We start by scanning the host with nmap -A -T4 -p- 192.168.1.3 -vv
The dirb search came up with robots.txt:
The path http://192.168.1.3/se3reTdir777/ gave #1 for admin, #2 for root, #3 for mysql
Let’s fire up BurpSuite and see how this is going to work:
Now we save this information to a file sql.txt and run it through sqlmap
sqlmap -r sql.txt --dbs --batch
We have two databases, let’s dump them all to see:
sqlmap -r sql.txt -D aiweb1 --dump-all --batch
They are all base64-encoded passwords:
Then I ran dirb again on the other path /m3diNf0/ and came up with a file info.php:
Viewing the page we got a lot of information about the host configurations:
Then I had no idea what to do from here until I figured it out after some time. First, the PHP file gave me a lot of information, but where to put it?
Then I went back to sqlmap and ran it with sqlmap -r sql.txt --os-shell:
I have some sort of low-privilege shell, but every time I put in a command it asks me to retrieve the output, which is kind of annoying really.
Then I found a file in the directory where I am right now called tmpubuno.php; viewing it gave me a page with an upload box.
I can upload a shell now from here, so let’s do it:
Got a shell, and the best part is that, after trying a lot of ways, I found out that I was able to write directly to the passwd file. So I just created a new user, added it to the passwd file, and then I got root.
openssl passwd -1 -salt hacker 123456
Then switch user: su hacker
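
The root step above works only because the web user could write to the passwd file. The following audit script is an added example, not part of the original walkthrough: it flags a passwd-format file that is writable by non-owners, any extra UID 0 account, and any hash stored inline instead of in /etc/shadow. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the weaknesses behind the
# final step of the walkthrough. Names and sample data are constructed.

audit_passwd() {
    file=${1:-/etc/passwd}

    # Finding 1: file is group- or world-writable (normally mode 0644).
    if [ -n "$(find "$file" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "WRITABLE $file"
    fi

    # Fields are name:password:uid:gid:gecos:home:shell
    awk -F: '
        /^#/ || NF < 3 { next }                      # comments, blank lines
        $3 == 0 && $1 != "root" { print "UID0 " $1 } # extra superuser account
        $2 == ""                { print "EMPTY_PASSWORD " $1; next }
        # "x" defers to /etc/shadow; "*" and "!..." mean the account is locked.
        $2 != "x" && $2 != "*" && $2 !~ /^!/ { print "INLINE_HASH " $1 }
    ' "$file"
}

# Build a constructed sample file that reproduces the misconfiguration.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
demo:$1$CONSTRUCTED$notARealHashValue000000:0:0::/root:/bin/bash
EOF
    chmod 666 "$dir/passwd"
    echo "$dir/passwd"
}

# Stand-alone run against the constructed sample.
sample=$(make_sample)
audit_passwd "$sample"
rm -rf "$(dirname "$sample")"
```

Run audit_passwd with no argument to check the live /etc/passwd; a clean system prints nothing.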