10.10.10.109

### information gathering

```
22/tcp open ssh
80/tcp open http
```

![[Pasted image 20220115182652.png]]

users: Sparklays

```
feroxbuster -u http://10.10.10.109/sparklays/ -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -x php,txt -t 200
```

![[Pasted image 20220115183648.png]]

### foothold

http://10.10.10.109/sparklays/design/changelogo.php

we can upload a php shell

![[Pasted image 20220115185412.png]]

![[Pasted image 20220115185535.png]]

Linux ubuntu 4.13.0-45-generic #50~16.04.1-Ubuntu SMP Wed May 30 11:18:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

```
linux/local/44298.c
linux_x86-64/local/44300.c
linux/local/43418.c
linux/local/47169.c
```

![[Pasted image 20220115190456.png]]

![[Pasted image 20220115191933.png]]

![[Pasted image 20220115192202.png]]

dave : Dav3therav3123

```
itscominghome
xxj31ZMTZzkVA
addr:192.168.122.1
5902
5901
5900
/home/dave/.gnupg/pubring.gpg
gdb
/home/dave/.local/share/keyrings **
/usr/share/keyrings **
/var/lib/apt/keyrings **
/home/dave/.local/share/evolution/addressbook/system/contacts.db **
/usr/share/bash-completion/completions/passwd x
/usr/share/lintian/overrides/passwd x
/home/alex/Downloads/server.iso ?
```

```
Found: /var/lib/colord/mapping.db: SQLite 3.x database
Found: /var/lib/colord/storage.db: SQLite 3.x database
Found: /var/lib/fwupd/pending.db: SQLite 3.x database
Found: /var/lib/mlocate/mlocate.db: regular file, no read permission
Found: /var/lib/nssdb/cert9.db: SQLite 3.x database
Found: /var/lib/nssdb/key4.db: SQLite 3.x database
Found: /var/lib/nssdb/secmod.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
Found: /home/dave/.config/libaccounts-glib/accounts.db: SQLite 3.x database, user version 1
Found: /home/dave/.local/share/evolution/addressbook/system/contacts.db: SQLite 3.x database
Found: /home/dave/.local/share/zeitgeist/activity.sqlite: SQLite 3.x database
```

```
192.168.122.4
192.168.122.5
```

https://0xdf.gitlab.io/2019/04/06/htb-vault.html

```
dave : dav3gerous567 -> 192.168.122.4
```

user.txt : a4947faa8d4e1f80771d34234bd88c73

![[Pasted image 20220115202800.png]]