Buy Me A Coffee


->OpenAdmin




Run Nmap scan against the IP





Go to the Website , We Can see the Default apache webpage





search for directories and files in the webpage and i got music directory





Go to the website,there are some menu option go throught the options





When i looked into login, it is more intresting,the version is not the latest version,
We can see the version is 18.1.1





So i searched for exploit and i found exploit from exploitdb





Run the Exploit and we got the shell





Go to /etc/passwd and we can see the users are jimmy and joanna





After Some enumeration in the web directory shell,i found an intresting file
in local/database_settings.inc.php , that file have database creadentials.





We found jimmy and joanna are the users from /etc/passwd ,
so i tried with jimmy and joanna, the password is correct for jimmy





After some enumeration in the web directory i found a intresting files





Reading the main.php, we can see the file id_rsa of joanna is storing to a variable output and printing the output,
so we need to find where is it printing, for that we need to find the port where we can found it





While running netstat we can see a port 52846 is running in localhost





We found a main.php is calling joanna's id_rsa of ssh, so i look for main.php in localhost and it print joanna's id_rsa





For Cracking Password from the id_rsa file i used ssh2john and john. After the password cracking i got the password id "bloodninjas"





we got password and rsa file,so lets login to joanna





Now lets check for commands that we can run with sudo, and we got we can run nano as root





Open the nano with sudo command





Go to GTFObins we found nano can execute shell





So i tried to execute shell in Nano ,by opening nano then ctrl+R then ctrl+X
then can copy paste the third line in there and hit enter, we got root shell





Now we can read the root.txt