Date
Apr 3, 2024 → Apr 4, 2024
Tag
Web
Linux
Local privilege escalation
Brain teaser
FTP
ELF
Scan
port
21 | FTP
22 | SSH
80 | HTTP
21 | FTP
This FTP server allows anonymous login.
Found the file secret_stuff.txt but don't know what to do with it, so change target.
80 HTTP
The image has no useful information.
dirbsearch
path /robots.txt
Path /secret
The image doesn't have any info.
We need to go back to FTP.
back to FTP
Looking at that file again, it turns out to be a Wireshark capture file, so we can analyze it further.
Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P\n
After trying everything, it turns out sup3rs3cr3tdirlol is a web path!!!!!!!
no file under the path
download file roflmao
It is an ELF file.
I need a hint
strings roflmao
We can find the sentence “Find address 0x0856BF to proceed”.
Here we have two choices: 1. it is an address in the data, 2. it is a web path.
Let's try the web path first, since it is easier than the other way.
Nice choice!
Enumeration
Tried hydra to brute-force SSH.
No result; also tried it as a web path.
Hint 2
Use another brute-force approach for SSH and think more: the path says the pass is contained in the folder, so if the info inside the txt file isn't the password, then what about the file name?
FOUND!
Username | Password |
overflow | Pass.txt |
Hint 3
Since it kicks us offline, the machine must have a crontab. I tried but cannot access it, so we can try to find the cron log.
We can see there is a scheduled task running every 2 min.
We can see this Python file can be edited by us, so we can add a one-line reverse shell to it.
WALA!!!!
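The last step works because a scheduled task runs a Python file that a low-privileged user can edit. The following is an added example, not part of the original notes, of how a defender could audit for that condition. It assumes /etc/crontab-style lines (schedule, user, command); the function names and the sample files it creates in a temp directory are constructed for illustration.

```python
import os, stat, tempfile

def cron_command_paths(crontab_text):
    """Absolute paths named in the command field of /etc/crontab-style lines."""
    paths = []
    for line in map(str.strip, crontab_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        n_sched = 1 if line.startswith("@") else 5  # "@reboot" vs five time fields
        fields = line.split(None, n_sched + 1)      # schedule, user, command
        if len(fields) < n_sched + 2:
            continue  # variable assignment (PATH=...) or malformed line
        paths += [t for t in fields[-1].split() if t.startswith("/")]
    return paths

def writable_by_others(path):
    """Reasons a non-owner could change what cron runs at `path` (empty if none)."""
    try:
        mode = os.stat(path).st_mode
        parent = os.stat(os.path.dirname(path)).st_mode
    except OSError:
        return []
    reasons = []
    if mode & stat.S_IWOTH:
        reasons.append("file is world-writable")
    if mode & stat.S_IWGRP:
        reasons.append("file is group-writable")
    if parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
        reasons.append("parent directory is world-writable without sticky bit")
    return reasons

def audit_crontab(crontab_text):
    """Map each risky cron-referenced path to the reasons it is risky."""
    return {p: r for p in cron_command_paths(crontab_text) if (r := writable_by_others(p))}

def make_sample():
    """Constructed sample: temp dir holding one 0777 script and one 0755 script."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "task.py"), os.path.join(d, "backup.py")
    for path, mode in ((bad, 0o777), (good, 0o755)):
        open(path, "w").close()
        os.chmod(path, mode)
    return f"*/2 * * * * root python {bad}\n0 3 * * * root python {good}\n", bad, good

if __name__ == "__main__":
    text, _, _ = make_sample()
    for path, reasons in audit_crontab(text).items():
        print(path, "->", "; ".join(reasons))
```

On a real host, pass the contents of /etc/crontab and the files under /etc/cron.d to `audit_crontab`; any path it reports should be owned by root and not writable by group or others.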