Thursday, 7 July 2016

Sidney challenge

Hello,
Let's get to the point.

Scanning




Great, the target has only one open port: HTTP. Let's see what the default web page looks like.























Nice :-) I looked at the source code and the above picture is located at commodore64/c64_1280x1024.jpg, so let's see /commodore64/

























Such a nice picture, but the comments are not nice to us. I am not a kid! :-)
Looking at the source code, I found something useful, I think.









Great! We know the username and we know what the construction of our password looks like. As far as I know it would be mosABCD or something like that. So, we need to generate our wordlist, which will contain mos concatenated with all possibilities of ABCD (10 to the power of 4).
OK, we have prepared a wordlist for brute-forcing, but we don't know where the admin panel is located. Let's execute dirb.
























Let's look at /commodore64/index.php



















OK, I decided to run hydra and









Excellent! Now we are able to log in!
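Seen from the server side, a run through up to 10 to the power of 4 candidates shows up as a burst of login POSTs from one client. The sketch below is an added example, not part of the original write-up: it flags such bursts in an access log, assuming an Apache-style log layout, that the login form posts to /commodore64/index.php, and an arbitrary threshold of 20 attempts per 60 seconds; the log lines are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/commodore64/index.php"  # assumed login endpoint (from the write-up)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# Assumed log layout: Apache combined/common access log.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} '
)


def find_bruteforce_sources(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {ip: peak count} for clients that sent more than `threshold`
    POSTs to LOGIN_PATH inside any sliding `window`."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line, or not a form submission
        if m["path"].split("?", 1)[0] != LOGIN_PATH:
            continue  # some other endpoint
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # expire attempts older than the window
            q.popleft()
        if len(q) > threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged


def constructed_log():
    """Constructed sample data: one client guessing once per second for
    90 seconds, and one ordinary user who logs in twice."""
    fmt = '{ip} - - [07/Jul/2016:12:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" 200 512'
    post = "POST " + LOGIN_PATH
    lines = [fmt.format(ip="192.0.2.10", m=i // 60, s=i % 60, req=post)
             for i in range(90)]
    lines += [fmt.format(ip="198.51.100.7", m=5, s=s, req=post) for s in (1, 30)]
    lines.append(fmt.format(ip="198.51.100.7", m=6, s=0, req="GET /commodore64/"))
    return lines


if __name__ == "__main__":
    for ip, peak in find_bruteforce_sources(constructed_log()).items():
        print(f"{ip}: {peak} login POSTs within 60s")
```

The same per-client counter can drive rate limiting or account lockout, which is what makes a 10,000-entry keyspace impractical to walk through.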


















Wow! This panel is really simple. I am pretty sure that uploading a PHP reverse shell script will be very easy. So, let's find out.













Amazing! We did that.










We have got a limited shell! I examined the OS version and it is Ubuntu 16.04 LTS. I have found an exploit and...









Game over!