🐧FunBoxEasy

192.168.234.111

Initial Scan

Nmap Scan

nmap 192.168.234.111 -sV -A -Pn   

Port 22

Banner grab

Port 80

From the Nmap scan you can already see that robots.txt contains gym.

Dirbuster finds a lot of directories at this IP.

Found a login page for /store/admin.php, takes admin:admin credentials.

Found /store/database/www_project.sql. Cracking this hash just tells you the password is admin, which is already known.

Payload works for /admin login. https://www.exploit-db.com/exploits/48940

jyot' or 1=1#

Shell

Found that I could upload an image for the book. Uploaded php reverse shell.

Ran reverse shell through http://192.168.234.111/store/bootstrap/img/rev3.php
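
The upload step above worked because the book-image upload accepted a .php file and stored it under a path the web server executes. A server-side check that would have refused it, as an added example that is not the application's own code (`check_upload` and the sample bytes are constructed for illustration):

```python
import os
import secrets

# Allowlisted image extensions and the magic bytes each file must start with.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def check_upload(filename, data):
    """Return (accepted, stored_name_or_reason) for an uploaded cover image."""
    # Drop any client-supplied directory part before looking at the name.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in MAGIC:
        return False, "extension not allowlisted: %r" % ext
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match " + ext
    # Never reuse the client-supplied name: a random name with a single
    # allowlisted extension also removes double extensions like x.php.png.
    return True, secrets.token_hex(16) + ext

# Constructed sample inputs (not taken from the target).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_SCRIPT = b"<?php /* constructed placeholder */ ?>"

if __name__ == "__main__":
    for name, body in [("rev3.php", SAMPLE_SCRIPT),
                       ("cover.png", SAMPLE_SCRIPT),
                       ("cover.php.png", SAMPLE_PNG)]:
        print(name, check_upload(name, body))
```

Validation alone is not sufficient: the upload directory should also be configured so the web server never executes scripts from it.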

Found file /home/tony/password.txt

Connected via SSH.

Sudo -l

Root

Using https://gtfobins.github.io/gtfobins/pkexec/

sudo pkexec /bin/sh
