Goal: Get the root flag of the target.
Difficulty: Easy to Intermediate
Lab Setup:
Download this machine from the link and import it into VirtualBox.
Let’s start with reconnaissance.

Here is my machine IP: 192.168.1.111
Scanning:
Multiple ports are open on that machine.
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.4.38 ((Debian))
3306/tcp open mysql syn-ack MySQL 8.0.19
33060/tcp open mysqlx? syn-ack
Let’s move forward with Port 80

Nothing interesting; it shows that CMSMS is running. I checked the directories but found nothing crucial, only the admin panel, and accessing it requires credentials.
Let’s move forward with another port, 3306.
I tried the default credentials and they worked.

So let’s check the admin credentials.

I found the admin password hash and tried to crack it using different wordlists and an online tool, but it did not crack, so now the only option is to change the admin password.

After changing the password, it’s time to log in to the admin panel and get the reverse shell.

Let’s upload a shell.

After enumerating, I found one exploit in Exploit-DB, and according to it we can upload .phtml and .ptar files in the CMS.

So I uploaded it and got the reverse shell.

Now I got a password and shadow backup file, and we have read permission.
So let’s crack the shadow password.

Now the shadow is cracked and we got the password of root.

Boom! We got root.
Happy Hacking
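
The step to root above depended on a backup copy of the shadow file that a low-privileged user could read. As an added example (not part of the original write-up), this Python script audits a directory tree for shadow-format files readable by "others"; the file names and the sample hash line in `demo()` are constructed.

```python
import os
import re
import stat
import tempfile

CRYPT_PREFIX = re.compile(r"^\$[0-9a-z]+\$")  # $6$, $y$, $2b$ ... crypt(3) ids

def looks_like_shadow(path, max_bytes=65536):
    """True if a line has the 9 colon-separated shadow(5) fields and a crypt hash."""
    try:
        with open(path, "r", errors="replace") as fh:
            for line in fh.read(max_bytes).splitlines():
                fields = line.split(":")
                if len(fields) == 9 and CRYPT_PREFIX.match(fields[1]):
                    return True
    except OSError:
        pass  # unreadable to the auditor: nothing to report from content
    return False

def exposed_shadow_copies(root):
    """Return sorted (path, mode) for shadow-format regular files readable by others."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished during the walk
            if not stat.S_ISREG(st.st_mode):
                continue
            # /etc/shadow itself is normally 0640 root:shadow, so only the
            # "other" read bit is treated as exposure here.
            if st.st_mode & stat.S_IROTH and looks_like_shadow(path):
                findings.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)

def demo():
    """Scan a constructed tree: one exposed copy, one locked-down copy, one decoy."""
    sample = "root:$6$CONSTRUCTEDsalt$CONSTRUCTEDhash:18400:0:99999:7:::\n"
    cases = (("shadow.bak", 0o644), ("shadow.safe", 0o600), ("notes.txt", 0o644))
    with tempfile.TemporaryDirectory() as d:
        for name, mode in cases:
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write(sample if name.startswith("shadow") else "nothing here\n")
            os.chmod(p, mode)
        return [(os.path.basename(p), m) for p, m in exposed_shadow_copies(d)]

if __name__ == "__main__":
    print(demo())
```

Run `exposed_shadow_copies()` against backup and web directories as root so that unreadable files do not hide findings.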