nmap shows 3 open ports: SSH, a BIND DNS service, and Apache HTTP serving the default page.
I copied the request data from Burp to a file named "request" and used sqlmap to check for SQL injection:
User and password sent in the login request:
admin' or '1'='1
' or '1'='1
This allowed me to get authenticated.
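Why those two inputs authenticate, and what the fix looks like, as an added example that is not part of the original write-up or the target's code. The table layout, credentials, and function names are assumptions, and an in-memory SQLite database stands in for the real backend.

```python
import sqlite3

def make_db():
    # Constructed sample data: table layout and credentials are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    return db

def login_concatenated(db, user, password):
    # 'Before': input is pasted into the SQL text, so a quote in the input
    # closes the string literal and the remainder is parsed as SQL.
    query = ("SELECT username FROM users "
             "WHERE username = '%s' AND password = '%s'" % (user, password))
    return db.execute(query).fetchone() is not None

def login_parameterized(db, user, password):
    # 'After': placeholders send the input as bound values, never as SQL text.
    # (A real application would also store a password hash, omitted here.)
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (user, password)).fetchone()
    return row is not None

def compare(user, password):
    # Returns (result of concatenated query, result of parameterized query).
    db = make_db()
    return (login_concatenated(db, user, password),
            login_parameterized(db, user, password))

if __name__ == "__main__":
    # The two inputs quoted in the write-up, then a valid and an invalid login.
    print(compare("admin' or '1'='1", "' or '1'='1"))
    print(compare("admin", "correct-horse-battery"))
    print(compare("admin", "wrong"))
```

With the concatenated query the WHERE clause ends in `or '1'='1'`, which is true for every row, so the check passes without a valid password; the parameterized query treats the same input as a literal username that does not exist.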
The "logged" user has access to this page:
It looks like it is utilizing the Linux ping binary. Maybe I can try to escape from it.
I received a netcat connection from the machine.
I tried a simple TCP reverse shell.
Netcat OpenBSD
linpeas.sh has shown a potential way of privilege escalation.
I read the documentation about the Laravel scheduling function and added a schedule to Kernel.php:
I got the shell as root, but it instantly dropped. This method is senseless, due to the fact that I have a shell. I decided to add the sticky bit to /bin/bash.