HTB openadmin writeup

This is a record of my first Hack The Box machine. I leaned on other people's writeups to get through it, but it was still very rewarding.

I won't say much about Hack The Box itself; anyone planning to sit the OSCP should practise here. I'm getting ready for the exam myself......

For a first box, pick an easy one so you get a taste of success. So I went with the following machine.

From the difficulty chart you can see this is supposed to be a relatively easy box (or so they say), but for a beginner like me it was still far from trivial.

Step one: run a quick nmap sweep. The results are below.

Port 80 is open. Visiting it shows OpenNetAdmin, a network-management web application, and the page also reveals its version.

Without further ado, check Kali for a matching exploit. searchsploit opennetadmin gives the following results.

There are three hits. The first is for a different version; of the other two, one is a command-injection module and the other a remote code execution script. Try the last one directly:

./47961.sh http://10.10.10.171/ona/login.php. It failed at runtime. Reading the error, the script had apparently been written on Windows, and Windows line endings (CRLF) differ from Linux ones (LF), so the shell could not parse it. Converting it with dos2unix ./47961.sh fixes the line endings and makes it runnable. Running it again gives a shell.

With the shell, check the current user: whoami returns www-data, which has very limited rights. The nmap results showed port 22 open as well, so the goal is now to find an SSH user and a password.

ls -la /home/ shows two user folders, jimmy and joanna, and cat /etc/passwd confirms the same two users.

Next comes information gathering: look for anywhere a password might be stored. Eventually I found the database configuration file local/config/database_settings.inc.php, and the password is in there. Trying that password for the jimmy user: login successful.
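The two enumeration steps above (who can log in, and where a password is stored in web-app configuration) are the kind of thing worth scripting from a www-data shell. Here is an added example, not code from the original writeup: one function lists accounts with a real login shell from a passwd-format file, the other greps a directory tree for password-looking configuration keys. The passwd file and the database_settings.inc.php below are constructed for the demo (the password in it is a placeholder); on a target you would point the functions at /etc/passwd and the web root instead.

```shell
#!/bin/sh
# Added example (not from the original writeup): two small post-exploitation
# checks from a low-privilege shell. The sample passwd file and config file
# below are constructed for the demo; on a real target point the functions
# at /etc/passwd and the web application directory instead.

# List accounts that have a real login shell (candidates for ssh).
login_users() {
    # $1 = path to a passwd-format file
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 }' "$1"
}

# Grep a directory tree for configuration keys that typically hold passwords.
hunt_creds() {
    # $1 = directory to search; only config-like file types are examined
    grep -rIin -E '(passw(or)?d|db_pass|secret)' \
        --include='*.php' --include='*.ini' --include='*.conf' "$1" 2>/dev/null
}

# --- constructed demo fixture ---
demo_root=$(mktemp -d)
cat > "$demo_root/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
joanna:x:1001:1001:joanna:/home/joanna:/bin/bash
EOF
mkdir -p "$demo_root/www/local/config"
cat > "$demo_root/www/local/config/database_settings.inc.php" <<'EOF'
<?php
$ona_contexts = array('DEFAULT' => array('databases' => array(0 => array(
    'db_login'  => 'ona_sys',
    'db_passwd' => 'PLACEHOLDER-NOT-THE-REAL-ONE',
))));
EOF

login_users "$demo_root/passwd"     # root, jimmy, joanna
hunt_creds "$demo_root/www"         # the db_passwd line, with file and line number
```

On the demo fixture the first call prints root, jimmy and joanna (daemon and www-data are filtered out by their nologin shell), and the second points straight at the db_passwd line in the database settings file. Remove the temporary directory when done.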

Once logged in as jimmy there is no flag in his home directory; the flag requires the joanna user. So, information gathering again. Gather information, gather information, gather information: the important thing is said three times, because enumeration runs through the whole engagement. Eventually I found an important file, main.php, in the /var/www/internal/ directory.

Executing it produces a private key that can log in as joanna. But as the directory name suggests, it is clearly not reachable from outside, so more enumeration is needed. Looking at the Apache configuration turns up /etc/apache2/sites-available/internal.conf, which restricts access by IP so that only the machine itself can reach the site. So fetch it locally: curl http://127.0.0.1/main.php, which returns the private key.
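A localhost-only site like the one above is a common pattern, so here is an added example (not the writeup's own code) of enumerating it from the foothold shell: it parses Apache site configs for virtual hosts bound to loopback, which are the ones you reach with curl on the box itself or through an SSH local port forward. The two vhost files are constructed for the demo; the address, port and server name in them are placeholders, not taken from the real internal.conf.

```shell
#!/bin/sh
# Added example (not from the original writeup): from a foothold shell, list
# Apache virtual hosts that only listen on loopback, which is where an
# "internal" site hides. The vhost files below are constructed for the demo;
# on a target point the function at /etc/apache2/sites-enabled instead.

# Print "address:port document_root" for every <VirtualHost> in a directory.
vhost_listeners() {
    # $1 = directory containing Apache site configs
    awk '
        /^[ \t]*<VirtualHost/ {
            gsub(/[<>]/, "")       # "<VirtualHost 127.0.0.1:8080>" -> fields
            addr = $2
        }
        /^[ \t]*DocumentRoot/ { print addr, $2 }
    ' "$1"/*.conf
}

# Keep only entries bound to loopback. These are reachable from the box itself
# (curl http://127.0.0.1:PORT/...) or via an SSH local port forward
# (ssh -L PORT:127.0.0.1:PORT user@target), but not from the outside.
loopback_only() {
    vhost_listeners "$1" | grep -E '^(127\.|localhost)'
}

# --- constructed demo fixture ---
conf_dir=$(mktemp -d)
cat > "$conf_dir/000-default.conf" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/html
</VirtualHost>
EOF
cat > "$conf_dir/internal.conf" <<'EOF'
Listen 127.0.0.1:8080
<VirtualHost 127.0.0.1:8080>
    ServerName internal.example
    DocumentRoot /var/www/internal
    <Directory /var/www/internal>
        Require local
    </Directory>
</VirtualHost>
EOF

loopback_only "$conf_dir"     # 127.0.0.1:8080 /var/www/internal
```

The public vhost on *:80 is listed by vhost_listeners but dropped by loopback_only, leaving just the internal site and its document root, which tells you both what to curl and where the source lives on disk. Remove the temporary directory when done.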

With the private key in hand, its passphrase still has to be cracked before joanna can log in.

The snag is that john cannot read the key file directly; it first has to be converted into john's hash format (the sshjohn file below is that converted output). Then it goes like this:

Crack: john --wordlist=/usr/share/wordlists/rockyou.txt sshjohn

Password: bloodninjas

Try to log in: ssh -i ssh.txt -l joanna 10.10.10.171, but this gives the error below.

A quick search shows that ssh refuses the key because ssh.txt has permissions that are too open; after chmod 600 ssh.txt the login works. Log in again with the passphrase bloodninjas and it succeeds; user.txt is in /home/joanna/. That's the user flag. Next is getting root access to read the root flag.
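Both file-format problems in this writeup (the CRLF line endings that needed dos2unix earlier, and the key file permissions that ssh rejected here) are worth fixing in one go whenever a key is copied out of a web page or off a Windows host. The following is an added example, not the author's code: it strips carriage returns, ensures a final newline, sets mode 600 and sanity-checks the header. The key in the fixture is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the original writeup): clean up a private key copied
# from a web page or a Windows host before handing it to ssh. It handles the
# two things that tripped up the author: CRLF line endings (the dos2unix
# problem) and a key file readable by other users, which ssh rejects with
# "UNPROTECTED PRIVATE KEY FILE". The key below is a constructed placeholder.

prep_ssh_key() {
    # $1 = path to the key file; returns 1 if the file doesn't look like a key
    key="$1"
    # strip carriage returns and make sure the file ends with a newline
    sed -i 's/\r$//' "$key"
    if [ -n "$(tail -c1 "$key")" ]; then
        printf '\n' >> "$key"
    fi
    # ssh ignores keys that are readable by anyone but the owner
    chmod 600 "$key"
    head -n1 "$key" | grep -q '^-----BEGIN .*PRIVATE KEY-----$' || return 1
}

# --- constructed demo fixture: CRLF endings, no final newline, mode 644 ---
demo_key=$(mktemp)
printf '%b' '-----BEGIN RSA PRIVATE KEY-----\r\nProc-Type: 4,ENCRYPTED\r\nDEK-Info: AES-128-CBC,0123\r\n\r\nQUJDREVGRw==\r\n-----END RSA PRIVATE KEY-----' > "$demo_key"
chmod 644 "$demo_key"

prep_ssh_key "$demo_key" && echo "key ready: $demo_key"
```

After the call the file has LF endings, a trailing newline and mode 600, so ssh -i will accept it; a file that does not start with a BEGIN ... PRIVATE KEY header makes the function return 1, which catches the case where the curl output included HTML around the key.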

Check whether sudo can be used: sudo -l shows the following.

The last line shows what can be run as root without a password.

Command: sudo /bin/nano /opt/priv

Since nano is now running as root it can read any file, /root/root.txt included (Ctrl+R inserts a file into the buffer), and the GTFOBins entry for nano also shows how to drop from it into a root shell. Get the flag.
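Reading sudo -l output by eye is fine on one box, but the NOPASSWD entries are the part that matters, and editors like nano are a known shell escape. Here is an added example (not the writeup's code) that extracts the password-less commands from sudo -l output and flags binaries GTFOBins documents as escapes. The sample output is constructed to mirror the shape of sudo -l, and the apt entry in it is a made-up extra line, not something from the box.

```shell
#!/bin/sh
# Added example (not from the original writeup): pull the NOPASSWD entries out
# of `sudo -l` output so the privilege-escalation candidates stand out. The
# sample below is constructed; on a real target pipe in `sudo -l 2>/dev/null`.

# Print one command per line that the user may run without a password.
nopasswd_cmds() {
    # reads sudo -l output on stdin; entries start after the "may run" header
    awk '
        /may run the following commands/ { in_cmds = 1; next }
        in_cmds && /NOPASSWD:/ {
            sub(/.*NOPASSWD:[ \t]*/, "")        # drop "(ALL) NOPASSWD: "
            n = split($0, parts, /,[ \t]*/)     # several commands per line
            for (i = 1; i <= n; i++) print parts[i]
        }
    '
}

# Keep entries whose binary is a well-known shell escape (editors, pagers,
# interpreters); each of these has a GTFOBins sudo entry.
flag_escapes() {
    grep -E '^(/usr)?/bin/(nano|vi|vim|less|more|man|python[0-9.]*|perl|bash|sh)( |$)'
}

# --- constructed demo input (apt line is made up for the demo) ---
demo_sudo_l='Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) /usr/bin/apt'

printf '%s\n' "$demo_sudo_l" | nopasswd_cmds | flag_escapes   # /bin/nano /opt/priv
```

The apt entry is dropped because it requires a password, and nano is flagged because it is an editor; the argument /opt/priv is kept so you can see which file the rule is scoped to, which does not matter here since nano can open other files once it is running as root.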

 


Origin blog.csdn.net/CN_DS/article/details/104794897