Read my write-up for Previse
machine on:
TL;DR
User: Running gobuster
and found acounts.php
page, Using that we can create a new account, From the web portal we download SITEBACKUP.ZIP
file which contains the code of logs.php
, By reading the code we found RCE on delim
parameter and found also DB credentials on config.php
file. Using the RCE on logs.php
we get a reverse shell as www-data
, Cracking the hash of m4lwhere
user which takes from DB and login as m4lwhere
user.
Root: By running sudo -l
we found /opt/scripts/access_backup.sh
, Because we have permission to change the PATH
we just create our custom date
command to get a reverse shell as root
.