Goal: Get the root flag of the target.
Difficulty: Easy to Intermediate
Lab Setup:-
Download this machine from the link and import it into the virtual box.
Let’s start with reconnaissance.
Here is my machine IP 192.168.1.111
Scanning :-
Multiple ports is open in that machine.
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.4.38 ((Debian))
3306/tcp open mysql syn-ack MySQL 8.0.19
33060/tcp open mysqlx? syn-ackLet’s move forward with Port 80
Nothing intresting it shows the cmsms is running, checked with directories but nothing found crucial only found admin panel, but for accessing we have to use credentials.
Move forward with another port 3306
Tried with default credentials and it got worked.
SO let’s check the admin credentials.
Found admin password hash, and tried to crack it using different wordlists and online tool but not cracked so now the only option is to change the admin password.
After changing the password now its time to login to admin panel and get the reverse shell.
Let’s upload a shell.
After enumerating found one exploit in exploitdb and according to this we can upload .phtml and .ptar in cms.
So i uploaded it and get the reverse shell.
Now got a password and shadow backup file and we have read permission.
So let’s crack the shadow password.
Now the shadow is cracked and got a password of root.
Boom! We got a root.
Happy Hacking
