netdiscover
    sudo netdiscover

rustscan
    rustscan -a 192.168.0.24

On port 80 we have this page:

gobuster
    gobuster dir -t 100 -u http://192.168.0.24 -w ~/Documents/wordlist/directory-list-medium.txt --wildcard switch

The javascript directory is forbidden:

There is a phpMyAdmin page; let’s see if there is an index.php.
MD5 hash

    echo -n beelzebub | md5sum

This string is a directory.
Beelzebub website
There is something, but I can’t see it; the IP is hard-coded in the website.

This is a WordPress website, so I should see what is in the upload directory:
http://192.168.0.24/d18e1e22becbd915b45e0e655429d487/wp-content/uploads/

If you browse to Talk To VALAK you can see this page:

You can also find a password:

    Cookie=b7d0eff31b9cde9a862dc157bb33ec2a; Password=M4k3Ad3a1

I should do a scan on the WordPress website, but it’s taking too much time to load, so I will find the user on the login page of the VM.
User: Krampus
Password: M4k3Ad3a1
ssh
    ssh [email protected]
Yes I’m in.
    cat .bash_history

I will copy and paste this:

I’m root.

Flag: 8955qpasq8qq807879p75e1rr24cr1a5