sudo nmap -T4 -A -v -oN nmap --min-rate 1000 $IP
sudo nmap -T4 --script=vuln -v -oN vuln --min-rate 1000 $IP
sudo nmap -T4 -A -v -p- -oN alltcp --min-rate 1000 $IP
sudo nmap -T4 -sU -sV -sC -v -p- -oN udp --min-rate 1000 $IP
sudo nmap -A -v -p- -oN alltcpslow $IP
Initial access = LibreOffice .odt macro
- the macro can exec a shell easily: base64-encoded PowerShell revshell
- Make sure you edit the custom actions so the macro executes on open!
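Detection side of the same chain, as an added example (not part of the original notes): flag process-creation events where a LibreOffice process is the parent of PowerShell, and decode any -EncodedCommand argument for triage. The field names follow Sysmon event ID 1; the parent list and the sample events are constructed assumptions.

```python
import base64
import re

OFFICE_PARENTS = {"soffice.exe", "soffice.bin", "swriter.exe"}  # assumed list
SHELLS = {"powershell.exe", "pwsh.exe"}
# A flag starting with "e", followed by a base64-looking argument.
FLAG = re.compile(r"(?i)\s[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{8,})")

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def encoded_payload(command_line):
    """Return the decoded -EncodedCommand script, or None if absent."""
    for flag, blob in FLAG.findall(command_line):
        # PowerShell accepts any prefix of -EncodedCommand, plus the alias -ec.
        if not ("encodedcommand".startswith(flag.lower()) or flag.lower() == "ec"):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return "<undecodable>"
    return None

def triage(events):
    """Flag document apps spawning PowerShell; attach decoded script if any."""
    alerts = []
    for ev in events:
        if basename(ev["ParentImage"]) in OFFICE_PARENTS and basename(ev["Image"]) in SHELLS:
            alerts.append({"CommandLine": ev["CommandLine"],
                           "decoded": encoded_payload(ev["CommandLine"])})
    return alerts

# Constructed sample events with a benign payload, not taken from the notes.
SAMPLE_BLOB = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\LibreOffice\program\soffice.bin",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + SAMPLE_BLOB},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Unrestricted -File C:\\tools\\backup.ps1"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```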
Priv esc:
apache user had SeImpersonate! - any Potato (GodPotato) or PrintSpoofer
Lessons:
Check other users!!! Can you pivot to them? What can they do?