- Enumeration gives us multiple pathways
- Use default credentials to gain access to an online bookstore
- Add a book that has a php reverse shell attached
- Once user access is gained , a password file is stored in the open
- SSH to the user and check for sudo permissions.
- Use GTFOBins to find for a root exploit
Run nmap scan to find for open ports.
Run a gobuster scan to find for hidden directories.
Found a clue on the contact page of the gym site.
Let’s check searchsploit for any exploits.
“Small CRM 3.0 is vulnerable to SQL Injection on it’s admin login because of insufficient user supplied data sanitization and the sql injection payload being executed. Attacker is able to acious payload, successfully taking over admin account.”
Enter the following payload in ‘Username’ and ‘Password’ parameter: ‘ OR ‘x’=’x
After some enumeration there’s isn’t much we can do.
The online bookstore has a admin login page.
Tried default creds like admin : admin and access is gained.
Create a new book and upload a php reverse shell in the image then click on the book to activate the reverse shell.
We find some passwords in a file.
SSH to the tony user.
Check sudo -l for priveledges.
Root access is gained.