- Web page
- Started ncrack (try to get lucky)
- Downloaded image on webpage
- exiftool main.gif
- ran basic dirb (try to get lucky)
- Found a directory name in the metadata comment field.
- Threw the request into Burp.
- Found “key=” in the POST data.
- Brute-forced the “key=” login with hydra using the following command:
hydra 192.168.1.209 http-form-post "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -P rockyou.txt -l user -t 10 -w 30 -o hydrasucksballs.txt
- Then it showed us a username input box, so I ran sqlmap with the following:
sqlmap --wizard --users --passwords
Please enter full target URL: http://192.168.1.209/kzMb5nVYJw/420search.php?usrtosearch=
- This gave us the password for the phpMyAdmin directory.
- Logged in with creds.
- Then we viewed the table and found two users.
- We took one user’s hashed password and kept messing with it. Finally we base64-decoded it and deleted the last 3 characters that didn’t decode.
- Then we used CrackStation (an online web tool used as a replacement for John the Ripper).
- Cracked the password, which gave us SSH creds.
- Logged in.
- Checked .bash_history.
- Found ./procwatch, which looks like it runs the ‘ps’ command.
- Switched $PATH to point at the fake directory:
cp /bin/sh /var/www/backup/ps
- The fake ‘ps’ is actually sh.
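A defensive counterpart to the procwatch finding, added here and not part of the original notes: a POSIX sh snippet that audits a PATH string for entries an unprivileged user could populate and resolves helpers only through a fixed, trusted PATH (the SAFE_PATH directories are an assumption, as is the /var/www/backup-style writable directory it is meant to catch).

```shell
#!/bin/sh
# Added example, not from the original notes. procwatch was hijackable because it
# ran a bare "ps" and trusted whatever $PATH the caller exported. Two checks a
# defender can apply: audit PATH for attacker-populatable entries, and resolve
# helper binaries only through a fixed, trusted search path.

# Trusted search path used instead of the caller's environment (assumption:
# these are the system binary directories on the host).
SAFE_PATH="/usr/sbin:/usr/bin:/sbin:/bin"

# Print each risky entry of the PATH string given as $1, one per line.
# Risky: an empty entry or "." (both mean the current directory), any other
# relative entry, and any world-writable directory (a low-privilege user can
# drop a fake "ps" there, as in the walkthrough).
audit_path() {
    rest="$1:"                      # trailing ":" makes the loop consume every field
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            "") echo "<empty>" ;;
            .)  echo "." ;;
            /*) if [ -d "$entry" ]; then
                    # 9th char of the ls mode string is the "others write" bit
                    case "$(ls -ld "$entry" 2>/dev/null)" in
                        ????????w*) echo "$entry" ;;
                    esac
                fi ;;
            *)  echo "$entry" ;;
        esac
    done
}

# Resolve a helper name ($1) against SAFE_PATH only, ignoring the inherited PATH.
# Runs in a subshell so the caller's PATH is untouched.
resolve_trusted() {
    ( PATH="$SAFE_PATH"; export PATH; command -v "$1" )
}

# Demo on the caller's own environment (output varies by host).
if [ "${1:-}" = "--audit" ]; then
    audit_path "$PATH"
    echo "ps would resolve to: $(resolve_trusted ps)"
fi
```

Run it as `sh audit.sh --audit` to list risky PATH entries on the current host; a hardened procwatch would call `$(resolve_trusted ps)` or a hard-coded absolute path instead of a bare `ps`.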