Thursday, 7 July 2016

Sidney challenge

Let's get to the point.


Great, the target exposes only one open port: HTTP. Let's see what the default web page looks like.

Nice :-) I looked at the source code, and the picture above is located at commodore64/c64_1280x1024.jpg, so let's see /commodore64/

Such a nice picture, but the comments are not nice to us. I am not a kid! :-)
Looking at the source code, I found something useful, I think.

Great! We know the username and we know how the password is constructed. As far as I know, it would be mosABCD or something like that. So, we need to generate a wordlist containing mos concatenated with all possibilities of ABCD (10 to the power of 4).
OK, we have prepared a wordlist for brute-forcing, but we don't know where the admin panel is located. Let's run dirb.

Let's look at /commodore64/index.php

OK, I decided to run hydra and

Excellent! Now we are able to log in!
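Seen from the server side, a run through the 10^4 candidates shows up as a burst of login requests from one client. The following is an added example, not part of the original post: a sliding-window detector over Apache combined-format access-log lines. The log lines, client addresses, window and threshold are constructed, and it assumes the login form submits via POST to /commodore64/index.php.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/commodore64/index.php"  # login page named in the write-up
KEYSPACE = 10 ** 4                     # "mos" + ABCD, 10^4 candidates per the write-up
WINDOW = timedelta(seconds=60)         # assumed detection window
THRESHOLD = 20                         # assumed ceiling for login POSTs per window
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"        # Apache combined-log timestamp
# client, timestamp, method, path, status from a combined-log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), method, path.split("?", 1)[0], int(status)

def detect(lines):
    """Return {ip: (peak POSTs in one window, total POSTs, share of keyspace)}."""
    recent, peak, total = defaultdict(deque), defaultdict(int), defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != "POST" or rec[3] != LOGIN_PATH:
            continue
        ip, when = rec[0], rec[1]
        q = recent[ip]
        q.append(when)
        while when - q[0] > WINDOW:    # drop attempts older than the window
            q.popleft()
        total[ip] += 1
        peak[ip] = max(peak[ip], len(q))
    return {ip: (peak[ip], total[ip], total[ip] / KEYSPACE)
            for ip in total if peak[ip] > THRESHOLD}

def sample_log():
    # Constructed sample: (client, number of login POSTs, seconds between them).
    base = datetime.strptime("07/Jul/2016:10:00:00 +0000", TS_FMT)
    out = []
    for ip, count, gap in (("192.0.2.10", 200, 0.25), ("198.51.100.7", 3, 30)):
        for i in range(count):
            ts = (base + timedelta(seconds=int(i * gap))).strftime(TS_FMT)
            out.append(f'{ip} - - [{ts}] "POST {LOGIN_PATH} HTTP/1.1" 200 512 "-" "-"')
    return out

if __name__ == "__main__":
    for ip, (peak, total, share) in detect(sample_log()).items():
        print(f"{ip}: peak {peak} per window, {total} attempts, {share:.1%} of keyspace")
```

The keyspace share makes the weakness of the scheme visible: once the prefix is known, even a few hundred requests cover a measurable part of all possible passwords, so a per-client attempt limit or lockout on this form is the matching control.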

Wow! This panel is really simple. I am pretty sure that uploading a PHP reverse shell script will be very easy. So, let's find out.

Amazing! We did that.

We have got a limited shell! I examined the OS version and it is Ubuntu 16.04 LTS. I found an exploit and...

Game over!