# All in One

![](/files/-McewcSZoq1LxWVCGLSU)

## Scanning

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**):

```
nmap -Pn 10.10.117.119
```

![](/files/-McexNWUsoD2g_ugmzWz)

Detailed nmap scan:

```
nmap -sV -sC -p 21,22,80 -oN nmap 10.10.117.119
```

![](/files/-McexQDmnhOIftyzQnqn)

## Enumeration

Let's look at FTP, as `anonymous` login is allowed.

![](/files/-Mcexl-cvQ2hzXDfyf3r)

There is nothing on the FTP server, so let's look at the web server.

![](/files/-MceyW4WHKB0AzrUh9kE)

It's an Apache2 default page, so let's run `gobuster` to look for hidden directories.

![](/files/-McezL9oQksb3rEcmkqU)

Let's check these directories out, starting with `/wordpress`.

![](/files/-McezhfVNBnkrRN1RWbo)

It's a WordPress site. We can explore this, but first let's look at the other directory we found.

![](/files/-Mcezx0H9CUnhPCGMPmn)

There is nothing interesting on the page, so let's look at the source code. Scrolling down, we see something interesting.

![](/files/-Mcf-OaSOezw6jvx_qdx)

It looks like a cipher, so let's crack it.

![](/files/-Mcf-kH3vvadlh5PnfCH)

Looks like a password, but we do not have a username to log in through SSH.

Let's go back to the WordPress site. We have the username `elyana`, but the password is not the right one.

Let's run `wpscan` to find information about this site.

![](/files/-Mcf1idt9BDLbrSf-lra)

Looking through the output, we see 2 vulnerabilities.

![](/files/-Mcf2-o8aHzut9a-ItXp)

We have an LFI vulnerability and an Arbitrary File Upload vulnerability. Let's first log in with the credentials we found.

![](/files/-McfA8UH1wJ509lbYlx8)

Once logged in, we can go to Appearance > Theme Editor, replace the `404.php` file with a reverse shell, and click Update.

![](/files/-McfAvdSoiYPHGvNybYd)

Once we do that, we have to start a netcat listener.

![](/files/-McfB7DrB0MLukgFy2AL)

Now we visit this URL to get the reverse shell.

![](/files/-McfBVBYTNaySXovVHn1)

Let's stabilize the shell.

![](/files/-McfBsB8IYOuO8EXuOCE)

Let's look at the files.

![](/files/-McfCKM2QJnTbwQi7DOM)

So the password for the user `Elyana` is hidden on the system.

Let's find all the files that belong to the user `elyana`.

![](/files/-McfClcsx0BHTtpetSSM)

This is an interesting file, so let's read it.

![](/files/-McfCrXtNLLD1yFSNHj1)

We have the username and password, so let's log in through SSH.

![](/files/-McfCzcFOevE8Bq1pza6)

We can now read the user flag.

![](/files/-McfD63M1Gm_vU_z7dk0)

Looks like it is encoded, so let's decode it.

![](/files/-McfDOSS_8v3XTHeEQTR)

## Privilege Escalation

Let's run `sudo -l`.

![](/files/-McfDYeLWauFujQdWRsy)

Looks like we can run `socat` as sudo. Let's go to [GTFOBins](https://gtfobins.github.io/gtfobins/socat/#sudo) and get the command to escalate privileges to root.

![](/files/-McfDm420F7dF31_nhoM)

![](/files/-McfDoK1FkL-ecaw3Die)

We are root. We can read the root flag.

![](/files/-McfDxNT87OKFzik52kw)

Let's decode this.

![](/files/-McfE3eaD6dcnJnKzL29)
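
From the defender's side, the `sudo -l` finding in this section is a sudoers rule that should not exist. The following added example (not part of the original write-up) audits `sudo -l` output for rules that allow shell-capable binaries. The sample listing, the function name, and the watch list beyond `socat` are assumptions constructed for illustration, and commas escaped inside command arguments are not handled.

```python
import os
import re

# Binaries that can hand out a shell or run arbitrary commands under sudo.
# socat is the one from this write-up; the rest are an assumed, non-exhaustive
# watch list of other well-known GTFOBins entries.
SHELL_CAPABLE = {"socat", "find", "vim", "vi", "less", "awk", "env", "nmap",
                 "perl", "python", "python3", "tar", "bash", "sh"}

# Constructed `sudo -l` output (not copied from the screenshots above).
SAMPLE = """\
Matching Defaults entries for elyana on host:
    env_reset, mail_badpass

User elyana may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/socat
    (root) /usr/bin/systemctl status apache2
    (ALL : ALL) NOPASSWD: /usr/bin/find, /bin/cat /var/log/syslog
"""

# "(runas) [TAG: ...] command[, command ...]"
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")


def audit_sudo_listing(text):
    """Return (runas, command, nopasswd) for every risky rule in `sudo -l` output."""
    findings = []
    for line in text.splitlines():
        match = RULE.match(line)
        if not match:
            continue  # Defaults, headers and blank lines
        runas, tags, commands = match.groups()
        nopasswd = "NOPASSWD:" in tags
        for command in commands.split(","):
            command = command.strip()
            if not command:
                continue
            binary = command.split()[0]
            # A bare ALL grants every command; otherwise compare the basename.
            if binary == "ALL" or os.path.basename(binary) in SHELL_CAPABLE:
                findings.append((runas.strip(), command, nopasswd))
    return findings


if __name__ == "__main__":
    for runas, command, nopasswd in audit_sudo_listing(SAMPLE):
        auth = "no password" if nopasswd else "password required"
        print(f"REVIEW: ({runas}) {command} [{auth}]")
```

Any rule it reports should be removed or replaced with a narrowly scoped wrapper that does not accept user-controlled arguments.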

