
billu: b0x

Download the machine:



  • Web enumeration will lead to a login page that hints at using SQLi
  • SQLi payloads do not work
  • Find a page that allows local file read
  • Use the curl command to find credentials for the MySQL server
  • Log in to the server and find creds for the main page
  • Check the server config files to find creds for root access


Run an nmap scan to find open ports.

Run a gobuster scan to find hidden directories.

Port 80

Since the page hints at using SQLi, I tried some payloads, but the results were negative. Let’s explore the other pages found during directory enumeration.

/test

It looks like there is a possibility to test for an LFI vulnerability.

Note: I found that this is not an LFI vulnerability, since it only reads files and does not execute code. So it is a local file read vulnerability.

Test the file read vulnerability with the curl command.

We are able to use LFI exploits.
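The page reads whatever path it is handed, which is what makes the file read above possible. As an added, illustrative example (not code from the billu: b0x machine or this writeup), the Python handler below shows the fix a defender would apply: it takes a user-supplied name, refuses NUL bytes and absolute paths, canonicalises the joined path with symlinks followed, and serves the file only if the result still lies under a single allowed directory. The `public` root, the `page.txt` and `secret.txt` files and the symlink case are all constructed for the demo.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_within(root: Path, user_path: str) -> Optional[Path]:
    """Map a user-supplied path onto a file under `root`, or return None.

    Empty input, embedded NUL bytes and absolute paths are rejected up front.
    The joined path is then canonicalised (following symlinks) and checked
    against the canonical root; that final check is what defeats `../`
    sequences and symlinks that point outside the allowed directory.
    """
    if not user_path or "\x00" in user_path:
        return None
    if os.path.isabs(user_path):
        return None
    root_real = root.resolve()
    candidate = (root_real / user_path).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        return None  # resolved path escaped the allowed directory
    return candidate


def read_public_file(root: Path, user_path: str) -> Optional[bytes]:
    """Return the file contents if the path is acceptable and names a regular file."""
    target = resolve_within(root, user_path)
    if target is None or not target.is_file():
        return None
    return target.read_bytes()


def demo() -> dict:
    """Exercise the handler against constructed inputs in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "public"          # constructed: the only readable directory
        root.mkdir()
        (root / "page.txt").write_bytes(b"hello")
        (base / "secret.txt").write_bytes(b"db password")  # constructed, outside root
        try:
            os.symlink(base / "secret.txt", root / "link.txt")
        except OSError:
            pass  # platforms without symlink support simply skip that case
        return {
            "plain": read_public_file(root, "page.txt"),
            "traversal": read_public_file(root, "../secret.txt"),
            "absolute": read_public_file(root, str(base / "secret.txt")),
            "nul": read_public_file(root, "page.txt\x00.jpg"),
            "symlink": read_public_file(root, "link.txt"),
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result!r}")
```

Only the plain `page.txt` request returns content; the traversal, absolute-path, NUL-byte and symlink cases all come back as `None`. Resolving both the root and the candidate (rather than string-matching on `..`) is the part that matters: it handles encoded and nested traversal the same way and also catches a symlink planted inside the directory.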

Let’s check if we can get some information on the SQLi restrictions by curling the index.php page.

It seems that we need to add “\” to our payloads.

I tried a few payloads but was still unable to get past it, so I decided to curl the c.php and head.php files.
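From the defender’s side, the sequence above (first a traversal probe, then pulls of `c.php` and other source files through the `/test` page) is visible in the web server’s access log. The Python below is an added detection example, not part of this writeup: it parses Apache-style combined log lines (constructed here), decodes each query parameter, and raises an alert when a value carries a `..` path component on any endpoint, or an absolute path or `.php` source name on a watched file-serving endpoint. The watched path `/test` comes from the directory listing above; the log lines and IPs are made up.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoints known to hand back file contents (the /test page from the enumeration).
WATCHED_PATHS = {"/test"}

# Apache combined log: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")   # a literal .. path component
ABSOLUTE = re.compile(r"^[\\/]")                      # absolute path on the server
PHP_SOURCE = re.compile(r"\.php$", re.IGNORECASE)    # reading application source

# Constructed sample log lines for the demo.
LOG_LINES = [
    '10.0.0.5 - - [10/Jan/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Jan/2024:12:00:07 +0000] "GET /test?file=../../../../etc/passwd HTTP/1.1" 200 1750',
    '10.0.0.5 - - [10/Jan/2024:12:00:09 +0000] "GET /test?file=/var/www/c.php HTTP/1.1" 200 280',
    '10.0.0.5 - - [10/Jan/2024:12:00:11 +0000] "GET /test?file=..%2F..%2Fhead.php HTTP/1.1" 200 300',
    '10.0.0.9 - - [10/Jan/2024:12:01:00 +0000] "GET /add.php?page=home.php HTTP/1.1" 200 90',
    '10.0.0.9 - - [10/Jan/2024:12:01:03 +0000] "GET /images/logo.png HTTP/1.1" 200 4000',
]


def suspicious_values(path, query):
    """Return (param, reason, value) for query values that look like file-read probes."""
    hits = []
    for key, raw in parse_qsl(query, keep_blank_values=True):
        value = unquote(raw)  # parse_qsl decoded once; a second pass catches double encoding
        if TRAVERSAL.search(value):
            hits.append((key, "traversal", value))
        elif path in WATCHED_PATHS and ABSOLUTE.search(value):
            hits.append((key, "absolute-path", value))
        elif path in WATCHED_PATHS and PHP_SOURCE.search(value):
            hits.append((key, "php-source", value))
    return hits


def scan(lines):
    """Parse each log line and collect one alert per request with suspicious parameters."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash the scan
        parts = urlsplit(m["target"])
        hits = suspicious_values(parts.path, parts.query)
        if hits:
            alerts.append({
                "ip": m["ip"], "time": m["ts"], "path": parts.path,
                "status": int(m["status"]), "hits": hits,
            })
    return alerts


def per_source(alerts):
    """Count alerts by client IP so a single host probing repeatedly stands out."""
    return Counter(a["ip"] for a in alerts)


if __name__ == "__main__":
    found = scan(LOG_LINES)
    for a in found:
        print(a["ip"], a["path"], a["status"], a["hits"])
    print(dict(per_source(found)))
```

The three `/test` requests from `10.0.0.5` are flagged (one traversal, one absolute path, one traversal hidden behind percent-encoding) while the ordinary `page=home.php` request on another endpoint is not. One caveat a practitioner will hit immediately: default access logs record only the request line, so a file read driven by a POST body never shows up here; catching that needs request-body logging or a WAF in front of the application.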

It looks like we have some MySQL credentials.

But we need to find a MySQL login page first. Let’s use a bigger wordlist in our web enumeration.

It looks like we found it.

We can log in with the creds found in the c.php file.

Head to the auth database, where we can get some creds.

We can use these creds to log in to the main page.


However, after some time spent adding and checking users, I’m not able to get any leads.

Let’s try searching for the standard config file in the phpmy directory.

It looks like we got root creds.

Privilege escalation

It actually works.
