Scan the host with nmap: nmap -T4 -A -p- 192.168.1.10 -vv

Let's use dirb and nikto to gather more information:
Dirb and nikto came back with a listing of directories. Two of them were interesting: both provide a login with a username and password.

It's running the LotusCMS service; searching for the service with searchsploit came back with a result.

Next we start Metasploit and search for LotusCMS.

We got a session. Run shell and then python -c 'import pty; pty.spawn("/bin/bash")'

Navigating through the folders we can see a gallery folder containing a file called gconfig.php. Open the file and there is some information we can use: username root and password fuckyou ... lol

As I said before, there were two login pages. The other one uses phpMyAdmin, and we are going to use these credentials to log in.

The gallery page has a PHP exploit, so I ran it through sqlmap: sqlmap -u http://192.168.1.10/gallery.php?id=1 --dbs --dump

We got two usernames and their hashes. They are MD5 hashes, which are easy to crack online:
loneferret : starwars
drge : Mast3r
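
Why these hashes fell to an online lookup, and what the storage should look like instead. This is an added example, not code from the target application; it assumes the MD5 hashes were unsalted, and the wordlist and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: the two passwords come from the walkthrough; the
# wordlist stands in for the precomputed tables behind online MD5 lookup sites.
WORDLIST = ["password", "123456", "letmein", "starwars", "Mast3r"]


def md5_hex(password):
    """Weak scheme: plain MD5 with no salt (assumed to be what the app stored)."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(words):
    """One precomputed table reverses every unsalted MD5 hash of a listed word."""
    return {md5_hex(w): w for w in words}


def hash_password(password, salt=None):
    """Hardened scheme: per-user random salt plus the memory-hard scrypt KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    stored = md5_hex("starwars")  # the kind of value the dumped table held
    print("unsalted MD5 lookup:", table.get(stored))

    # Two users with the same password get different salts and digests,
    # so a single precomputed table no longer matches either of them.
    salt_a, hash_a = hash_password("starwars")
    salt_b, hash_b = hash_password("starwars")
    print("same password, same scrypt digest?", hash_a == hash_b)
    print("verify correct password:", verify_password("starwars", salt_a, hash_a))
    print("verify wrong password:", verify_password("Mast3r", salt_a, hash_a))
```
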


Running checksec.sh gave an error about xterm-256color. Googling it came up with a solution: export TERM=xterm


Head to /etc/sudoers and add


Trying sudo /bin/sh ... and we got ROOT
