The hidden directory `/content` leaks the CMS name. Searchsploit finds an exploit that leads us to a MySQL backup file, which leaks the admin user's password hash. The password hash is just MD5 and we recover the plaintext password easily. Running Gobuster on `/content`, we find another hidden directory `/content/as` that has a login form. Using the leaked credential, we can access the admin panel. Uploading `php-reverse-shell.php5` gets a reverse shell as www-data.

`sudo -l` finds that we are able to execute Perl as root. There is a backup script that executes `/etc/copy.sh` as root, and `/etc/copy.sh` is world-writable. Store a Netcat reverse shell payload in it and run `sudo perl` on the backup script. Then we catch a reverse shell as root.
`http://lazyadmin.thm/content/`. The CMS used is SweetRice:

`/inc/mysql_backup`. In our case, it is at `/content/inc/mysql_backup`. Try to access this directory:

The `manager` user's password hash is leaked in this backup:

`Password123`, so the credential is `manager:Password123`. Now we need to find a login page to utilize this credential.

`/content` and we find a new directory

`.php5` bypasses the filter:

`php-reverse-shell.php5`, go to "Media Center", and upload it:

`sh /etc/copy.sh` as root and