we start by changing the IP of our machine to the 10.10.10.IP subnet , instructed by the owner of the lap , then we can scan the host for open ports : nmap –T4 –A –p- 10.10.10.100 –vv

Running dirb and nikto gave us all the information about the hosted pages on this host, one of the pages is to sign up by using email and password to login:

And didn’t redirect me in, another login page in the blog:

Going through links from dirb found a txt file with the name password.txt

It’s a MD5 password : 1eaf4881358d93b034a642f7a200d4f9
Going deeper in the dirb links I found another txt file

Actually SPHPBlog is an exploit we can use it using Metasploit :

Now we have a user name MDSiqZ and a password ohobwv , we can login using them

Uploaded a shell using msfvenom and made a connect to the shell

On var/www/ folder there is a file mysqli_connect.php :

Inside the file there is a root password , su root and then the password gave us the root privilege
