Year Of The JellyFish #TryHackMe

Abdullah Shahbaz
May 1, 2021

Start your instance on TryHackMe.

Run an Nmap scan to enumerate the services running on the victim machine:

```````````````````````````````````````````````````````````````
# Nmap 7.91 scan initiated Wed Apr 28 21:56:26 2021 as: nmap -sV -sC -p- -oN scan.txt 54.154.242.221
Nmap scan report for jellyfin.thm (54.195.9.23)
Host is up (0.17s latency).
rDNS record for 54.195.9.23: robyns-petshop.thm
Scanned at 2021-04-28 21:56:27 IDT for 908s
Not shown: 65529 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.29
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://robyns-petshop.thm/
443/tcp open ssl/ssl Apache httpd (SSL-only mode)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Robyn's Pet Shop
| ssl-cert: Subject: commonName=robyns-petshop.thm/organizationName=Robyns Petshop/stateOrProvinceName=South West/countryName=GB/localityName=Bristol/emailAddress=robyn@robyns-petshop.thm
| Subject Alternative Name: DNS:robyns-petshop.thm, DNS:monitorr.robyns-petshop.thm, DNS:beta.robyns-petshop.thm, DNS:dev.robyns-petshop.thm
| Issuer: commonName=robyns-petshop.thm/organizationName=Robyns Petshop/stateOrProvinceName=South West/countryName=GB/localityName=Bristol/emailAddress=robyn@robyns-petshop.thm
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-28T18:29:28
| Not valid after: 2022-04-28T18:29:28
| MD5: 584b 76a5 3569 d36f f785 2ff7 fa89 8c83
| SHA-1: 2cb8 37e0 ae69 966b d930 de6c d5e2 f50c e983 5be5
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
8000/tcp open http-alt
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Content-Length: 15
|_ Request
|_http-title: Under Development!
8096/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| Connection: close
| Date: Wed, 28 Apr 2021 19:10:29 GMT
| Server: Kestrel
| Content-Length: 0
| X-Response-Time-ms: 0
| GenericLines:
| HTTP/1.1 400 Bad Request
| Connection: close
| Date: Wed, 28 Apr 2021 19:10:01 GMT
| Server: Kestrel
| Content-Length: 0
| GetRequest, HTTPOptions:
| HTTP/1.1 302 Found
| Connection: close
| Date: Wed, 28 Apr 2021 19:10:01 GMT
| Server: Kestrel
| Content-Length: 0
| Location: /web/index.html
| Help, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Connection: close
| Date: Wed, 28 Apr 2021 19:10:18 GMT
| Server: Kestrel
| Content-Length: 0
| Kerberos:
| HTTP/1.1 400 Bad Request
| Connection: close
| Date: Wed, 28 Apr 2021 19:10:19 GMT
| Server: Kestrel
| Content-Length: 0
| LPDString:
| HTTP/1.1 400 Bad Request
| Connection: close
| Date: Wed, 28 Apr 2021 19:10:30 GMT
| Server: Kestrel
| Content-Length: 0
| RTSPRequest:
| HTTP/1.1 505 HTTP Version Not Supported
| Connection: close
| Date: Wed, 28 Apr 2021 19:10:02 GMT
| Server: Kestrel
|_ Content-Length: 0
22222/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8d:99:92:52:8e:73:ed:91:01:d3:a7:a0:87:37:f0:4f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpLAsRYbJYyJ+bS8pAi+HpQupaD+Oo76UbITMFLP+pZyxM5ChxwyPbCYKIitboOoa3PWRe6V4UjBcOPtNujmv2tjCcETv/tp2QyuHPW6Go6ZzFDn0V8SUGhWIqwLge79Yp9FwG7y9tUxqnViQCJBfWtY5kJh11Iy/X4Arg1ifiT9FAExpVt3fgZl3HN6bxwyfFIQfxVqySgdQxSgqpVTU4Kc3pkZM1UL+c+kzfCYwiNJL0WHAYNl3u77H+Lp5J371BSJTWpaNS/bkS2KSqG/DPafCg4qhOn/rjDldHtQ3Eukcj0AGg/jBYbrYgAhsBXLJbhHTNTt4zrQe5sRArZ8ab
| 256 5a:c0:cc:a1:a8:79:eb:fd:6f:cf:f8:78:0d:2f:5d:db (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHcGmMvzfmx0EHLv5MLqqn0a4WVxxU7dcNq0F03HIZIY002BsPtaEXkbkcn5FdDsjDGuBWq+1JGB/xDI5py485o=
| 256 0a:ca:b8:39:4e:ca:e3:cf:86:5c:88:b9:2e:25:7a:1b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFpTk+WaMxq8E5ToT9RI4THsaxdarA4tACYEdoosbPD8
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr 28 22:11:35 2021 -- 1 IP address (1 host up) scanned in 909.55 seconds
```````````````````````````````````````````````````````````````

Check the FTP server: anonymous login is not allowed.

Check the web server.

We cannot access it; we have to modify /etc/hosts.

These additional domains were found in the scan output, in the certificate's Subject Alternative Name (jellyfin.thm and petshop will be found later).

Going through the domains, we find the Monitorr service running.

From there we get the jellyfin domain.

From reading GitHub, I was able to find

Going to login.php

I register myself.

Then click on _install.php: the user database has been uploaded. Then use those credentials to access the Monitorr settings.

Upload a web shell after bypassing the filter; for me, cmd.jpg.PHP works, where cmd.jpg.PHP contains

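A defensive illustration of why a name like cmd.jpg.PHP gets through a naive upload filter, next to a stricter check that rejects it. This is an added example, not code from the original write-up or from Monitorr: `weak_filter`, `strict_filter`, `stored_name` and both extension lists are hypothetical, and the weak filter is an assumed stand-in, not Monitorr's actual check.

```python
import os
import re
import secrets

ALLOWED_IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}
# Extensions a PHP-enabled web server may hand to the interpreter (assumed list).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht", "phps"}


def weak_filter(filename: str) -> bool:
    """Hypothetical weak check: case-sensitive blocklist, image extension anywhere."""
    if ".php" in filename:  # misses .PHP, .pHp, .phtml ...
        return False
    parts = filename.split(".")
    # Any segment counts, so the trailing .PHP in cmd.jpg.PHP is never examined.
    return any(p in ALLOWED_IMAGE_EXTS for p in parts[1:])


def strict_filter(filename: str) -> bool:
    """Accept only plain names whose every extension is harmless and whose last is an image type."""
    name = os.path.basename(filename.replace("\\", "/"))
    # Reject path components and anything outside a conservative character set.
    if name != filename or not re.fullmatch(r"[A-Za-z0-9._-]{1,100}", name):
        return False
    stem, *exts = name.lower().split(".")  # compare case-insensitively
    if not stem or not exts:  # dotfiles such as .htaccess, or no extension at all
        return False
    if any(e == "" or e in EXECUTABLE_EXTS for e in exts):  # check every segment
        return False
    return exts[-1] in ALLOWED_IMAGE_EXTS


def stored_name(filename: str) -> str:
    """Server-chosen name: random stem plus the validated final extension."""
    if not strict_filter(filename):
        raise ValueError("rejected upload name")
    ext = filename.lower().rsplit(".", 1)[1]
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample names; cmd.jpg.PHP is the one from the write-up.
    for sample in ["cat.jpg", "cmd.jpg.PHP", "cmd.php", ".htaccess", "../cat.jpg"]:
        print(f"{sample!r:16} weak={weak_filter(sample)!s:5} strict={strict_filter(sample)}")
```

Name checks are only one layer: the upload directory should also be served with script execution disabled, and the file content verified as an image before it is stored.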