Alfa: 1 vulnhub walkthrough
2022-08-02 03:59:00 【xdeclearn】
Information Page: http://www.vulnhub.com/entry/alfa-1,655/
Keywords: Enumeration | Web Application | Brute Force | Privilege Escalation
0x01 port scan
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
65111/tcp open unknown
0x02 get the first flag
Log in to FTP anonymously and download a picture named milo.jpg.
Browse port 80 and enumerate the directories; the page http://192.168.56.157/alfa-support/ shows a hint:
Based on that, use the name of the picture from earlier to build a password wordlist with crunch, then brute-force SSH with hydra to get the password milo666.
[email protected]:~$ crunch 7 7 -t milo%%% > 1.txt
Crunch will now generate the following number of lines:
[email protected]:~$ hydra -l thomas -P 1.txt ssh://192.168.56.157:65111
[65111][ssh] host: 192.168.56.157 login: thomas password: milo666
Use ssh to log in and get the first flag.
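On the defender's side, the guessing run above leaves a recognizable trace in the sshd auth log: a burst of failed passwords from one source followed by an accepted one. The following is an added example, not part of the original walkthrough, that flags that pattern; the log lines, the host name alfa, the source addresses and the user alice are constructed, and the function names are illustrative.

```python
import re
from collections import defaultdict

# OpenSSH auth-log format: "... sshd[PID]: Failed|Accepted password for
# [invalid user ]NAME from IP port N ssh2"
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce_logins(lines, threshold=5):
    """Return (ip, user, failures) for every accepted password login that
    followed at least `threshold` failed attempts from the same source."""
    failures = defaultdict(int)  # (ip, user) -> failures since last success
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a password-auth line (e.g. session open/close)
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            failures[key] += 1
            continue
        if failures[key] >= threshold:
            hits.append((m["ip"], m["user"], failures[key]))
        failures[key] = 0  # a success resets the counter
    return hits

def sample_log():
    """Constructed sample log, not captured from the target machine."""
    tmpl = ("Aug  2 03:10:{sec:02d} alfa sshd[{pid}]: {res} password for "
            "{user} from {ip} port {port} ssh2")
    # One mistyped password by a regular user, then an 8-guess run on thomas.
    events = [("Failed", "alice", "192.168.56.1"),
              ("Accepted", "alice", "192.168.56.1")]
    events += [("Failed", "thomas", "192.168.56.101")] * 8
    events += [("Accepted", "thomas", "192.168.56.101")]
    lines = [tmpl.format(sec=i, pid=1200 + i, res=r, user=u, ip=ip, port=40000 + i)
             for i, (r, u, ip) in enumerate(events)]
    lines.insert(2, "Aug  2 03:10:01 alfa sshd[1201]: pam_unix(sshd:session): "
                    "session opened for user alice by (uid=0)")
    return lines

if __name__ == "__main__":
    for ip, user, n in find_bruteforce_logins(sample_log()):
        print(f"{ip} logged in as {user} after {n} failed passwords")
```

Rate limiting failed logins or allowing only key-based authentication on the SSH port removes the condition this check looks for.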
0x03 get the second flag
After obtaining the shell, the routine checks (suid, sudo, crontab, backup password files, etc.) all came up empty. Going back to the start, there is a sensitive file in the user's home directory: .remote_secret.
At the same time, vncserver shows up in the process list.
The password file above is presumably used to log in to VNC. Because vncserver only accepts local connections, we use ssh as a socks5 proxy and run vncviewer on Kali with the password file loaded to get root access and the second flag.