Nmap Output
 
Nikto Output
 
Dirb Output
 
 
We see that the "/content/as" page is the login page.
 
"/content" page:
 
Here we see that the site runs SweetRice.
 
If we run "searchsploit sweetrice":
 
 
When we search for this exploit on the Internet:
 
 
When we go to the inc folder, we can see that it really is there.
 
 
In fact, we could have found it just by navigating through the files that came up in the dirb scan. :D nvm
 
Backup File
 
 
Password:
 
 
We log in to the /content/as page with the login information.
 
When we browse the site a little bit, we realize that we can write code in the Ads tab.
 
The machine accepts the .php extension.
 
Reverseshell:
 
 
Shell:
 
Before executing the file, we start a listener on the port.
 
We run the file and get the shell.
 
 
First Flag:
 
 
Privilege Escalation:
 
When we run sudo -l, we find a file that we can run with root permissions.
 
When we print the file with “cat”, we see that it runs the file /etc/copy.sh.
 
When we look inside the copy.sh file, we see ready-made reverse shell code. (Lazy Admin…)
 
 
We edit the IP address and port, start a listener on that port on our host and run the code.
 
Of course, we run the command using the exact path that we have sudo permission for.
 

sudo /usr/bin/perl /home/itguy/backup.pl
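
From the defender's side, the weakness in this chain is that a script allowed through sudo calls a helper file that the low-privileged user can edit. The following added example (not part of the original write-up) audits such a script and every absolute path it references for weak ownership or permissions; the temporary files and their contents are constructed stand-ins for backup.pl and copy.sh, and the function names are hypothetical.

```python
import os
import re
import stat
import tempfile

# Absolute paths embedded in a script, e.g. system("sh", "/etc/copy.sh")
ABS_PATH = re.compile(r"(?<![\w.])/(?:[\w.+-]+/)*[\w.+-]+")


def weak_permissions(path):
    """Return the reasons a non-root user could modify this file."""
    st = os.stat(path)
    checks = [
        (st.st_uid != 0, "not owned by root"),
        (st.st_mode & stat.S_IWGRP, "group-writable"),
        (st.st_mode & stat.S_IWOTH, "world-writable"),
    ]
    return [why for bad, why in checks if bad]


def audit_sudo_script(script_path):
    """Audit a sudo-allowed script and the existing files it references.

    Returns {path: [reasons]} for every file with weak permissions."""
    with open(script_path, encoding="utf-8", errors="replace") as fh:
        referenced = set(ABS_PATH.findall(fh.read()))
    findings = {}
    for path in sorted(referenced | {script_path}):
        if os.path.isfile(path):
            reasons = weak_permissions(path)
            if reasons:
                findings[path] = reasons
    return findings


def demo():
    """Build constructed stand-ins for backup.pl and copy.sh, then audit."""
    tmp = tempfile.mkdtemp()
    helper = os.path.join(tmp, "copy.sh")
    script = os.path.join(tmp, "backup.pl")
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\necho placeholder\n")
    os.chmod(helper, 0o777)  # the weak setting: anyone can rewrite it
    with open(script, "w") as fh:
        fh.write('#!/usr/bin/perl\nsystem("sh", "%s");\n' % helper)
    os.chmod(script, 0o755)
    return helper, script, audit_sudo_script(script)


if __name__ == "__main__":
    print(demo()[2])
```

On a real host, pass each script path listed by sudo -l to audit_sudo_script; any finding means the sudo rule effectively grants root to whoever can write that file.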

 
 
Root Flag: