We scan the host with nmap -A -T4 -p- 192.168.1.7 -vv
Dirb search results
I found an encoded string inside the page http://192.168.1.7/bhaskara.html
This is base64; decoding it gave a path, /bhaskara. Visiting that path gave us a file to download.
The file is encrypted somehow. I tried different methods and TrueCrypt worked, but it needs a password, so we first have to extract the hash from the file using a John the Ripper tool called Truecrypt2john.py (google it).
python true.py bhaskara > hash
Now the password is Xavier, let's use it to extract the file.
Then I downloaded all the images to my machine and started to extract the information from them. I suspected one image above all, Aryabhata.jpg, as it has a different name and is not shown on the main page.
Using the command steghide
Running dirb with -X php also returned a result:
Trying the page with an LFI payload, ?file=../../../etc/passwd, returned:
As we can see from the output, there is only one user, isro.
Now, following this article, I was able to upload a shell to the host and get a connection back to it:
Using Burp Suite we can repeat the request to the page connect.php and upload our shell there; we are going to try this method as it worked for me.
This is what Burp Suite looks like after we encode our shell.php code, generated by msfvenom, to base64.
We use msfconsole to get a shell with the settings in the shell.php file
Then we break out of the restricted shell with python3 -c 'import pty;pty.spawn("/bin/bash")'
As we can see, we can add a new user with root privileges.
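From the defender's side, the web stage of this chain (an LFI probe of ?file=, followed by a POST to connect.php to drop a shell) leaves a recognisable trace in the access log. The following detector is an added example, not code from the original write-up; the log lines are constructed, and /index.php is an assumed name for the page that takes the ?file= parameter.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original write-up); /index.php is an assumed page name.
SAMPLE_LOG = """\
192.168.1.50 - - [10/Oct/2023:10:01:02 +0000] "GET /index.php?file=about HTTP/1.1" 200 512
192.168.1.50 - - [10/Oct/2023:10:01:09 +0000] "GET /index.php?file=../../../etc/passwd HTTP/1.1" 200 1843
192.168.1.50 - - [10/Oct/2023:10:01:15 +0000] "GET /index.php?file=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1843
192.168.1.50 - - [10/Oct/2023:10:02:30 +0000] "POST /connect.php HTTP/1.1" 200 77
192.168.1.60 - - [10/Oct/2023:10:03:00 +0000] "GET /bhaskara.html HTTP/1.1" 200 2048
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3}')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')          # ../ or ..\ after decoding
SENSITIVE_FILES = ('/etc/passwd', '/etc/shadow', '/proc/self/environ')
UPLOAD_ENDPOINTS = ('/connect.php',)             # upload handler named in the write-up

def fully_decode(path):
    """URL-decode until the value stops changing, so double-encoded ../ (%252F) is caught too."""
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify_request(line):
    """Return (ip, tag) for a suspicious request, or None for benign or unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path = m.group('ip'), m.group('method'), fully_decode(m.group('path'))
    if TRAVERSAL_RE.search(path) or any(f in path for f in SENSITIVE_FILES):
        return ip, 'lfi-traversal'
    if method == 'POST' and path.split('?', 1)[0] in UPLOAD_ENDPOINTS:
        return ip, 'upload-post'
    return None

def suspicious_clients(log_text):
    """IPs that both probed for LFI and posted to the upload handler: the chain from the write-up."""
    tags = defaultdict(set)
    for line in log_text.splitlines():
        hit = classify_request(line)
        if hit:
            tags[hit[0]].add(hit[1])
    return sorted(ip for ip, t in tags.items() if {'lfi-traversal', 'upload-post'} <= t)

if __name__ == '__main__':
    print(suspicious_clients(SAMPLE_LOG))   # ['192.168.1.50']
```

A single traversal hit is worth an alert on its own; the per-IP correlation just ranks the client that went on to use the upload handler higher.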