Step 1 :

Run an Nmap scan.

Step 2 :

Run dirsearch to enumerate directories on the website.

Step 3 :

Run whatweb, which identifies the web technologies a website uses,
including content management systems.
You can see the site is running a nostromo server, along with its version.

Step 4 :

Search for nostromo exploits.
Google for a bash script for this exploit and you will find bash scripts.

Step 5:

Using the bash script found through Google, you can interact with the server,
so you can get a reverse shell using the nc command.

Step 6 :

We know the site is running a nostromo server,
so search for the nostromo folder and go into it.
There is a conf folder inside; go into the conf folder.

Step 7 :

Read the nhttpd.conf file. You can see there is a
folder inside the david directory, which is public_www.

Step 8:

Go to that folder. There is a protected-area folder; go into it and
you can see a backup file of SSH in there.

Step 9:

Copy that file to /tmp/ji and unzip it. You can see 3 files (authorized_keys, id_rsa,

Step 10:

Copy the SSH key and save it on your machine.

Step 11:

To crack the password, first use ssh2john, then crack the password with john.

Step 12:

Now you have the password and can log in to SSH as david.

Step 13:

Look inside the david directory and read the file;
it runs journalctl through the sudo command.

Step 14:

Going through GTFOBins, we can see journalctl, and we can become
root through the command execution given below.

Step 15:

Run the same command we saw in that file, then write
!/bin/bash after it executes.
You now have root privileges and can read the root file.
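
Steps 13 to 15 work because journalctl pages its output through less, which accepts `!command`, while running as root under sudo. The added example below (not part of the original write-up) is a defender-side check that parses sudoers text and flags such grants unless the NOEXEC tag or a pinned `--no-pager` argument closes the escape; the sample sudoers lines, user names and unit name are constructed, and the program list is an illustrative subset.

```python
import posixpath
import re

# Assumption: illustrative subset of programs that page output through less.
PAGER_CAPABLE = {"journalctl", "systemctl", "man", "less", "more"}
NO_PAGER_FLAG = {"journalctl", "systemctl"}  # these accept --no-pager

# Constructed sample sudoers content; users and unit name are made up.
SAMPLE_SUDOERS = """\
Defaults env_reset
alice ALL=(root) NOPASSWD: /usr/bin/journalctl -n 5 -u web.service
bob   ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n 5 -u web.service
carol ALL=(root) NOEXEC: NOPASSWD: /usr/bin/less /var/log/syslog
erin  ALL=(ALL) /usr/bin/man, /usr/bin/id
"""

SPEC = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<rest>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")


def audit(sudoers_text):
    """Return (user, command) pairs that can reach an interactive pager as root."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        noexec = False
        # Simplification: commands are split on commas (no escaped commas).
        for cmd in m.group("rest").split(","):
            cmd = cmd.strip()
            # Tags prefix a command and carry over to later commands in the list.
            while (t := TAG.match(cmd)):
                noexec = {"NOEXEC": True, "EXEC": False}.get(t.group(1), noexec)
                cmd = cmd[t.end():]
            parts = cmd.split()
            name = posixpath.basename(parts[0]) if parts else ""
            if name not in PAGER_CAPABLE or noexec:
                continue  # not a pager program, or sudo blocks child processes
            if name in NO_PAGER_FLAG and "--no-pager" in parts[1:]:
                continue  # sudoers pins the arguments, so the pager never starts
            findings.append((m.group("who"), cmd))
    return findings


if __name__ == "__main__":
    for who, cmd in audit(SAMPLE_SUDOERS):
        print(f"{who}: {cmd}")
```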