This is the write-up for TryHackMe’s room named En-pass: Get what you can’t.This room can be found at this URL:
Enumeration
NMAP
# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.248.167
# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,8001 10.10.248.167
So we have SSH at port 22 and a Website at port 8001. First let’s explore the website.Open it up in your favorite browser and we see some images and some text printed on them.We can view all these text by doing view source on the web page:
Ehvw ri Oxfn!! is Caesar Cipher for Best of Luck with shift value of 3
U2FkCg== base64 for Sad
Well looked like we were trolled.
Gobuster
Time to do directory Brute Forcing. Let’s use gobuster:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt -u http://10.10.240.162:8001 -t 40
Explore /reg.php found above:
If we input something e.g. 1234 we see in the response back from the server contains the following php code:
