Run an nmap scan to find open ports.



Visiting port 80 redirects to port 443, which is an Elastix web server.


Run a gobuster scan to find directories.

A web mail portal.

An admin page.

Run searchsploit.

Search Google for the LFI exploit.

Use the LFI exploit script below.

Found some credentials.

Log in to the admin page with the second password found.

Let’s use the credentials found to log in to Webmin on port 10000.


In the module config tab we are able to schedule a command. Let’s schedule a bash reverse shell that connects back to an nc listener.



Start the nc listener before the scheduled command runs, and root access is gained.

The first flag is found in fanis.

The root flag is found.
