Ping
ping 10.10.10.84
We can ping the machine.
Nmap Default Scan
nmap 10.10.10.84 -oN dnmap

Script and Service scan
nmap 10.10.10.84 -sV -sC -p22,80 -oN snmap

All port Scan
nmap 10.10.10.84 -p- --open -T5 -sV -sC -oN anmap

On Port 80
Looks like we have file read permission.
Let's check by reading /etc/passwd.
Yes, it worked! We can see there is a user named Charix.
First we will read all the files listed on the site. While reading listfiles.php,
we can see there is another file we can read, pwdbackup.txt.
We will read that.
Looks like we found a base64-encoded password.
After decoding it 13 times, we get the plain-text password of charix.

Now we will try to SSH to the machine.

We can get the user.txt file.

After trying all privilege escalation methods, I landed on a dead end. So I listed the ports that are listening on localhost.
sockstat -4 -l
We can see there is VNC on 5901 and 5801.
We already have a secret file for the password, which we extracted from secret.zip.

Now I want to get the loopback port 5901 over to my Kali machine.
ssh -L 5901:localhost:5901 charix@10.10.10.84
Now we can reach port 5901 from our Kali machine.
So I transferred the secret file to my Kali machine and used vncviewer.
vncviewer -passwd secret 127.0.0.1:5901

I got a new session as root in vncviewer.
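
The sockstat step above doubles as an audit check: a service that runs as root and listens only on 127.0.0.1 is still reachable by every local account, and through SSH port forwarding from that account's own machine. The Python below is an added example, not part of the original writeup; the sockstat lines are constructed sample input in the FreeBSD column layout and the function names are hypothetical.

```python
"""Audit check: root-owned services listening only on loopback (sockstat -4 -l)."""
import ipaddress

# Constructed sample in FreeBSD sockstat layout; not captured from the machine.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      711   4  tcp4   *:80                  *:*
root     sshd       620   4  tcp4   *:22                  *:*
root     Xvnc       529   1  tcp4   127.0.0.1:5901        *:*
root     Xvnc       529   3  tcp4   127.0.0.1:5801        *:*
root     sendmail   642   3  tcp4   127.0.0.1:25          *:*
"""


def parse_sockstat(text):
    """Yield (user, command, host, port) per socket line; skip header/garbage."""
    for line in text.splitlines():
        fields = line.split()
        # Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
        if len(fields) < 7 or fields[0] == "USER":
            continue
        host, _, port = fields[5].rpartition(":")
        if port.isdigit():
            yield fields[0], fields[1], host, int(port)


def is_loopback(host):
    """True for 127.0.0.0/8; the wildcard '*' and unparsable hosts are not loopback."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def root_loopback_listeners(text):
    """Return (command, port) for root-owned sockets bound only to loopback."""
    return [(cmd, port) for user, cmd, host, port in parse_sockstat(text)
            if user == "root" and is_loopback(host)]


if __name__ == "__main__":
    for cmd, port in root_loopback_listeners(SAMPLE):
        print(f"review: {cmd} runs as root on 127.0.0.1:{port}; "
              "any local account with SSH port forwarding can reach it")
```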

I added my public key to authorized keys, SSHed to the machine as root and got an SSH session as root.
cp /root/.ssh/id_rsa .
chmod 600 id_rsa
ssh root@10.10.10.84 -i id_rsa

And finally got root.txt

We are done with Poison…:)