From nmap, there are ssh and http services.
This is the web page.
With gobuster, we found that there is a directory /ona/, which is running OpenNetAdmin.
I tried to use the shell script in searchsploit for OpenNetAdmin.
I input a URL-encoded reverse shell command for
And we get a reverse shell as www-data. However, we cannot access jimmy and joanna’s directories.
In /var/www/html/ona/local/config/database_settings.inc.php, I get the password.
With this password, I successfully connect to ssh as jimmy.
In /var/www/internal/, there is main.php, which will print joanna’s id_rsa.
With netstat, I found that it should be listening on port 52846 locally. I curl localhost at that port to get id_rsa.
I use john the ripper to get its passphrase
I connect to ssh with that key and get
With sudo -l, I found that I can run /bin/nano /opt/priv with anyone’s privilege.
Press ^R^X, and type reset;sh 1>&0 2>&0. I get the shell as root.
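
The last step works because a sudoers rule lets an interactive editor run as another user. As an added example (not part of the original writeup), this small auditor flags sudoers rules of that kind; the sample rules are constructed, the backup and deploy users are hypothetical, and the SHELL_CAPABLE list is an assumed, non-exhaustive set.

```python
import os
import re

# Assumption: short, non-exhaustive list of programs that can start a shell
# or run commands from inside their own interface.
SHELL_CAPABLE = {"nano", "vi", "vim", "less", "more", "man", "ed"}

RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(.+)$")                   # who host = spec
ITEM = re.compile(r"^(?:\(([^)]*)\)\s*)?((?:[A-Z_]+:\s*)*)(.*)$")  # (runas) TAGS: cmd
# Comments, includes, Defaults and alias definitions are skipped (aliases are not expanded).
SKIP = ("#", "@", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def audit_sudoers(text):
    """Return (who, runas, command) for every rule that runs a shell-capable
    program as another user without the NOEXEC tag."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        m = RULE.match(line)
        if not m or line.startswith(SKIP):
            continue
        who, _host, spec = m.groups()
        runas, noexec = "root", False              # sudo runs as root unless told otherwise
        for item in re.split(r"(?<!\\),", spec):   # commands are comma separated
            new_runas, tags, cmd = ITEM.match(item.strip()).groups()
            runas = new_runas or runas             # runas and tags carry over to later commands
            tag_list = re.findall(r"[A-Z_]+", tags)
            if "NOEXEC" in tag_list:
                noexec = True
            elif "EXEC" in tag_list:
                noexec = False
            parts = cmd.split()
            if parts and not noexec and os.path.basename(parts[0]) in SHELL_CAPABLE:
                findings.append((who, runas, cmd))
    return findings

# Constructed sample; the first rule is modelled on the sudo -l result described above.
SAMPLE = """\
Defaults env_reset
joanna ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
backup ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
deploy ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/vim /etc/nginx/nginx.conf
"""

if __name__ == "__main__":
    for who, runas, cmd in audit_sudoers(SAMPLE):
        print(f"{who} may run '{cmd}' as {runas} without NOEXEC")
```

Where a user only needs to edit one file, a sudoedit rule for that file avoids running the editor with the target user's privileges at all.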