💵Billing (Linux)

Some mistakes can be costly.

Network Enumeration

Nmap

General scan and service-specific scan
sudo nmap -sS --min-rate 5000 -p- --open -vvv -n -Pn 10.10.21.62 -oN puertos
nmap -sCV -p80,3306,5038 10.10.21.62 -oN nmap
Nmap result
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
| ssh-hostkey: 
|   256 35:bd:a2:17:f2:46:71:d4:7e:b5:c7:b5:ac:33:15:e8 (ECDSA)
|_  256 46:d6:34:86:cf:cc:d5:c5:87:a8:78:8a:32:95:15:9a (ED25519)
80/tcp   open  http     Apache httpd 2.4.62 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/mbilling/
| http-title:             MagnusBilling        
|_Requested resource was http://10.10.21.62/mbilling/
|_http-server-header: Apache/2.4.62 (Debian)
3306/tcp open  mysql    MariaDB 10.3.23 or earlier (unauthorized)
5038/tcp open  asterisk Asterisk Call Manager 2.10.6
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web Service Enumeration

Ffuf

  • Directory Listing

  • /mbilling/README.md: MagnusBilling version 7

Exploitation: CVE-2023-30258 (magnus-billing-v7-exploit)

System Intrusion

Shell: Web service user 'asterisk'

Post-Intrusion Enumeration

  • sudo /usr/bin/fail2ban-client: ALL (NO PASSWORD)
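
A defender-side check for the sudo finding above, as an added example that is not part of the original writeup: it scans sudoers text for passwordless grants on fail2ban-client, which matter because the fail2ban server runs as root and executes the action commands it is configured with. The `RISKY` set, the function names and the sample sudoers lines are assumptions constructed for this example.

```python
import re

# Assumption: binaries treated as root-equivalent under sudo (only this page's).
RISKY = {"/usr/bin/fail2ban-client"}

# Constructed sudoers content for the demo, not copied from the target host.
SAMPLE = """\
Defaults env_reset
Cmnd_Alias F2B = /usr/bin/fail2ban-client
root     ALL=(ALL:ALL) ALL
asterisk ALL=(ALL) NOPASSWD: /usr/bin/fail2ban-client
monitor  ALL=(root) NOPASSWD: /usr/bin/fail2ban-client status, \\
                              /usr/bin/fail2ban-client status sshd
backup   ALL=(root) NOPASSWD: F2B
deploy   ALL=(root) /usr/bin/fail2ban-client
"""

def logical_lines(text):
    """Join backslash continuations, drop comments (includes not followed)."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def audit_sudoers(text, risky=RISKY):
    """Return (user, path, args) per NOPASSWD grant; args None = any args."""
    lines = list(logical_lines(text))
    aliases = {}
    for line in lines:
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    findings = []
    for line in lines:
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)", line)
        if not m or re.match(r"Defaults|\w+_Alias\b", line):
            continue
        user, spec = m.groups()
        nopasswd = False  # tags carry over to later commands in the same list
        for item in spec.split(","):
            tags, item = re.match(r"((?:[A-Z_]+:\s*)*)(.*)", item.strip()).groups()
            if "NOPASSWD:" in tags or "PASSWD:" in tags:
                nopasswd = "NOPASSWD:" in tags
            for cmd in aliases.get(item, [item]):  # expand Cmnd_Alias names
                path, _, args = cmd.partition(" ")
                if nopasswd and path in risky:
                    findings.append((user, path, args.strip() or None))
    return findings
```

In sudoers, a command with no argument list permits any arguments, so the entries returned with `args` set to `None` are the ones to remove or restrict first.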

Fail2Ban Privilege Escalation

System Compromise

Shell: Root
