Rustscan
rustscan -a 10.10.156.100
Output:
PORT STATE SERVICE REASON
Port 80
We found the domain name:
I have to add it to /etc/hosts: skycouriers.thm
Track Order

When I click on search it’s doing this request:
http://10.10.156.100/v2/admin/track_orders?awb=sdfsdf+sdf+sdf&srchorder=
But:
SQLi
I just had to google awb= to find this:
https://www.exploit-db.com/exploits/41113
We just need to exploit it.
It won’t work on this page because of the 404 error.
Let’s create an account and log in.
Inside the panel

http://skycouriers.thm/v2/ResetUser.php

With Burp Suite:

Maybe I can also change the email address to change the admin password.
[email protected]
It’s working, I’m logged as admin.
I can change my profile picture now.
Let’s upload a PHP file with a reverse shell from pentestmonkey.
I change the value in Burp directly:
This is where the image is stored.
/v2/profileimages/revs.php
I listen with nc -nlvp 4949, then open it:
http://skycouriers.thm/v2/profileimages/revs.php
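A detection-side view of the step above, as an added example that is not part of the original write-up: it scans web server access log lines for requests into the profile image directory that are not plain images. The log lines are constructed, and the common log format and the list of allowed image extensions are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Upload directory from the write-up; assumption: it should only ever hold images.
UPLOAD_PREFIX = "/v2/profileimages/"
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".webp"}
# Extensions a PHP-enabled web server may hand to the interpreter.
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht"}

# Common/combined log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def suspicious_upload_hits(lines):
    """Return (ip, time, path, status, reason) for non-image requests under UPLOAD_PREFIX."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Drop the query string, decode %xx escapes, normalise case.
        path = unquote(urlsplit(m["target"]).path).lower()
        if not path.startswith(UPLOAD_PREFIX) or path == UPLOAD_PREFIX:
            continue
        name = path[len(UPLOAD_PREFIX):]
        # Inspect every dot-separated suffix so "a.php.jpg" is caught as well.
        suffixes = {"." + part for part in name.split(".")[1:]}
        last = "." + name.rpartition(".")[2] if "." in name else ""
        if suffixes & SCRIPT_EXTS:
            reason = "script extension in upload directory"
        elif last not in IMAGE_EXTS:
            reason = "non-image file in upload directory"
        else:
            continue
        findings.append((m["ip"], m["ts"], path, int(m["status"]), reason))
    return findings

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /v2/profileimages/avatar42.png HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:02:13 +0000] "GET /v2/profileimages/revs.php HTTP/1.1" 200 0',
    '198.51.100.9 - - [01/Jan/2024:10:03:40 +0000] "GET /v2/profileimages/pic.PHP.jpg HTTP/1.1" 200 312',
    '198.51.100.9 - - [01/Jan/2024:10:04:02 +0000] "GET /v2/admin/track_orders?awb=1 HTTP/1.1" 404 196',
]

if __name__ == "__main__":
    for hit in suspicious_upload_hits(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 on a script extension means the server is both storing and serving executable files from the upload directory; the fix is on the server side (assign the stored file name and extension server-side and disable script execution in that directory).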
Shell

Hint for later
.sudo_as_admin_successful from webdeveloper
Root
I’m tired, my head hurts, I need to drink more water…