Test 2
1
markdown
1
2
3
def foo
conf tekst
end
jakis dziwny preformatowany długi testt tekst, erwe er ewrewr
pre{ background-color: #EBECE4; }
http://172.16.1.195/index.php
driftingblues is hacked again so it's now called drippingblues. :D hahaha by travisscott & thugger
http://172.16.1.195/index.php driftingblues is hacked again so it’s now called drippingblues. :D hahaha bytravisscott & thugger
This is a paragraph1. ciekawe czy skoczy co linie
This is a paragraph2. linia 1 linia 3
tluamczenie z www.deepl.com
Recently I was looking for something where I could apply Pivoting (get into the server that is behind the server being attacked). On a site with vulnerable machines Vulnhub I found something like this: myHouse7: 1. Unfortunately, this machine can boot with errors, but there are soluions for how to remedy this. On XCP-NG the issue is even more complicated (incompatible interface). How to change the interface to make it work on XCP-NG I wrote here. One more piece of advice from my side regarding myHouse7. When you install the image, do not fire it up completely, but immediately enter the “fallback” mode. Change the interface to eth0 and copy the files from /home/bob/setup somewhere. If it crashes, the installation files will be deleted and you will have to install the virtual machine from scratch. From what I remember the “autostart” file is in /etc/rc.local. And the Docker image installation script is in /home/bob/setup/buildDockerNet.sh. From my notes, if something goes wrong, you need to delete /home/bob/setup/config and then run ./home/bob/setup/buildDockerNet.sh. At first I think you need to convert the network to ETH0 and only then, if everything is ok, run ./home/bob/setup/buildDockerNet.sh. Unfortunately I don’t remember exactly how it was, but I assume everything went well and the virtual machine started. As I mentioned Docker, there are 7 containers running from it on the machine. We have the first flag by the way, and there are 20 or 19 of them, and the author described it well. The flag has the notation **, where **xxxx is a number in the range 1…9999. I won’t describe the whole walkthrough. A partial soluation is here and here. Motasem Hamdan in the second part focused on pivoting, but the author took some shortcuts and used it by accessing the server on which Docker is running. And if we do not have such access, what then? Metasploit and its port forwarding (portwd command) comes to our rescue. However, it doesn’t really work that well either. For example, I was not always able to connect via Metasploit pivoting to the Mysql database (more on that later), but I was able to connect to the Docker server which is SSH enabled. I will describe here pivoting with and without Metasploit, with access to the server and port forwarding via SSH -L.
Getting started
I’m not going to describe port scanning, because you probably already know it very well. I will mention that Anchor CMS version 0.12.7 is installed on port 8115. You can download the code and see how it all looks like there. From the browser side we can navigate the directories and e.g. go to http://172.16.1.167:8115/anchor/. All directories are as in the source. What caught my attention, is the entry in the first post: /timeclock/backup/ http://172.16.1.167:8115/. Going to http://172.16.1.167:8115/timeclock/backup/ we get beautiful access to Shell, thanks to browse_backups.php command. Firing it up we have a listing of the directory, and this is already a clue to throwing an exploit there. Let’s run the recommended command. We can see that the ls%20-lha command displayed the contents of the directory:
Exploit
Let’s use Metasploit to upload the exploit. :) We will use exploit/multi/script/web_delivery, and in it the linux/x86/meterpreter/reverse_tcp payload. Unfortunately the PHP Meterpreter payload does not have all network options. E.g. there is no arp and ifconfig command. There is portfwd - a port forwarding command, but sometimes it may not be enough.
Zostaw komentarz