Running nmap -A -T4 -p- 192.168.1.10 -vv

Running dirb, we can see there is a file sitemap.xml

The sitemap.xml page contains the line http://infosecwarrior.com/index.htnl, so we need to edit our hosts file to be able to access it:

In the page source there is a hidden element for cmd.php whose method is GET. We need to un-hide it and change the method to POST; we are going to do this from the browser's inspect element view:

A POST box will show up on the page, where we can view the passwd file; other commands can be used as well:


Using cat on all the files until I found something interesting inside cmd.php itself:

So now let's ssh to it using the username isw0 and the password 123456789blabla

OK, we have the user flag; let's see what privileges this user has to run as root:

OK, /bin/rpm is the only SUID binary that is going to work. According to the site cooolis, we can exploit rpm using this command: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
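From the defender's side, the rpm trick above leaves a clear trace in the sudo log, because sudo records the full command line including the %{lua:...} macro. The following is an added example (not part of the walkthrough): a small Python parser that reads syslog-style sudo entries and flags rpm macro evaluations that embed Lua, whether via --eval or its short form -E; the hostname, usernames and log lines are constructed for offline testing.

```python
import re

# Constructed sample sudo log lines in the usual syslog format.
SAMPLE_LOG = """\
Jan 10 12:00:01 isw sudo:    isw0 : TTY=pts/0 ; PWD=/home/isw0 ; USER=root ; COMMAND=/bin/rpm -qa
Jan 10 12:00:05 isw sudo:    isw0 : TTY=pts/0 ; PWD=/home/isw0 ; USER=root ; COMMAND=/bin/rpm --eval %{lua:posix.exec("/bin/sh")}
Jan 10 12:01:00 isw sudo:    admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt update
Jan 10 12:02:00 isw sudo:    isw0 : TTY=pts/0 ; PWD=/home/isw0 ; USER=root ; COMMAND=/bin/rpm --eval %{_libdir}
"""

# Fields sudo writes for a successful command: invoking user, target user, command line.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)
# An rpm macro that embeds Lua, as used in the walkthrough's privilege escalation.
LUA_MACRO_RE = re.compile(r"%\{lua:", re.IGNORECASE)


def parse_sudo_line(line):
    """Return a dict with user, target and cmd for a sudo COMMAND entry, else None."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None


def is_rpm_lua_escape(cmd):
    """True when the command runs rpm with --eval/-E and a %{lua:...} macro."""
    argv = cmd.split()
    if not argv:
        return False
    binary = argv[0].rsplit("/", 1)[-1]  # basename, so /bin/rpm and /usr/bin/rpm both match
    evaluates = "--eval" in argv or "-E" in argv
    return binary == "rpm" and evaluates and bool(LUA_MACRO_RE.search(cmd))


def find_rpm_lua_escapes(log_text):
    """Scan sudo log text and return (user, target, cmd) tuples for suspicious rpm calls."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec and is_rpm_lua_escape(rec["cmd"]):
            hits.append((rec["user"], rec["target"], rec["cmd"]))
    return hits


if __name__ == "__main__":
    for user, target, cmd in find_rpm_lua_escapes(SAMPLE_LOG):
        print(f"ALERT: {user} ran as {target}: {cmd}")
```

The same check applies to a sudoers audit: any rule that lets a user run rpm as root effectively grants a root shell, so the rule, not just the log line, is what needs fixing.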
