Introduction
This is my write-up for TryHackMe’s Poster Room
Enumeration
Using nmap, I saw that this box has several ports open.
Using metasploit, I was able to get both the database user and password.
Using the credentials found, I was able to get the database version, a dump of the database user hashes and more. Below is a screenshot of the database version:
Exploitation
Still using Metasploit, I used an exploit module to get a reverse shell.
Running the exploit module, I was able to get a shell and get credentials for 1 user.
Using the credentials found, I then used SSH to connect to the target. I then found a config file which contained credentials for the 2nd user.
Using this set of credentials, I then ran “su” as the second user. I was then able to see the contents of the user.txt file.
Privilege Escalation
It turns out, this 2nd user had SUDO privileges. I was then able to access root.txt using this.
