I scan the target with the nmap tool.

I found the vulnerability in the HTTP service version.
https://www.rapid7.com/db/modules/exploit/multi/http/nostromo_code_exec/

I use the exploit and search for a vulnerability that can connect via SSH.
I look at nhttpd.conf, and there may be interesting information to use later. I change directory to /home/david/public_www.

There is a file whose extension is tgz. I copy the zip under the tmp directory.


My purpose is to use authorized_keys to connect via SSH.

I copy the content of the authorized_keys. I have to crack the key’s hash.

password=hunter
I connect to SSH.

Under /david/bin, there is an sh file that can be run. I run the sh file and I get some errors. The screenshot below is the content of server-status.sh. I recognize that the sh file can run a sudo command without any password.

I run the command and I get the error that I mention above.

After between 1 and 2 hours, I change the shell and the command is executed successfully.

