Empline — TryHackMe — WriteUp

Enumeration

Let’s start with NMAP scan.

  • SSH [22]

OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

No possible Exploit for this.

  • HTTP [80]
http://job.empline.thm/careers

Edit the /etc/hosts and add this sub domain.

  • MySQL

No Exploit or default or Weak passwords.

More Enumeration

  • Let’s see the job.empline.thm

Searched in google, and found a blog which gives an XXE.

Link: https://doddsecurity.com/312/xml-external-entity-injection-xxe-in-opencats-applicant-tracking-system/

by following the same process, i got the credentials from config.php

Let’s use the credentials to login to MySQL.

let’s crack the md5 hash of george with john. Use the same creds with SSH to login as george.

You can find the user.txt in george home folder.

Privilege Escalation

From the linpeas output i found a misconfig,

let’s exploit it.