Vulnhub-drippingblues

Environment

Kali: 192.168.235.148

Target machine: placed on the same network segment as Kali

Download link

Penetration process

If you don't know the address of the target machine, scan the segment with nmap first

nmap -sP 192.168.235.0/24

The target machine's address is found: 192.168.235.132

Continue by scanning its ports

nmap -A 192.168.235.132

Ports 22 (SSH), 21 (FTP) and 80 (HTTP) are open

FTP

FTP (File Transfer Protocol) is used for two-way transfer of files over the Internet; the name is also used for the client application.

In the TCP/IP protocol suite, FTP's standard command port is TCP 21, and the data port in PORT (active) mode is 20. The task of the FTP protocol is to transfer files from one computer to another, regardless of where the two computers are located, how they are connected, or even whether they use the same operating system.

FTP runs over TCP, so a three-way handshake is performed before a connection is established. The FTP server is more involved, however, because it uses two connections, a command channel and a data channel; since both are TCP, each needs its own three-way handshake.

Try logging in to the FTP service anonymously

anonymous

The login succeeds without a password; ls shows a zip file, so download it

get respectmydrip.zip

Opening it, a password is required, so use fcrackzip, which comes with Kali, to brute-force it

fcrackzip -D -p rockyou.txt -u respectmydrip.zip

Here rockyou.txt is the wordlist that ships with Kali

The recovered password is 072528035, and the txt contents can now be viewed

There is also an encrypted archive inside, but it cannot be cracked

HTTP (80)

Visit port 80

Nothing there, so scan its directories

dirsearch -u http://192.168.235.132/

There is a robots.txt; visit it to see

Continue by looking at /dripisreal.txt

Contents of the file:

hello dear hacker wannabe,

go for this lyrics:

https://www.azlyrics.com/lyrics/youngthug/constantlyhating.html

count the n words and put them side by side then md5sum it

ie, hellohellohellohello >> md5sum hellohellohellohello

it’s the password of ssh


This should be how the SSH password is derived

Next look at /etc/dripispowerful.html

This should be a file on the server, not a page reachable directly through the web site

In that case there should be a file inclusion vulnerability here.

Testing index.php directly, the page exists, so the parameter name needs to be found

Here the hint from the txt downloaded from the FTP service above comes in

Use drip as the parameter for file inclusion

This confirms a file inclusion vulnerability; continue by reading /etc/dripispowerful.html

Translation of the page:

The password is: imdrippinbiatch driftingblues was hacked again so it is now called drippingblues. D: Hahaha

pass

Travisscott & thugger

The password is imdrippinbiatch; testing accounts, the username should be one of Travisscott or thugger
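As an added defensive example (not part of the original post), the following Python scans web-server access logs for file-inclusion requests of the kind made above, watching the drip parameter for traversal sequences and absolute system paths. The log lines are constructed for illustration; the host and parameter name mirror this walkthrough.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
192.168.235.148 - - [03/Apr/2023:19:41:42 +0000] "GET /index.php?drip=/etc/dripispowerful.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.235.148 - - [03/Apr/2023:19:41:50 +0000] "GET /index.php?drip=../../../../etc/passwd HTTP/1.1" 200 1834 "-" "curl/7.88"
192.168.235.148 - - [03/Apr/2023:19:42:01 +0000] "GET /index.php?drip=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1834 "-" "curl/7.88"
10.0.0.7 - - [03/Apr/2023:19:43:10 +0000] "GET /index.php?drip=welcome HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Apr/2023:19:43:15 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

# Fields we need from each combined-format line: client IP, timestamp, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators that a parameter value names a file system path rather than a page.
LFI_PATTERNS = [
    (re.compile(r'(\.\./|\.\.\\)'), 'path traversal'),
    (re.compile(r'^/(etc|proc|var|root|home)/'), 'absolute system path'),
]


def classify_value(value):
    """Return the indicator names matched by a query value (double-decoded)."""
    decoded = unquote(unquote(value))  # parse_qs decodes once; catch double encoding too
    return [name for pat, name in LFI_PATTERNS if pat.search(decoded)]


def scan_access_log(text, watched_params=('drip',)):
    """Return (ip, timestamp, param, value, reasons) for suspicious include requests."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlparse(m['path']).query, keep_blank_values=True)
        for param in watched_params:
            for value in qs.get(param, []):
                reasons = classify_value(value)
                if reasons:
                    hits.append((m['ip'], m['ts'], param, value, reasons))
    return hits


if __name__ == '__main__':
    for ip, ts, param, value, reasons in scan_access_log(SAMPLE_LOG):
        print(f'{ts} {ip} {param}={value!r}: {", ".join(reasons)}')
```

In a real deployment the same check belongs in the application itself: include only names from a fixed allowlist instead of a caller-supplied path.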

SSH

Account: thugger

Password: imdrippinbiatch

Connection succeeded

Then ls shows a user.txt in this directory

MD5 decryption

Look at the running processes

ps -ef

polkitd can be used to escalate privileges

polkitd privilege escalation

Find the privilege escalation script

https://github.com/Almorabea/Polkit-exploit

Download it to the target machine

After running it, you get root privileges

Finally, find the flag in the root directory

Source: blog.csdn.net/qq_63928796/article/details/129938616