Checking out port 80 directs us to a login page on /login.php.
dirsearch.py against the web server reveals robots.txt.
The contents of robots.txt are shown below:
Browsing to /admin_area shows the page below.
Viewing the source reveals sensitive information:
We can then login to /login.php with the credentials shown above. The following page reveals a web page for uploading files.
I then uploaded a PHP reverse shell which after upload showed a ‘success’ status message. Knowing the directory /uploaded_files/ exists we can then browse to this followed by the uploaded file's name: http://192.168.152.25/uploaded_files/phpshell.php.
The page should hang and we will receive a shell on our
I could not see that Python was installed on this machine so I instead used the following command to upgrade the shell:
From here I transferred over linpeas from my attacking machine and let it run. The script picks up the username ‘technawi’ which is an alternative user on the box.
cat on the credentials.txt reveals login information. We can then use su to switch to the technawi user.
sudo -l against the user reveals we can run any command as any user on this machine.
We can then run the command below to spawn a root shell.
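From the defender's side, the upload step above leaves a clear trace in the web server's access log: a request for a script file inside /uploaded_files/. The following is an added example, not part of the original write-up; it assumes the Apache/nginx "combined" log format and a list of extensions handled by PHP, and the log lines are constructed samples.

```python
import re
from urllib.parse import unquote, urlsplit

UPLOAD_DIR = "/uploaded_files/"  # upload directory named in the write-up
# Extensions commonly mapped to the PHP handler (assumption about server config)
SCRIPT_EXT = re.compile(r"\.(?:php\d?|phtml|phar)(?:$|/)", re.IGNORECASE)
# "combined" access log format (assumed)
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (not taken from the target machine)
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:02:10 +0000] "GET /uploaded_files/phpshell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:03:00 +0000] "GET /uploaded_files/report.pdf HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:04:00 +0000] "GET /uploaded_files/%70hpshell.PHP?x=1 HTTP/1.1" 404 0 "-" "curl/8.0"',
]


def find_upload_script_hits(lines):
    """Return (ip, timestamp, path, status) for each request to a script under UPLOAD_DIR."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Drop the query string and percent-decode so encoded or
        # mixed-case names are compared in normalised form.
        path = unquote(urlsplit(m["target"]).path)
        if path.lower().startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            hits.append((m["ip"], m["ts"], path, int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, ts, path, status in find_upload_script_hits(SAMPLE_LOG):
        print(f"{ts} {ip} requested {path} -> HTTP {status}")
```

A hit with status 200 means the server served or executed a script from the upload directory. The durable fix is to store uploads outside the web root or disable the script handler for that directory.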