Monday, November 19, 2012

Lab 6 Kioptrix Level 3

Information Gathering



Service Enumeration

Based on the nmap picture, I found some open ports, such as port 22 (ssh) and 80 (http).

Vulnerability Assessment

Here I try to inject the login form, but it does not work.



So I try to go to http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos
Then I try to inject the id parameter.


Exploit

Here I use sqlmap to inject the web page.
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos" -p id --dbs --level=3 --risk=4 --threads=8



Here I found three databases.
So I will use the database gallery to see what tables are available.


I found seven tables, so I will dump the table dev_accounts.


Here I found loneferret's password, so I try to use it to log in using ssh.



It works, I successfully entered the server.
And I also found an interesting file in this folder.



We can see that there is newly installed software for editing, creating, and viewing files, and to use it, we should use the command 'sudo ht'. I guess this software is an editor.
So I try to use it to see /etc/shadow.


And I try to change the root password to loneferret's password.


And it works, I'm root now.
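
A defender's check for the misconfiguration this step relies on, an editor runnable through sudo. This is an added example, not part of the original post: the sudoers text is constructed, and the FILE_CAPABLE list and the audit_sudoers function are assumptions made for illustration.

```python
import re

# Assumed, non-exhaustive list: editors and pagers that can open any file as root.
FILE_CAPABLE = {"ht", "vi", "vim", "nano", "emacs", "ed", "less", "more", "hexedit"}
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# Constructed sample sudoers text (not copied from the lab VM).
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
backup ALL=(root) NOPASSWD: /sbin/service apache2 restart, \\
    /usr/bin/vim /etc/hosts
%admin ALL=(ALL) ALL
"""

def audit_sudoers(text):
    """Return (who, command, reason) for grants worth a manual review.

    Simplified parser: aliases, #include and multi-user Runas lists are not handled.
    """
    findings = []
    text = re.sub(r"\\\n\s*", " ", text)            # join continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith(SKIP):
            continue
        m = re.match(r"(\S+)\s+[^\s=]+\s*=\s*(.+)", line)
        if not m or m.group(1) == "root":
            continue
        who, spec = m.groups()
        for cmd in (c.strip() for c in spec.split(",")):
            cmd = re.sub(r"^\([^)]*\)\s*", "", cmd)         # strip (runas)
            cmd = re.sub(r"^(?:[A-Z_]+:\s*)+", "", cmd)     # strip NOPASSWD: etc.
            if not cmd or cmd.startswith("!"):
                continue                                     # negation grants nothing
            if cmd == "ALL":
                findings.append((who, cmd, "unrestricted sudo"))
            elif cmd.split()[0].rsplit("/", 1)[-1] in FILE_CAPABLE:
                # An editor running as root is not confined by its argument list;
                # sudoedit is sudo's mechanism for editing specific files.
                findings.append((who, cmd, "file-capable program as root"))
    return findings

if __name__ == "__main__":
    for who, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: {cmd} -> {reason}")
```
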



Alhamdulillah ....:D
