->lazyadmin




User part :



-> Run Nmap Scan





-> 2 ports are open, so let's check port 80





-> Nothing much, so I ran ffuf for a directory search and got 1 directory





-> I ran a directory search against the directory I had just found, and I got a new directory





-> I again ran a directory search against the directory I got and found a file





-> That was a login page, but I don't have any credentials. So I started to look deeper





-> I started with GitHub, because the source code is available on GitHub, and I got 'changelog.txt' for checking the version





-> now I got the version





-> I checked for exploits. For the first exploit I need credentials. The 2nd exploit was a backup file disclosure





-> I found where the backup file would be





-> I opened that directory and got the backup





-> I downloaded it and searched for the password; I got a username and a password hash





-> with the help of hash-identifier I found that it was an MD5 hash





-> using an online hash cracker I got the password





-> using the credentials I could log in to the manager account





-> in this I got the version





-> I searched for an exploit and copied that exploit to the current directory





-> in this exploit, it adds 'http://' before the host and '/as/' after the host





-> I ran the exploit and got a shell, and I got the user flag





Root Part :



-> I searched for the commands I can run with root privilege





-> in that file, it is executing /etc/copy.sh.





-> I copied code from PayloadsAllTheThings





-> I wrote that to 'copy.sh' and ran the command for which I have root privilege and got a root shell
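
The root step depends on a command allowed through sudo running /etc/copy.sh, a file the low-privileged user was able to overwrite. As an added example (not part of the original write-up), this Python check takes a script that a sudo rule permits and reports every file it references by absolute path that non-root users can modify; the function names, the `helper_script` name and the temporary sample files are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Absolute paths as they appear inside a script's text.
ABS_PATH = re.compile(r"(?<![\w.])/(?:[\w.+-]+/)*[\w.+-]+")


def weak_reason(path):
    """Return why a non-root user could change `path`, or None if mode bits look safe."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group/world-writable"
    parent = os.stat(os.path.dirname(path) or ".").st_mode
    # A world-writable directory without the sticky bit lets anyone replace the file.
    if parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
        return "parent directory world-writable"
    return None


def audit_sudo_script(script_path):
    """Check a sudo-permitted script and every existing file it references by absolute path."""
    with open(script_path, errors="replace") as fh:
        candidates = {script_path, *ABS_PATH.findall(fh.read())}
    findings = {}
    for path in sorted(candidates):
        if os.path.isfile(path):
            reason = weak_reason(path)
            if reason:
                findings[path] = reason
    return findings


def build_sample():
    """Constructed stand-ins: a helper allowed via sudo that runs a loosely permissioned copy.sh."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "copy.sh")
    helper = os.path.join(root, "helper_script")
    with open(target, "w") as fh:
        fh.write("echo placeholder\n")
    with open(helper, "w") as fh:
        fh.write(f'system("sh", "{target}");\n')
    os.chmod(target, 0o777)   # assumed weak mode for the demonstration
    os.chmod(helper, 0o755)
    return helper, target


if __name__ == "__main__":
    helper, _ = build_sample()
    for path, reason in audit_sudo_script(helper).items():
        print(f"{path}: {reason}")
```

On a real host, pass each script named in the sudoers rules to `audit_sudo_script`; any finding means the file should be owned by root and stripped of group and world write permission.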