From nmap, there are SSH and HTTP services.
This is the web page.
From nmap, we can see that it runs nostromo 1.9.6, so I searched for it with searchsploit. There is an RCE Python script.
With that RCE script, we can get the reverse shell as
I don’t have permission to access david’s directory.
/var/nostromo/conf/nhttpd.conf, it seems that there is a directory
/home/david/public_www/protected-file-area/, there is a
After unzipping that file, I got
.ssh, and got the passphrase
hunter with John the Ripper.
Now, I can ssh as
/bin/, there is a bash script. It runs
journalctl with sudo.
I ran the same command and typed
!/bin/sh; now I got a shell as
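
The last step works because journalctl hands its output to an interactive pager, and the pager accepts `!command`. As an added example (not part of the original write-up), the following audit flags sudoers rules that allow a pager-launching command without `NOEXEC` or `--no-pager`. The sample rules, user names and the `PAGER_COMMANDS` list are constructed for illustration, and aliases and included files are not resolved.

```python
import re

# Assumption: commands that page their output through less/more by default.
PAGER_COMMANDS = {"journalctl", "systemctl", "less", "more", "man"}

# Constructed sample sudoers content (not taken from the machine in this post).
SAMPLE_SUDOERS = """\
# constructed example entries
alice ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -uexample.service
bob ALL=(root) NOEXEC: NOPASSWD: /usr/bin/journalctl -n5 -uexample.service
carol ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -uexample.service
dave ALL=(root) /usr/bin/systemctl status example, /usr/bin/id
"""

# user  host = (runas) command-list
RULE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<rest>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")


def audit_sudoers(text):
    """Return (line number, user, command) for rules that allow a pager escape."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m or m.group("who").endswith("_Alias"):
            continue
        tags = set()
        for cmd in m.group("rest").split(","):
            cmd = cmd.strip()
            # Tags prefix a command and carry over to later commands in the list.
            while (t := TAG.match(cmd)):
                if t.group(1) == "EXEC":
                    tags.discard("NOEXEC")  # EXEC re-enables child processes
                else:
                    tags.add(t.group(1))
                cmd = cmd[t.end():]
            words = cmd.split()
            if not words:
                continue
            name = words[0].rsplit("/", 1)[-1]
            if name in PAGER_COMMANDS and "NOEXEC" not in tags and "--no-pager" not in words:
                findings.append((lineno, m.group("who"), cmd))
    return findings


if __name__ == "__main__":
    for lineno, who, cmd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {who} can reach a pager as the target user via: {cmd}")
```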