# Poster

![](/files/-McWPpEdFrjT3HOP3ayk)

![](/files/-McWPlv1X6SOiPqdaI2Q)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**):

```
nmap -Pn 10.10.65.15
```

![](/files/-McWQKpylUvP49f1levY)

Detailed Nmap scan:

Command breakdown:

* (**-sV**): Service version
* (**-sC**): Default nmap scripts
* (**-p**): Specifying ports 22,80,5432
* (**-oN nmap**): Saving it into a file called nmap

```
nmap -sV -sC -p 22,80,5432 -oN nmap 10.10.65.15
```

![](/files/-McWQxuFt0YTOPXOI7Ny)

![](/files/-McWR4aafXlwP7ELQMkb)

## Enumeration

We are told to go to Metasploit and look for an auxiliary module that allows us to enumerate user credentials, so let's do that.

Let's start `Metasploit`:

```
msfconsole
```

![](/files/-McWRRG2egZ9ELa82ftQ)

Now let's look for the module.

![](/files/-McWSXT5nfvKtxZsP5RD)

It's the 4th one, so let's select it and set the options.

![](/files/-McWSmRRTUzCtPdfSyuQ)

Let's now run the enumeration tool.

![](/files/-McWSuSeCaSb1e72p6bw)

We have the username and password.

Let's answer the next 2 questions, as we have the answers.

![](/files/-McWTMh54j9yV0bOlUB6)

Now we have to find the module that will allow us to execute commands with the credentials we just found.

![](/files/-McWUIt_TdcUXZyaE0K7)

It is number 6, so let's select it and set the options.

![](/files/-McWVeB0y_LQnlfGqCj0)

Let's run it.

![](/files/-McWVk1FF5IyjWzLl6k6)

We have the version, so we can answer the next two questions.

![](/files/-McWW-ZfI0oJ-GEpxTE5)

Next we have to find the module that will dump user hashes.

![](/files/-McWWBL8kQdyXHaxwoo0)

This time it is number 8, so let's select it and set the options.

![](/files/-McWUYo95NKvX4l_LjWK)

Let's run it.

![](/files/-McWUdpUt2Y6JhQcI_GD)

We have 6 usernames and their hashed passwords, so we can answer the next two questions.

![](/files/-McWWXASTEA8dVPeeURL)

Next we have to find the module that will allow an authenticated user to view files of their choosing.

![](/files/-McWWcUmLAlsadEeu9uS)

This time it is number 5, so let's select it, set the options and run it.

![](/files/-McWXG2bdPlda_v9sRE4)

![](/files/-McWXKibqhxz18_bk4hV)

![](/files/-McWXOHEGeprAB6UeIMc)

Now we have to look for the module that allows arbitrary command execution.

![](/files/-McWXo2BeeUQa10YEZTu)

It is number 2, so let's select it and set the options. We can also answer the next two questions.

![](/files/-McWZjkwkEdzufYz8YS9)

![](/files/-McWY9WRexZdVfhYgjMn)

Let's run it.

![](/files/-McWYHezIpCEW2o7C4Sy)

Looking back at the usernames and credentials we found, we can try to cd into one of the users' directories and list the files.

![](/files/-McW_7R2SAYRHUYi4qb4)

This file looks interesting, so let's read it.

![](/files/-McW_ElRUM4KZGF-v8jf)

We have the password, so let's ssh into the machine.

![](/files/-McW_Un7ngTpL2RUu1fD)

## Privilege Escalation

We cannot read the user flag and do not have sudo permissions, so let's run `LinEnum.sh` on the machine to look for interesting files. First we have to start an HTTP server and download the file on the victim machine.

![](/files/-McWcN-W2ysqQhrHMhOI)

You can stabilize the shell with this command:

```
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

Now let's download the file. Make sure you are in the tmp folder, as other folders do not give permissions to download files.

![](/files/-McWctLySLCkAScSEdgR)

Let's make the script executable.

![](/files/-McWd-aeakfBgoDN80-J)

Now let's run it.

```
./LinEnum.sh
```

Long story short, I found nothing, and I even tried LinPEAS but found nothing interesting; maybe I am not looking at the right thing lol. Anyway, I remembered there was a web server running on the machine, so I went to `/var/www/html` to look for clues and found this interesting file.

![](/files/-McWecf9MicydqheKQzm)

Let's read it.

![](/files/-McWejDLcKKJBK8hBWnY)

We have the password for the user `Alison`, so let's switch users.

![](/files/-McWetIh-l137XoDglFB)

We have `sudo` permission on this user, so let's see what we can run.

![](/files/-McWf2ViXofA8wMkD_sY)

Looks like we can run all commands, so let's switch users to root.

![](/files/-McWfFV-u_1vV4l8QpBq)

We can now read the user flag and the root flag.

![](/files/-McWfPng8INIK1k4VoAD)
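
The escalation above depended on a file under `/var/www/html` that held a password and could be read by a low-privileged account. As an added example (not part of the original write-up), the script below audits a directory tree for that condition: world-readable files with credential-like assignments. The pattern, the function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit a directory tree
# (for example a web root) for world-readable files holding credentials.

# Credential-like assignments; this pattern is an assumption, tune it per codebase.
CRED_PATTERN='(pass(word|wd)?|secret|api_?key)[[:space:]]*(=>|=|:)[[:space:]]*[^[:space:]]+'

# audit_webroot DIR
# Prints "path:line" for every hit in a file readable by "other" (mode bit 004).
# Only the location is printed, so the audit log does not copy the secret.
audit_webroot() {
    find "$1" -type f -perm -004 -exec sh -c '
        pat=$1; shift
        for f in "$@"; do
            # -I skip binary files, -n line numbers, -E extended regex, -i ignore case
            grep -InEi "$pat" "$f" 2>/dev/null | cut -d: -f1 |
                while read -r n; do printf "%s:%s\n" "$f" "$n"; done
        done' sh "$CRED_PATTERN" {} + | sort
}

# Constructed sample tree: a leaky config, a harmless page, and a secret
# that is already restricted to its owner (so it must not be reported).
make_sample() {
    d=$(mktemp -d) || return 1
    printf '<?php\n$dbuname = "app";\n$dbpass = "CONSTRUCTED-EXAMPLE";\n' > "$d/config.php"
    printf '<h1>hello</h1>\n' > "$d/index.html"
    printf 'password: CONSTRUCTED-EXAMPLE\n' > "$d/private.yml"
    chmod 644 "$d/config.php" "$d/index.html"
    chmod 600 "$d/private.yml"
    printf '%s\n' "$d"
}

sample=$(make_sample) && audit_webroot "$sample"   # prints <tmpdir>/config.php:3
rm -rf "$sample"
```

Each reported file is remediated either by moving the secret out of the served tree or by restricting the file mode to the service account that needs it.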

