THM Linux Shells

Introduction

This walkthrough covers the THM Clintons Private Server.

CD

Starting off

The first thing we do is an Nmap scan.

As you can see, it has ports 80 and 22 open.

We then hit it with ffuf.

We are looking for other pages, but it looks like there are not many commonly named dirs or page names.

We did notice on the main page there is a login page, so I navigate to it.

I take a peek at the source code and see it looks at a PHP page:

.admin/login.php

I try to look it up, but for some reason it won't open for me.

So let's just start guessing the password. I use

admin

as the user name.

Would you look at that! I am in, but there's nothing to do. I guess it was a waste of time.

Looking at other pages

So I take a look around at the other links and notice a private server settings page.

Looking at the page, there really isn't anything interesting in it.

On to the next one, which is Deleted emails,

which also proves to be useless.

Now we head to classified documents.

Looking at the page, I notice some downloads, so I start clicking.

The first one is the Foreign emails. Not noticing anything too good in there, I go to the next:

Password Management for Bill Clinton

Boom, look at that: a password list for Bill Clinton. The passwords look funny, so I move to CyberChef to see if they are what I think they are.

I was right, they are base64, so let's decode them and put them in a txt file.

So we are stuck now: we have a password list but no usernames. But let's think: how are users commonly named for usernames?

I start off with billclinton, bill, billc, and bclinton.

I am using a custom Python SSH brute-force script to give you an idea. There are many other ways to brute-force SSH.

I've left the passwords out so you can try for yourself.
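
Seen from the server's side, guessing username variants against SSH like this leaves a clear trail in the sshd log. The following is an added example, not the custom script mentioned above and not part of the original walkthrough; the log lines, usernames, IPs and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd auth.log lines (not from the room): one source cycles
# through username variants, then logs in; another user mistypes once.
SAMPLE_LOG = """\
Jan 10 12:00:01 srv sshd[901]: Failed password for invalid user johndoe from 10.10.0.5 port 40100 ssh2
Jan 10 12:00:02 srv sshd[902]: Failed password for invalid user johnd from 10.10.0.5 port 40102 ssh2
Jan 10 12:00:03 srv sshd[903]: Failed password for john from 10.10.0.5 port 40104 ssh2
Jan 10 12:00:04 srv sshd[904]: Failed password for john from 10.10.0.5 port 40106 ssh2
Jan 10 12:00:05 srv sshd[905]: Accepted password for john from 10.10.0.5 port 40108 ssh2
Jan 10 12:03:10 srv sshd[910]: Failed password for alice from 10.10.0.9 port 51000 ssh2
Jan 10 12:03:20 srv sshd[911]: Accepted password for alice from 10.10.0.9 port 51002 ssh2
"""

# Matches OpenSSH password-auth results, with or without "invalid user".
EVENT = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def find_guessing(log_text, min_failures=3, min_users=2):
    """Return {source_ip: report} for sources that look like credential guessing."""
    failures = defaultdict(int)
    users = defaultdict(set)
    compromised = defaultdict(set)
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        if outcome == "Failed":
            failures[src] += 1
            users[src].add(user)
        elif failures[src] >= min_failures and len(users[src]) >= min_users:
            # A success after a guessing run: treat the account as compromised.
            compromised[src].add(user)
    return {
        src: {"failures": n, "users_tried": sorted(users[src]),
              "logins_after_guessing": sorted(compromised[src])}
        for src, n in failures.items()
        if n >= min_failures and len(users[src]) >= min_users
    }

if __name__ == "__main__":
    for src, report in find_guessing(SAMPLE_LOG).items():
        print(src, report)
```

Any account listed under logins_after_guessing should have its password rotated, and password authentication over SSH is the setting to revisit.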

Task 4: We have access

We have access to the first user.txt.

Let's look around and see what's there.

I do

ls -a

to see if there's anything hidden. Of course there is.

Move to that secret folder and let's see what's in it.

So bill has a base64 decoding script. Interesting, let's move on.

While snooping around in the file system, I see there's a private folder.

Is that base64? Why yes. Let's figure out how to use that script.

I couldn't guess who that password is for! Let's move to that account and see.

We get into hillary's account with another flag.

Let's see if we can get root.

Let's priv escalate to root.

I start up a simple HTTP server to move over linpeas.

Based off the peas results, I can sudo vim. Let's try that to get root.

We have root!!!!

Hope you liked the room, I am the one who actually made it.