Vulnhub Al-WEB-1.0 Walkthrough

We start by scanning the host with nmap –A –T4 –p- 192.168.1.3 –vv

Dirb search came with robot.txt :

The path http://192.168.1.3/se3reTdir777/ gave #1 for admin #2 for root #3 for mysql

Let’s fire up BurpSuite and see how this is going to work:

Now we save this information to a file sql.txt and run it through sqlmap

sqlmap -r sql.txt –dbs –batch

We have two databases, let’s dump them all to see:

sqlmap -r sql.txt -D aiweb1 –dump-all –batch

They all a code64 passwords:

t00r       FakeUserPassw0rd

aiweb1pwn  MyEvilPass_f908sdaf9_sadfasf0sa

u3er       N0tThis0neAls0

Then I ran dirb again on the other path /m3diNf0/ and came up with a file info.php:

Viewing the page we got a lot of information about the host configurations:

Then I had no idea what to do from here till I figured it out after some time, first the php file gave me a lot of information, but where to put it??

Then I went back for the sqlmap and I used the sqlmap with input sqlmap -r sql.txt –os-shell:

I have some sort of low privilege shell, but every time I put a command it asks me to retrieve the output, which is kind of annoying really.

Then I found a file where I’m right now called tmpubuno.php, viewing it gave me a page with upload box.

I can upload a shell now from here, so let’s do it:

Got shell and the best part is I was trying a lot of ways till I find out that I was able to write directly to the passwd file so what I did is I just created a new user and added to passwd file and then I got root.

openssl passwd -1 –salt hacker 123456

Then switch user su hacker

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s