HA of VulnHub Shooting Range: NARAK

HA of VulnHub Shooting Range: NARAK

First scan the surviving host ip:

Execution command: nmap -sV -p 1-65535 192.168.198.148

First check port 80, which is a web page:

Directory scan:

Found a 401 login page, use cewl to generate a dictionary:

Use hydra to blast it, hydra -L woldlist.txt -P woldlist.txt 192.168.198.148 http-get /webdav
get the account password yamdoot:Swarg:

Successfully entered:

There is no idea behind,,,emmmm , I searched webdav: It

seems that you can read and write directly to the web server? ? ? ? How to use it? ? ? ? Find a tool cadaver client program:

Upload shell.php:

monitor, access it, and get the shell:

Get interactive shell: python3 -c 'import pty;pty.spawn("/bin/bash")':

The next step is how to enhance the authority of the newer ,,, like:

after a look at the various documents found before we broke login password account, it seems no use:

and then found a hell.sh ?? Check:

brainfuck~~ Decode and get something similar to the account password chitragupt::

Check the user, three:

try to log in to ssh separately, luck is good, the first inferno goes in:

Check the file content, it is not root authority : I

was at a loss for a while, and I found write up on the back! After seeing the original use of the motd, is to modify the root password by modifying the banner displayed when ssh Online:

Go to the directory, modify the 00-header files echo "echo 'root:admin' | sudo chpasswd" >> 00-header:

Log again, su root just change the password:

mention the right Success, read the flag:

summary

I also learned a method of escalation of rights,,, but here is because the file can be written to lead to the success of the escalation of rights.
If 00-header is not writable, then,,,, but because of the shooting range, there are still gains. ! ! !