Table of Contents
Information gathering
Host discovery
Port scan
Only port 80:
Directory scan
Visit every accessible path:
Homepage:
nothing/pass:
secure/:
Vulnerability discovery
A password-dictionary-like file and a zip file are found.
Download the zip file:
A password is required; the password obtained earlier, freedom, works. The extracted file has an .mp3 extension but cannot be played:
Open it as text:
A username and a back-end login page are obtained; open it:
Logging in as diana succeeds.
The website framework is PlaySMS.
Search for CMS vulnerabilities:
Three of the results are Metasploit modules; use msf:
Use the first one and set the options:
Success.
The second and third ones also succeed.
Privilege escalation
First get a reverse shell with nc:
Use Dirty COW to escalate privileges (attempts via find and sudo were unsuccessful):
Change to the /tmp directory, start an HTTP server on Kali, download with wget, then compile and run.
Summary
Use the information already known to obtain more information (chained information gathering).
Use version vulnerabilities.