Enumeration
We will use Nmap for the enumeration phase, so let's go!
![Enumeration]()
So Nmap found that port 22 and port 80 are open.
Let's check port 80.
![Port-80]()
Ouch! Looks like someone was here before us.
Let's view the source code.
![1-b-U1oqc-2-WAFbyzo4-CS6-Z6g]()
He left a backdoor for us.
Now search for the Xh4h web shell.
![1-b-U1oqc-2-WAFbyzo4-CS6-Z6g]()
Now let's clone it and try them.
![image]()
So it's the smevk.php webshell.
Let's open the shell and see what is in it.
Foothold
![image]()
We found the password.
Let's log in.
![1-D9x-Hd7-S-k-La-Rzy-Guznj-RBg]()
We are logged in as WebAdmin.
Let's discover what we can do.
![image]()
So I found that I can log in as webadmin by SSH.
Let's upload our public key.
![1-iv-UY-AD4zm-MI2-Hu-NMno-Q4w]()
Execute this to use your public key:
echo "your-publickey" >> authorized_keys
Run it with the Execute option in the /home/webadmin/.ssh/ directory.
Let's log in now!
![image]()
Privilege Escalation
We need to see what I can do without the sudo password.
We can switch to sysadmin.
![image]()
User hash
![image]()
Let's run pspy to see running processes.
![image]()
Gotcha!
![image]()
00-header is displayed when we log in by SSH as webadmin, so we need to make our reverse shell.
I used the Pentestmonkey cheat sheet.
![image]()
Start your nc and log in as webadmin and you will get root access.
![1-9f-Z-f-RTAn3opew-C01-QSh-HQ]()
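A defender's check for the condition this escalation relied on, as an added example that is not part of the original write-up: it flags login-banner scripts that an account other than root could modify. It assumes 00-header is Ubuntu's MOTD script under /etc/update-motd.d (a path not shown on the page); `audit_motd_dir` and `make_sample_dir` are hypothetical helper names, and the sample directory is constructed.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit the login-banner
# scripts that are executed as root whenever someone logs in over SSH.
# Assumption: 00-header is Ubuntu's MOTD script in /etc/update-motd.d.

# audit_motd_dir DIR [OWNER]
# Prints one finding per line; prints nothing when DIR is clean.
audit_motd_dir() {
    dir=$1
    owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 0
    fi
    # The directory itself: write access here allows adding or replacing scripts.
    find "$dir" -prune \( -perm -0020 -o -perm -0002 \) -exec echo WRITABLE_DIR {} \;
    find "$dir" -prune ! -user "$owner" -exec echo BAD_OWNER {} \;
    # Each script: group- or world-writable, or not owned by the expected owner.
    find "$dir" -type f \( -perm -0020 -o -perm -0002 \) -exec echo WRITABLE {} \;
    find "$dir" -type f ! -user "$owner" -exec echo BAD_OWNER {} \;
    return 0
}

# Build a constructed sample directory that mimics the misconfiguration.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho welcome\n' > "$d/00-header"
    printf '#!/bin/sh\necho help\n' > "$d/10-help-text"
    chmod 775 "$d/00-header"      # group-writable: the risky case
    chmod 755 "$d/10-help-text"   # writable by owner only: expected
    echo "$d"
}

# Stand-alone run: audit the real directory, expecting root ownership.
audit_motd_dir /etc/update-motd.d root
```

Any WRITABLE or BAD_OWNER line means a non-root account can change what root runs at the next login; restoring root ownership and mode 755 on the listed file closes that path.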
Thanks for Reading 🙏