vulnhub ~ Djinn: 2

  • This challenge is hard. Compared with Djinn: 1, as the author puts it, there are many similarities. Again, start with the open ports:

   You can see five open ports. Port 1337 is the web, and it is the same as in djinn1: write your wish, but it is sent to god.

  • So dirb was run against port 7331, with the following results:

From this information it is clear that the source should be downloaded. Downloading it gives the following file (only the key part is pasted):

The author tells me this request is the key, and says RCE may well be usable here. At the beginning I naively thought of changing the script to connect to a server and running it, but after trying for a long time I could not connect. An expert then gave me a little inspiration, and the RCE journey began:

  • Step one:

Knowing this, you should know how to proceed.

  • Step two: use msfvenom to build an .elf file and download it to the target machine.

After these three commands finish, the shell can be seen in /tmp on the target machine. (Note that the -O here is a capital letter, otherwise you will find the file cannot be executed; the specific reason can be learned from wget -h.) Connect with msf to get the file shown in the figure.

See that Nitu.kdbx file? Download it to the attack machine and open it with keepass2; you will find that the earlier creds.txt is useful, and logging in gives nitish: & HtM $ Gd $ LJB. At this point, not being in a proper shell window feels awful. Quickly switch to the powerful ssh, which is really nice.

After running netstat, port 2843 was found to be open, so the next step was to try listening on it:

  • Step three: reverse connection script

(Just replace the id above with this statement.)

Listening on the client then gets a shell as ugtan. Now look at the mail in /var/mail/ugtan, which leads to creating clean.sh in the directory /best/admin/ever/ with the same script statement as above (on a different port). Execute it (do not forget +x), and finally the listener gets root privileges.
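A defender-side check for the weakness this last step relies on, as an added example that is not part of the original writeup. It assumes a root-run job executes /best/admin/ever/clean.sh (the writeup does not show the job); the function name `audit_exec_path` and the temporary demo tree are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_exec_path(path, trusted_uids=frozenset({0})):
    """Return (component, reason) findings for a script a privileged job runs.

    Every component from the script up to / is checked: whoever can write
    any of them decides what the job executes.
    """
    findings = []
    current = os.path.abspath(path)
    while True:
        try:
            st = os.stat(current)
        except FileNotFoundError:
            # A missing script can be created by anyone able to write its parent.
            findings.append((current, "missing"))
        else:
            if st.st_uid not in trusted_uids:
                findings.append((current, "owner uid %d is not trusted" % st.st_uid))
            if st.st_mode & stat.S_IWGRP:
                findings.append((current, "group-writable"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((current, "world-writable"))
        parent = os.path.dirname(current)
        if parent == current:
            return findings
        current = parent

def demo():
    """Constructed tree that mirrors the writeup's path with a weak final directory."""
    base = os.path.realpath(tempfile.mkdtemp())
    ever = os.path.join(base, "best", "admin", "ever")
    os.makedirs(ever)
    os.chmod(ever, 0o777)  # constructed weak setting, not taken from the VM
    script = os.path.join(ever, "clean.sh")  # deliberately not created
    # The demo treats the current user as trusted so only mode problems show.
    hits = audit_exec_path(script, frozenset({0, os.getuid()}))
    return [h for h in hits if h[0].startswith(base)]

if __name__ == "__main__":
    for component, reason in demo():
        print(reason + ": " + component)
```

On a real host, run it as root against each script path referenced by root's scheduled jobs and keep the default `trusted_uids`.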

 


Origin www.cnblogs.com/wlpk/p/12514218.html