Download the machine:

https://www.vulnhub.com/entry/billu-b0x,188/

---

Overview

• Web enumenration will lead to a login page that suggests to use SQLI
• SQLI payloads do not work
• Find a page that is able to use Local file read
• Use the curl command to find credentials for a sql server
• Login into the server and find creds for the main page
• Check the server config files to find creds for root access

---

Enumeration

Run nmap scan to find for open ports.

Run a gobuster scan to find for hidden directories.

Port 80

Since the page indicates to use SQLI, I tried with some payloads but results were negative. Let’s explore the other pages found on the directory enumeration.

/ test

** I found this is not LFI vulnerability as it only read files and not execute code. So its a Local file read vulnerability.

Test LFI vulnerability with the curl command.

Let’s check if we can get some information on the SQLI restrictions by curling the index.php page.

I tried with few payloads but still unable to get pass. So I decided to curl the c.php and head.php files.

But we need to find a mysql login page first. Let’s use a bigger list in our web enumeration.

Looks like we found it.

We can login the creds found in the c.php file.

Head to the auth database and we can get some creds.

We can use these creds to login to the main page.

---

Foothold

However after some time adding and checking the users, I’m not able to get any leads.

Let’s try searching for the standard config file in phpmy.

---

Privilege escalation

It actually works.