
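The weakness described above is an upload handler that checks only what the client claims about the file, so renaming the file (extension manipulation) gets it past the filter. The following is an added example, not code from the original post or from the TryHackMe box: it places that assumed weak check (trusting the client-declared content type) beside a hardened validator that allow-lists a single extension, verifies the file's magic bytes, and assigns a random stored name. All file names and byte strings below are constructed for the demonstration.

```python
import re
import secrets

# Magic bytes for the image types the hardened check allows (well-known file signatures).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Constructed samples (not real uploads): (filename, client-declared type, first bytes of content)
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_BYTES = b"<?php echo 'placeholder'; ?>"          # stands in for any server-side script
SAMPLE_UPLOADS = [
    ("photo.png", "image/png", PNG_BYTES),            # legitimate image
    ("shell.php", "image/png", PHP_BYTES),            # script with a forged content type
    ("shell.php.png", "image/png", PHP_BYTES),        # double extension
    ("pic.PHP", "image/png", PNG_BYTES),              # real image bytes, executable extension
    ("photo.png", "image/png", PHP_BYTES),            # image name, script content
]


def weak_accepts(filename, content_type, data):
    """Assumed weak check: accepts anything the client labels as an image."""
    return content_type.startswith("image/")


def hardened_accepts(filename, content_type, data):
    """Return a safe stored name, or None if the upload is rejected.

    Rules: exactly one extension, extension on the allow-list, file signature
    matches that extension, and the stored name is random so the client never
    controls the path. The client-declared type is ignored entirely.
    """
    parts = filename.lower().split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        return None                      # double extensions or odd characters
    ext = parts[1]
    if ext not in MAGIC:
        return None                      # .php and friends never get this far
    if not data.startswith(MAGIC[ext]):
        return None                      # content does not match the claimed type
    ext = "jpg" if ext == "jpeg" else ext
    return f"{secrets.token_hex(16)}.{ext}"


def compare(samples=SAMPLE_UPLOADS):
    """Run both checks over the samples; returns {filename: (weak_result, hardened_accepted)}."""
    results = {}
    for name, ctype, data in samples:
        weak = weak_accepts(name, ctype, data)
        hard = hardened_accepts(name, ctype, data) is not None
        results[name + "|" + ctype + "|" + str(len(data))] = (weak, hard)
    return results


if __name__ == "__main__":
    for key, (weak, hard) in compare().items():
        print(f"{key:40} weak={weak!s:5} hardened={hard}")
```

Magic-byte checks can be satisfied by polyglot files, so the stored-name randomisation and serving the upload directory as static content (never executing from it) are what actually close the hole; the signature check just removes the easy cases.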

Let's first upgrade our shell to a proper TTY:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Looking around the box, I found a user called sysadmin; we can try to crack his password using hydra.

We can crack the SSH password for this user:
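A hydra run against SSH leaves a very recognisable trail in the auth log: a burst of "Failed password" lines from one source, often followed by an "Accepted password" once the guess lands. The block below is an added example from the defender's side, not part of the original writeup: it parses constructed sshd log lines (hostname, IPs, PIDs and timestamps are all made up for the example) and flags a source that fails more than a threshold of times inside a time window, noting whether a successful login followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (not from any real host). syslog lines carry no year,
# so the parser takes one as a parameter.
LOG_LINES = """\
Mar 25 10:01:02 host sshd[1201]: Failed password for sysadmin from 10.10.14.5 port 50122 ssh2
Mar 25 10:01:03 host sshd[1203]: Failed password for sysadmin from 10.10.14.5 port 50124 ssh2
Mar 25 10:01:04 host sshd[1205]: Failed password for sysadmin from 10.10.14.5 port 50126 ssh2
Mar 25 10:01:05 host sshd[1207]: Failed password for sysadmin from 10.10.14.5 port 50128 ssh2
Mar 25 10:01:06 host sshd[1209]: Failed password for sysadmin from 10.10.14.5 port 50130 ssh2
Mar 25 10:01:07 host sshd[1211]: Failed password for sysadmin from 10.10.14.5 port 50132 ssh2
Mar 25 10:01:09 host sshd[1215]: Accepted password for sysadmin from 10.10.14.5 port 50140 ssh2
Mar 25 10:05:00 host sshd[1300]: Failed password for invalid user admin from 192.168.1.20 port 41000 ssh2
Mar 25 10:06:00 host sshd[1302]: pam_unix(sshd:session): session opened for user sysadmin by (uid=0)
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(lines, year=2024):
    """Turn sshd password-auth lines into (timestamp, result, user, ip) tuples; other lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Return {ip: summary} for every source with >= threshold failures inside any window_s-second span."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        burst = False
        start = 0
        for end in range(len(fails)):          # sliding window over failure timestamps
            while (fails[end][0] - fails[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        first_fail = fails[0][0]
        success = any(e[1] == "Accepted" and e[0] >= first_fail for e in evs)
        alerts[ip] = {
            "failures": len(fails),
            "users": sorted({e[2] for e in fails}),
            "success_after_burst": success,    # the case that needs immediate response
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse(LOG_LINES)).items():
        print(ip, info)
```

The threshold and window are deliberately parameters: fail2ban-style blocking uses the same counting, and tuning them against the host's normal login noise is what keeps the alert useful.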

After looking around, I found a KeePass database file, which I'll crack with john next.

First we have to write the hash of the database into a text file:

[Image: Initial foothold on the machine]
[Image: An interesting file, a KeePass2 database]
[Image: Getting the database hash ready for cracking with john the ripper]

Next we use john the ripper to crack the password:

[Image: Crack initiated]

Next we install Keepass2 and open the database with the password we just cracked using john; from there we get the sysadmin password:

Let's log in now via SSH:

[Image: SSH login as sysadmin]

Next, for privilege escalation, I do the following:

Step One: Create a PHP reverse shell using the pentest monkey template.

Step Two: Host it on a python server on my box.

Step Three: Transfer it to the target machine.

Step Four: Copy it and rename it to the backup.inc.php file, which is included by the script.php file that runs as an automated cron job.

Finally: profit.

[Image: Gained root]
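The root cause of this escalation is a root cron job that includes a file a lower-privileged user can overwrite. The following audit script is an added example, not code from the original post or the box: it follows a cron-run PHP script through its include/require targets and reports any file (or containing directory) that is writable by group/other or owned by an untrusted uid. The demo builds a constructed replica of the script.php / backup.inc.php layout in a temporary directory; because those files are owned by whoever runs the demo, it passes the current uid as trusted, whereas on a real host the trusted set would be {0}.

```python
import os
import re
import stat
import tempfile

# Matches include/require/include_once/require_once with a quoted literal path.
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]", re.I)


def check_mode(label, st_mode, st_uid, trusted_uids):
    """Pure permission check on stat values so it can be tested without real files."""
    findings = []
    if st_mode & stat.S_IWOTH:
        findings.append(f"{label}: world-writable")
    elif st_mode & stat.S_IWGRP:
        findings.append(f"{label}: group-writable")
    if st_uid not in trusted_uids:
        findings.append(f"{label}: owned by uid {st_uid}, not a trusted uid")
    return findings


def audit_cron_script(path, trusted_uids=frozenset({0}), seen=None):
    """Recursively audit a script that cron runs as root and everything it includes."""
    seen = set() if seen is None else seen
    path = os.path.realpath(path)
    if path in seen:
        return []
    seen.add(path)
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: include target missing"]
    findings = check_mode(path, st.st_mode, st.st_uid, trusted_uids)
    # A writable parent directory lets the file be replaced even if the file itself is read-only.
    parent = os.path.dirname(path)
    pst = os.stat(parent)
    if pst.st_mode & (stat.S_IWOTH | stat.S_IWGRP) and not pst.st_mode & stat.S_ISVTX:
        findings.append(f"{parent}: directory writable, contained files can be replaced")
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", "replace")
    for target in INCLUDE_RE.findall(text):
        tpath = target if os.path.isabs(target) else os.path.join(parent, target)
        findings += audit_cron_script(tpath, trusted_uids, seen)
    return findings


def demo():
    """Constructed replica of the layout from the writeup: script.php includes a world-writable backup.inc.php."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "script.php")
        inc = os.path.join(d, "backup.inc.php")
        with open(script, "w") as fh:
            fh.write("<?php include('backup.inc.php'); ?>\n")
        with open(inc, "w") as fh:
            fh.write("<?php /* backup routine placeholder */ ?>\n")
        os.chmod(d, 0o755)
        os.chmod(script, 0o644)
        os.chmod(inc, 0o666)          # the weak permission the escalation depends on
        # Demo-only: files here belong to the running user, so treat that uid as trusted.
        return audit_cron_script(script, trusted_uids=frozenset({os.getuid()}))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Pointing the audit at every script referenced from /etc/crontab and /etc/cron.d (with the default trusted set of {0}) turns the manual "look around for a writable include" step into a repeatable check.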

Written by Cyb0rgBytes

A passionate and defensive type of ethical hacker, booted and ready to secure the world
