Scan the host with nmap : nmap –T –A4 –p- 192.168.1.10 –vv
Lets use dirb and nikto to gather more information:
Dirb and nikto came with some listing of directories … two of them were interesting … both of them are providing login with username and passwords :
Its running LoutusCMS service , searching for the service using searchsploit came with a result:
Next we start metasploit and search for LotasCMS
We got a session .. run shell and then python -c ‘import pty; pty.spawn(“/bin/bash”)’
Navigating through folders we can see gallery folder and there is a file called gconfig.php …open the file and there is some information we can use as username: root and password: fuckyou ….lol
As I said before there were two login pages , the other one is using phpmyadim and we going to use these credentials to login
the gallery page have a php expoit so I ran it into sqlmap –u http://192.168.1.10/gallery. php?id=1 –dbs –dump
we got two username and their hashes , it’s MD5 hash and it’s easy to decode online
loneferret : starwars
drge : Mast3r
Running chechsec.sh gave an error xtrem-256color … google it and came with a solution export TERM=xterm
Head to /etc/sudoers and add
Trying sudo /bin/sh .. and we gor ROOT
