VulnHub range: HA: NARAK
First, scan for the live host IP, then enumerate its ports:
Command run: nmap -sV -p 1-65535 192.168.198.148
First check port 80, which serves a web page:
Directory scan:
Found a 401 (authentication required) login page; use cewl to generate a wordlist from the site:
Brute-force it with hydra: hydra -L woldlist.txt -P woldlist.txt 192.168.198.148 http-get /webdav
This yields the credentials yamdoot:Swarg
Logged in successfully:
I had no idea what to do next, so I searched for WebDAV: it seems you can read and write files directly on the web server? How do you use it? I found a client tool, cadaver:
Upload shell.php:
Start a listener, access the file, and get a shell:
Get an interactive shell: python3 -c 'import pty;pty.spawn("/bin/bash")'
The next step is privilege escalation. I looked around:
After looking through the various files, I found the login account password we cracked earlier, which seemed to be of no use:
Then I found a hell.sh. Check it:
It's Brainfuck. Decoding it gives something that looks like the account password chitragupt
Check the users; there are three:
Try logging in via SSH as each one in turn. Luck was good: the first one, inferno, gets in:
Check the file contents; it is not root privilege. I was at a loss for a while, then I found a write-up online. After reading it, the original method uses the MOTD: modify the banner displayed on SSH login to change the root password:
Go to the directory and modify the 00-header file: echo "echo 'root:admin' | sudo chpasswd" >> 00-header
Log in again, then su root with the changed password:
Privilege escalation succeeded; read the flag:
Summary
I also learned a privilege-escalation method, but here it succeeded because the file was writable.
If 00-header were not writable, then... but since this is a practice range, there were still gains!
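As an added defensive check (not part of the original writeup), the script below audits the MOTD script directory for the condition this escalation depends on: a script that a non-root user can edit, or a directory a non-root user can add scripts to. It assumes the Ubuntu/Debian default path /etc/update-motd.d, a POSIX sh, find(1) and id(1).

```shell
#!/bin/sh
# Added defensive check, not part of the original walkthrough.
# Every script in /etc/update-motd.d runs as root on each SSH login, so
# one that a non-root account can edit (the writable 00-header in the
# writeup) hands that account root. This audit flags scripts that are
# group- or world-writable, scripts not owned by the expected owner, and
# a directory that is itself writable (anyone could drop in a new script).
# Assumes POSIX sh with find(1); /etc/update-motd.d is the Ubuntu default.

# audit_motd_dir DIR [OWNER]: prints findings; returns 0 if clean,
# 1 if anything is flagged, 2 if DIR does not exist.
audit_motd_dir() {
    dir="${1:-/etc/update-motd.d}"
    owner="${2:-root}"
    bad=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    # The directory itself: group/world writable means new scripts can be added.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "WRITABLE DIR: $dir"
        bad=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Group- or world-writable script (mode bits 020 / 002).
        if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE: $f"
            bad=1
        fi
        # Owned by someone other than the expected owner (default root).
        if [ -n "$(find "$f" ! -user "$owner" -print)" ]; then
            echo "NOT OWNED BY $owner: $f"
            bad=1
        fi
    done
    return "$bad"
}

# Usage: sh audit_motd.sh [DIR] [OWNER]
if [ "$#" -gt 0 ]; then
    audit_motd_dir "$@"
fi
```

A non-zero exit is the signal to fix ownership and mode (root:root, 0755) before the next login runs the script as root.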