

Traverxec


Step 1:


Run an Nmap scan.




Step 2:


Run dirsearch to enumerate directories on the website.




Step 3:


Run whatweb; it recognises the web technologies in use,
including the content management system, if any, behind the website.
You can see that the site is running the nostromo server, and its version.




Step 4:


Search for nostromo exploits.
Googling for a bash script for this exploit turns up several bash scripts.




Step 5:

Using the bash script found via Google, you can interact with that server,
so you can get a reverse shell using the nc command.





Step 6:

We know that it's running the nostromo server,
so search for the nostromo folder and go into it.
There is a conf folder inside; go into the conf folder.



Step 7:

Read the nhttpd.conf file; you can see that there is a
folder inside the david directory called public_www.



Step 8:

Go to that folder. There is a protected-area folder; go inside it,
and you can see an SSH backup file there.



Step 9:

Copy that file to /tmp/ji and unzip it. You can see 3 files (authorized_keys, id_rsa, id_rsa.pub).





Step 10:

Copy the SSH key and save it on your machine.



Step 11:

To crack the password, first run ssh2john on the key, then crack the password with john.



Step 12:

Now that you have the password, you can log in over SSH as david.



Step 13:

You can see server-stats.sh inside the david directory. Read the file:
it runs journalctl via the sudo command.



Step 14:

Going through GTFOBins, we can find journalctl, and we can become
root through the command execution given below.



Step 15:

Run the same command we saw in the server-stats.sh file, then type
!/bin/bash after it executes.
You now have root privileges and can read the root file.
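The defender's counterpart to Steps 13 to 15, added here as an example (it is not part of the original walkthrough or of the box): a small Python audit that flags sudo rules granting journalctl or systemctl without --no-pager, since journalctl hands long output to a pager from which a shell can be started, and that shows the hardened form of the rule. The sudoers text is constructed for this example.

```python
import re

# Constructed sudoers sample (not from the machine), modelled on the kind of
# rule that server-stats.sh relies on: david may run journalctl as root.
SAMPLE_SUDOERS = """\
# constructed sample for the audit below
Defaults env_reset
root  ALL=(ALL:ALL) ALL
david ALL=(ALL) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
alice ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service, /bin/systemctl status nginx
"""

# journalctl and systemctl hand long output to a pager (less by default), and
# less can start a shell with "!", so a sudo rule for either tool without
# --no-pager is effectively a rule for "root shell". Both honour --no-pager.
PAGER_TOOLS = ("journalctl", "systemctl")

def audit_sudoers(text):
    """Return a list of (line_no, command) for rules that grant a pager-capable
    command without --no-pager. Comments and non-rule lines are skipped."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if "=" not in line:                 # blanks, comments, Defaults lines
            continue
        spec = line.split("=", 1)[1].strip()
        spec = re.sub(r"^\([^)]*\)\s*", "", spec)       # drop the (runas) part
        spec = re.sub(r"^(?:[A-Z]+:\s*)+", "", spec)     # drop NOPASSWD: etc.
        for cmd in (c.strip() for c in spec.split(",")):
            args = cmd.split()
            if not args:
                continue
            prog = args[0].rsplit("/", 1)[-1]
            if prog in PAGER_TOOLS and "--no-pager" not in args[1:]:
                findings.append((no, cmd))
    return findings

def harden(cmd):
    """Rewrite a flagged command with the pager disabled. sudoers matches the
    exact argument list, so the calling script (server-stats.sh here) must be
    changed to the same line. The NOEXEC: tag on the rule is a second control:
    it is designed to stop journalctl from executing the pager at all."""
    prog, *args = cmd.split()
    return " ".join([prog, "--no-pager", *args])

if __name__ == "__main__":
    for no, cmd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {no}: {cmd}\n    -> {harden(cmd)}")
```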