Thursday 7 July 2016

Sidney challenge

Hello,
Let's get to the point.

Scanning




Great, target serves only one open port - HTTP. Let's see how looks default web page























Nice :-) I look at the source code and above picture is located on commodore64/c64_1280x1024.jpg, so let's see /commodore64/

























So nice picture, but comments is not nice for us. I am not a kid! :-)
Looking at source code I have found something useful I think









Great! We know username and we know how look like a construction of our password. As far as I know it would be mosABCD or something like that. So, we need to generate our wordlist which will contain mos concatenated with all possibilities of ABCD (10 to power 4).
OK, we have prepared wordlist to brute-force but we don't know where is located admin panel. Let's execute dirb
























Let's look at /commodore64/index.php



















OK, I decided to run hydra and









Excellent! No we are able to log in!


















Wow! This panel is really simple. I am pretty sure that uploading PHP reverse shell script will be very easy. So, let's find it out.













Amazing! We did that.










We have got limited shell! I examined OS version and it is Ubuntu 16.04 LTS. I have found exploit and...









Game over!